CNN, 20 February 2014
Editor’s note: Bruce Schneier is a security technologist and author of Liars and Outliers: Enabling the Trust Society Needs to Thrive.
(CNN) — The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission — protecting the security of U.S. communications and eavesdropping on the communications of our enemies — has become unbalanced in the post-Cold War, all-terrorism-all-the-time era.
Putting the U.S. Cyber Command, the military’s cyberwar wing, in the same location and under the same commander, expanded the NSA’s power. The result is an agency that prioritizes intelligence gathering over security, and that’s increasingly putting us all at risk. It’s time we thought about breaking up the National Security Agency.
Broadly speaking, three types of NSA surveillance programs were exposed by the documents released by Edward Snowden. And while the media tends to lump them together, understanding their differences is critical to understanding how to divide up the NSA’s missions.
The first is targeted surveillance. This is best illustrated by the work of the NSA’s Tailored Access Operations (TAO) group, including its catalog of hardware and software “implants” designed to be surreptitiously installed onto the enemy’s computers. This sort of thing represents the best of the NSA and is exactly what we want it to do. That the United States has these capabilities, as scary as they might be, is cause for gratification.
The second is bulk surveillance, the NSA’s collection of everything it can obtain on every communications channel to which it can get access. This includes things such as the NSA’s bulk collection of call records, location data, e-mail messages and text messages.
This is where the NSA overreaches: collecting data on innocent Americans either incidentally or deliberately, and data on foreign citizens indiscriminately. It doesn’t make us any safer, and it is liable to be abused. Even the director of national intelligence, James Clapper, acknowledged that the collection and storage of data was kept a secret for too long.
The third is the deliberate sabotaging of security. The primary example we have of this is the NSA’s BULLRUN program, which tries to “insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communication devices.” This is the worst of the NSA’s excesses, because it destroys our trust in the Internet, weakens the security all of us rely on and makes us more vulnerable to attackers worldwide.
That’s the three: good, bad, very bad. Reorganizing the U.S. intelligence apparatus so it concentrates on our enemies requires breaking up the NSA along those functions.
First, TAO and its targeted surveillance mission should be moved under the control of U.S. Cyber Command, and Cyber Command should be completely separated from the NSA. Actively attacking enemy networks is an offensive military operation, and should be part of an offensive military unit.
Whatever rules of engagement Cyber Command operates under should apply equally to active operations such as sabotaging the Natanz nuclear enrichment facility in Iran and hacking a Belgian telephone company. If we’re going to attack the infrastructure of a foreign nation, let it be a clear military operation.
Second, all surveillance of Americans should be moved to the FBI.
The FBI is charged with counterterrorism in the United States, and it needs to play that role. Any operations focused against U.S. citizens need to be subject to U.S. law, and the FBI is the best place to apply that law. That the NSA can, in the view of many, do an end-run around congressional oversight, legal due process and domestic laws is an affront to our Constitution and a danger to our society. The NSA’s mission should be focused outside the United States — for real, not just for show.
And third, the remainder of the NSA needs to be rebalanced so COMSEC (communications security) has priority over SIGINT (signals intelligence). Instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.
Computer and network security is hard, and we need the NSA’s expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts — from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly — no secrecy required.
This is a radical solution, but the NSA’s many harms require radical thinking. It’s not far off from what the President’s Review Group on Intelligence and Communications Technologies, charged with evaluating the NSA’s current programs, recommended. Its 24th recommendation was to put the NSA and U.S. Cyber Command under different generals, and the 29th recommendation was to put encryption ahead of exploitation.
I have no illusions that anything like this will happen anytime soon, but it might be the only way to tame the enormous beast that the NSA has become.
ROBERT STEELE: Winn Schwartau led the pack in briefing Congress in 1990 and publishing books such as Terminal Compromise: Computer Terrorism is a Networked World (1991), all of which were very specific about the threat to the US economy and US society of a failure to protect communications and computing. I personally sounded the alarm to the White House in an unacknowledged letter to Marty Harris, then running the National Information Infrastructure (NII) for Vice President Al Gore. That letter included recommendations from Jim Anderson, then one of NSA’s top cyber-security minds. Within the military, as early as 1992 there were concerns about NSA sabotaging encryption on our side for their convenience. My first book in 2000, ON INTELLIGENCE: Spies and Secrecy in an Open World, clearly denounced NSA’s handicapping of US private sector encryption.
NSA does not have a legislative charter. Now is the time to throw it under the bus. Brother Bruce makes some very important points, but then kills the utility of his proposals by putting the dysfunctional parts of NSA into two equally dysfunctional organizations, the FBI (if anything, more retarded than CIA’s Directorate of Operations when it comes to information technology) and Cyber-Command (a really pathetic collection of contractors and reservists that are part of the problem, not part of the solution — see Mark Bowden’s book, WORM: The First Digital World War to understand that all the valuable knowledge is outside the US Government. Cyber-Command is worse than a joke, it is an abomination that should be put to death along with NSA.
