NSA’s international crisis, and what Congress should do about it

I’ll be testifying tomorrow before the House Intelligence Committee.  This post is an excerpt from that testimony.  The full document is here: Baker – HPSCI testimony – Oct. 29 2013.

NSA-BuildingI fear that the campaign by Glenn Greenwald and others who control the Snowden documents has forced the executive branch into a defensive crouch.  Other nations are taking advantage of the moment to demand concessions that the White House is already halfway to granting.  If so, we will regret them as a country long after the embarrassment of fielding angry phone calls from national leaders has faded into a short passage in President Obama’s memoirs.

European and other nations see the prospect for enormous gains at the expense of the U.S., in part because President Obama seems genuinely embarrassed and unwilling to defend the National Security Agency.  Instead, he is offering assurances to select world leaders that they are not targets, and his homeland security adviser is declaring that “the president has directed us to review our surveillance capabilities, including with respect to our foreign partners. We want to ensure we are collecting information because we need it and not just because we can [and that] we are balancing our security needs with the privacy concerns all people share.”

Administration sources have begun criticizing the NSA for putting the President in this bind, and they are hinting at the possibility of negotiating reciprocal deals with other countries that will bar espionage directed at each other while sharing intelligence….

In short, we face the prospect that foreign nations will capitalize on President Obama’s defensive crouch to extract diplomatic and intelligence concessions that would have been unthinkable a year ago.

At the same time, I note, these nations have asked China, which is subjecting them to the most notorious and noisy computer hacking campaign on the planet, for, well, for nothing at all. The reason for that reticence is simple.  They know that China will give them nothing.

And that, it seems to me, is where Congress comes in.  Sometimes an American negotiator’s best friend is an unreasonable Congress.  As far as European negotiators are concerned, the United States Congress is almost in China’s league.  If Congress sets limits on what the executive branch can concede to its foreign counterparts, those limits will be observed.  And if Congress specifies consequences for threatening U.S. industry, threatening U.S. industry will be much less attractive.

That’s why I suggest that any legislation addressing the domestic intelligence program also address the international campaign to weaken U.S. intelligence capabilities. What would that legislation say?  Let me suggest a few possibilities, any one of which would provide U.S. negotiators with useful limits and leverage:

  • A “cooling off”  provision requiring that any intelligence reciprocity agreement with any nation be submitted to Congress for review prior to taking effect.
  • A “start with common ground” provision prohibiting reciprocal intelligence talks with any nation unless the DNI determines that the nation does not use its intelligence services to steal commercial information from private American companies for the benefit of its own companies.
  • A “true reciprocity” provision requiring an independent report to this committee from the CIA, NSA, and other agencies prior to any proposed intelligence reciprocity arrangement taking effect; no such arrangement could take effect without a determination by Congress that the arrangement provided benefits to the U.S. intelligence community that matched the benefits to the counterpart nation.
  • A “trust but verify” provision requiring that the DNI certify that any reciprocal “no spying” promise in an international agreement be verifiable and enforceable.
  • A “no hostage-taking” provision that bars negotiations – and counterterrorism intelligence-sharing – with any European Union member if the European Union terminates its existing terrorism information sharing arrangements with the United States or takes action to punish U.S. companies in an effort to regulate U.S. intelligence or law enforcement agencies.  Exceptions for intelligence sharing would require a determination by the DNI that the sharing is in the national interest of the United States and that the country in question took action to oppose the termination.
  • A “stay in your lane” provision barring any negotiation with the European Union that touches on intelligence.  The European Union has no authority over European intelligence, and its role in past counterterrorism negotiations has been uniformly hostile to American interests.
  • A “sauce for the goose” provision requiring declassified reports from the intelligence community on (1) the scope and intrusiveness of other nations’ surveillance of American officials, businessmen, and private citizens and (2) how much data about individual Americans is being retained by companies in Europe and elsewhere, how often it is accessed by European governments, and whether that access meets our constitutional and legal standards.

Comments as usual may be sent to vc.comments@gmail.com; unless you ask to have your name withheld, don’t be surprised if I add your comment and name to this post as an update.

—————————————————–

UPDATE:  Zachary Martinez offers a different view of the EU’s jurisdiction.  It doesn’t persuade me but it may persuade you:

