The intelligence disaster wrought by fomer National Security Agency contractor Edward Snowden carries important lessons about the character of the digital world we now inhabit. Intelligence agencies, and indeed anyone who relies on information security, are far more vulnerable than in the past. At one time a spy was lucky to bring home a film cartridge from a Minox camera with copies (which might not be terribly good) of a few pages of some secret document. Obtaining those copies might take as much as 15 or 20 minutes, during which he was vulnerable to detection. A spy with legitimate access to a classified library might manage to obtain information from 10 to 20 documents in a day, assuming he knew what he wanted. Former civilian analyst Jonathan Pollard apparently obtained a few hundred sensitive documents, which he passed to his masters to be copied. He was limited to what he could carry in a briefcase. In each instance, the damage was significant, because even one sensitive document might well contain crucial information.
Snowden’s theft was on an altogether greater scale. Because he was a system administrator, he could override the settings on computers that prevented them from dumping data into thumb drives. He was acquiring data at the rate of millions of bytes per second. That might be thousands of pages per second, depending on how documents were stored. Current thumb drives are rated in the tens of gigabytes of data. A gigabyte is roughly a thousand million bytes, which is on the order of half a million pages. Snowden’s system administrator status almost certainly made it possible for him to override any firewalls. The only real limit on Snowden might have been ignorance of the relative value of the documents he was stealing.
It is nearly impossible to enforce restrictions such as “need to know” in an Internet-style database such as we currently use. Moreover, any such restrictions go against the need to “connect the dots” so as to detect and thwart terrorist operations. Who can be sure of exactly what information is relevant? That is particularly the case when the distinction between foreign and homegrown terrorists seems to dissolve. How do you classify those who carried out the Boston Marathon atrocity? What is the appropriate relationship between law enforcement, which seeks to identify and penalize those who have already committed crimes, and defense against terrorist threats? Without knowing a great deal more about how well we have done, we cannot say how worthwhile defense has been.
Enormous effort has been expended to find better ways of protecting sensitive information against those attempting to penetrate our networks. Snowden is a key example of a very different problem: a human threat, or perhaps the threat of human engineering (did he reach his ideology on his own, or was he helped?).
We do not know enough about Snowden to say when or why he decided that it was his mission to collect secret information that could later be used against the U.S. government. It does seem that he began working this way as a contractor for the CIA, before moving over to the NSA. The CIA went so far as to warn the NSA that he was showing undue curiosity—electronic libraries do register who asks for what and when. As a system administrator, Snowden should not have been using the data on his networks; his job was to ensure only that the networks functioned properly. He may have been affected by the various WikiLeaks scandals and by the U.S. reaction to them, or he may have made his decisions well before they broke, perhaps in connection with the WikiLeaks project or with the “Anonymous” hacking group. No one knows, apart from Snowden himself.
It seems obvious that Snowden benefited from a series of devastating human failures. The first was that he was granted a very high clearance. That may have been tied to the mobilization of homeland-security resources in the wake of 9/11. Suddenly large numbers of computer experts were needed to create and maintain systems for sharing and analyzing intelligence data. It also became necessary to extend the military-clearance system into law enforcement. This requirement collided with a decision made during the late 1990s to largely or completely privatize the process. By that time massive human losses due to the end of the Cold War had badly damaged the government system that had been developed to handle the mass of contractors involved in classified work. The other problem, in Snowden’s case, is that the NSA apparently failed to convince him that what it was doing was for the public good, rather than for some evil purpose.
The pool of potential computer-system analysts is not large, and most of them are often snapped up by private industry at high salaries. The NSA and other government entities badly needed whoever was available. How many administrators would willingly drop a talented computer analyst because he seemed to be acting odd? How easy would it have been to obtain a replacement? To wait while the replacement navigated the clearance process?
The public outcry to “connect the dots” so that information already in our hands could be used to prevent attacks translates to “use all the data we can have in an effective way,” which in turn requires that data be shared at every level. That means reducing it to digital form and creating databases that can be exploited. In theory, a terrorist operation on American soil produces an identifiable signature. If that signature can be detected, it may be possible to trace those involved and neutralize them.
That is the modern form of a classic signals-intelligence technique, traffic analysis, which the NSA has undoubtedly used for decades. Even if the enemy’s codes cannot be broken, careful analysis of who talks to whom (and when) yields enormous dividends. Put this way, it is unsurprising that the NSA has been collecting phone and email records, in terms not of what was said but of who called whom and for how long. Once a potential threat was identified, the agency had the authority to concentrate on the individuals involved. We don’t know whether it worked, but we can see it as something more than a government attempt to invade our privacy. If we have some idea of how well it works, we can decide whether the loss of privacy is justified. Snowden did not care to reveal anything about how well (or poorly) the program worked. Perhaps it worked too well for his taste.
Snowden also revealed the shocking (shocking!) reality that the NSA has been listening to the communications of foreign leaders, including our allies. After all, such interception (to protect us from surprises) is its great responsibility. The NSA is also responsible for protecting us from foreign eavesdropping, but Snowden apparently did not consider it worthwhile to reveal what anyone has done to us. It is just a bit rich to read of Chinese outrage at American eavesdropping in light of the extensive Chinese penetration of sensitive U.S. computer systems. Allied leaders’ outrage that we were listening is presumably for public consumption: Their own intelligence services would be remiss if they were not trying to eavesdrop on us.
The damage Snowden has done is in the form of a signals intelligence disaster: He has let the opposition know what it needs to do to evade detection. Cries from leading Internet companies to kill the NSA’s programs are really cries to let their clients know they are safe from surveillance of any kind. To most citizens, such safety is a reasonable expectation of privacy. To a terrorist, it means safety from detection.
What happens now? First, to the extent that Snowden revealed details of NSA operations, many of those techniques are no longer going to be effective. The NSA will develop alternatives, but that will take time. We can expect our enemies to take advantage of that window of opportunity. They have already shown considerable awareness of the danger the NSA and similar agencies represent. The NSA’s exploitation of the Internet will cause hostile foreign governments to work harder to wrest Internet control from the United States, and also to create their own censored Internets; China, for example, is already doing that. The freedom of the Internet, about which Snowden claims to be passionate, will evaporate.