I disagree with your assertion that “A “stay in your lane” provision barring any negotiation with the European Union that touches on intelligence.  The European Union has no authority over European intelligence”. Here are a number of points that may be said in response:
1) The European Union operates an imaging intelligence agency, the European Union Satellite Centre in Spain. This was formerly a WEU asset, but was transferred to the EU when the WEU was dismantled
2) The European Union has its own military staff (composed of officers seconded from the armed forces of the Member States); obviously, any military staff is going to be a consumer of intelligence products
3) There is no explicit prohibition in EU law barring EU participation in intelligence matters. The EU has had for some time a Common Foreign and Security Policy, and Foreign Policy and Security inevitably touch on intelligence. The fact that the EU organs have thus far had limited involvement in intelligence matters does not mean they lack the capacity to do so; since the scope of CFSP is largely driven by the member states, if they had not up to now wished to focus on intelligence matters in an EU context, that is their prerogative, but it does not prevent them from turning to a focus on those matters now. Since CFSP is for the large part driven by unanimous consent, its scope has been kept very open-ended, whereas in a policy area which did not operate on unanimity there would be pressure to impose scope limitations. This is why intelligence is not excluded from CFSP
4) The EU policing and prosecution agencies EUROPOL and EUROJUST are involved in the coordination of the production and consumption of criminal intelligence; while criminal intelligence and national intelligence are distinct, there is inevitably some overlap. Similar comments might be made about EU cooperation in the area of visas, immigration and border control
5) EU regulation already covers areas like privacy, data retention, the exchange of financial data between national authorities, etc. All these areas already touch on intelligence
So the EU is both a producer and consumer of intelligence products, and has the legal capacity to involve itself more deeply in these matters, I think your statement that “The European Union has no authority over European intelligence” is false.
And here’s another:

The following comments might be made to the congressional committee:

  1. It is generally not feasible to exclude certain parties from electronic surveillance. It is usually necessary to just capture everything from everybody and identify the parties or contents later. If some are to be excluded, those can then be deleted, but we can’t promise the initial capture will never be made.
  2. Many other national (and perhaps private) intelligence groups are making similar efforts. Offended parties should look into whether their own intelligence services are doing it to them. It won’t do them much good if we stop and the Russians or Chinese continue. At least we don’t have missiles pointed at them.
  3. The appropriate remedy is for people who don’t want eavesdroppers is to use encrypted channels and not speak where they can be overheard by listening devices, which probably excludes all voice communications except in secure rooms.
  4. We can offer to report to parties what their vulnerabilities are and how they can improve their security so we can’t penetrate it.
  5. Encrypted or not, anything that can be received by a human being can be copied and propagated without limit after it is decrypted. We cannot guarantee there will never be another Bradley Manning or Edward Snowden, so be careful what you say that you don’t want the world to get the next morning. “You can’t stop the signal, Mal.”

You may of course post this with my name.

— Jon Roland

And another from tz that I find less persuasive:

Congress can obstruct, but I don’t see what it is in it for the Europeans.  During the cold war, Russia could treat eastern Europe as its satellites, but the EU countries have a different relationship.  The NSA has caused them to think of us as “The Evil Empire”.  If Congress plays the American exceptionalism / triumphalism card, it would make this worse.  Remember there are two parties here, and it has to be in the interest of both sides.

The question might be if we want to fix the problem – the technology works (Bruce Schneier said “you can trust the math”.  But the NSA/NIST apparently weakened things embarrassing even RSA, somehow their B-SAFE library may have had a backdoor.  The IP-SEC spec is a morass that no one could implement.  And others might be going through the backdoors.  We are all less safe and secure because of the weakening of security.

But we could create “tap-proof” phones, connections which are secure from your computer to the server.  If you have an individual, and a warrant, you can get the company to provide the data without requiring a skeleton key for every user (as the FBI demanded of Lavabit).  And just change the laws so that Google, Apple, and Microsoft can be transparent and open to show they aren’t being (universally) tapped – even without the knowledge of the company.  We could have true security.  The US and Europe.

In the 1990s, there was a controversy over “key-escrow”, so the best and safest email encryption program, PGP, had to be printed out and faxed to Europe where it could be re-entered and compiled and freed.  (Fax was protected by the first amendment, but encryption was considered a munition).  They repealed/revised that, but the substitute is worse – some federal jackboots just arrive and ask for the master key so they can decrypt every file, message, chat, of every user in real-time without detection or warrant.

You are attorneys.  There is supposed to be something called “attorney-client” privilege.  If the FBI asked for access to ALL your files (computer and paper) just like what they wanted for Lavabit, what would you do?  If the NSA has all your “privileged” communication and shared it with the DEA?  Would you do THAT for “national security”?

There is a further problem.  We love tech over humint – human intelligence.  The Russians simply placed spies or bribed or turned our citizens.  The CIA and our intelligence is suffering because we have petabytes of emails but no one in the areas where the terrorists actually are to confirm or deny what they think is going on from the emails.  We aren’t developing human sources, relying on drones, satellites, and massive universal surveillance – but that universal surveillance is a thousand miles wide and a foot deep – so you have to find the drops in the ocean that matter.  There was too much data, not too little to prevent 9/11.  It seems easier and safer, but like the futuristic SDI / “Star Wars” under Reagan, it is the wrong direction.

We should develop truly secure communications, and go back to traditional methods targeted at the real threats, not try to encompass the entire earth in a driftnet.

Comments are closed.