I was a contributor to the National Security Act of 1992 that was destroyed by Dick Cheney, then Secretary of Defense, and Senator John Warner (R-VA), then the senior Senator from Virginia. That Act was destroyed because Dick Cheney wanted to keep the secret billions under his control and Senator Warner refused to “right size” the US IC since that meant — in his mind — a down-sizing of budgets and bodies in Virginia. I learned some hard lessons in that encounter, the most important of which is that until Congress is ready to make decisions on the merits, it must be satisfied that any reform will be budget and body neutral from state to state and ideally from district to district. I now know how to do that, by integrating education, intelligence, and research & development — the “trick” is to have a six year plan (2014-2020) that moves budgets and bodies away from dysfunctional secret sources and methods and toward open sources and methods that radically enhance US education and US R&D. We can create a Smart Nation.
To create a Smart Nation we need to have a Smart Nation Act of 2014, something Congressman Rob Simmons (R-CT-02) and were working on when he lost by 80 votes because two newspapers, unaware of his work in this area recommended against him. They did not bother to ask and his staff failed to distribute the copies of the book I published to highlight his work. A copy of the book went to every Senator and every Representative then serving, with a Dear Colleauge letter from Rob.
Below are a few reforms I recommend, that in the aggregate would transform US intelligence:
01 Dismantle the Office of the Director of National Intelligence by 31 December 2016
02 Reinstate the Office of the Director of Central Intelligence by 31 December 2016
03 Expand CIA with a new Directorate of Technical Operations (DTO)
04 Dismantle, expeditiously, both NSA and the Cyber-Command
05 Move Taillored Access Operations (TAO) into the CIA DTO
06 Create a new Office of the Inspectors General and Counterintelligence (OIGC)
07 Create an Open Source Agency to nurture all the opens including security
– This will include a national open source everything (IT) strategy
– This will include the Multinational Decision-Support Centre (MDSC)
– This will include a major role for DoD through the military eight tribe reach-back networks
– This will include a Horizons College within the University of the Republic
– This will include a Consortium for Multi-Disciplinary Research & Development
– This will include a new PhD in Comprehensive Architecture with 128 scholarships a year
08 Elevate and expand the NIC within EOP co-located with OMB DD/M still under DCI
– Have four super NIOs, one each for strategy, policy, acquisition, and operations
– Have senior NIOs for each of the ten high-level threats to humanity
– Have NIOs for every policy domain and every region
– Embrace the holistic analytic model and the “six bubbles” concept of Earth Intelligence Network
– Make true cost economics the foundation for all intelligence analytics henceforth
09 Rebuild the national clandestine service from scratch
– Eliminate the Defense Clandestine Service (DCS)
– Remove all clandestine case officers from official cover no later than 31 December 2016
– Create regional multinational clandestine stations focused on top-level threats of common concern
– Begin recruiting — as the best of us have been recommending since 1994 — non-official cover mid-careerists
– Do not send a spy where a schoolboy can go. Learn to focus and play the long game
None of this is rocket science. It can be done with three parts:
a) John Brennan to the President — throwing NSA under the bus is the perfect move at this time, and a catalyst for getting everything else sorted out. NSA is not our biggest problem — the irrelevance of secret intelligence to strategy, policy, acquisition, and operations is our biggest problem. Jim Clapper has lied to Congress on more than one occasion – never mind that Congress wanted him to lie — the time is right to expel the technocrats and money-movers and get back to the heart and soul of national intelligence: Human Intelligence (HUMINT) in collection, processing, analysis, and direct support to ALL public programs.
b) Win over ALL of the Congressional jurisdictions by showing them the common sense political and financial value of finally being able to have shared ethical evidence-based decision support for all legislative decisions including support to oversight AND we commit to making intelligence reform budget and body neutral from state to state (for certain) and district to district (60% or so). The assures rapid passage of the Smart Nation Act of 2014.
c) Create the Open Source Agency on the South-Central Campus with a fast track real estate deal and the private partnership envisioned by Congress for the adjacent Potomac Plaza Park. This is President Obama’s sole opportunity to improve the landscape of Washington DC. The campus, on land conveyed to CIA and mistakenly returned to the GSA, will hold the new ODCI, the OSA, and a Multinational Decision Support Centre. The plaza will hold the University of the Republic with a Horizons (future-oriented) college. JFK Center, which will take the lead in raising the 450 million needed for the Plaza, will be radically expanded to become a national and global culture center that is activist in nature, with many road shows underway at all times. Together, the Campus and the Plaza will be the first major transformation of the DC landscape since Senator Daniel Patrick Moynihan (RIP) completed the Pennsynvalia Avenue reconstruction capped by the Ronald Reagan building.
I plan to be focused on the above for the next 20-25 years. I came within striking distance in 2000 when Sean O’Keefe was Deputy Director of OMB and approved a Presidential Initative at $125M IOC toward $2B FOC but then he got annoyed with the Director of OMB and went off to run NASA. I came within striking distance again in 2006 when Rob Simmons was ready to support the Smart Nation Act, but his campaign could not overcome two badly-led or bought and paid for local papers. This now is my third shot. Unlike baseball, I get as many strikes as I can handle. This is the right stuff, for the right reasons. I will not stop my advocacy of intelligence reform inclusive of the need to restore integrity to the US electoral and governance process. I have faith in the Constitution and the Republic, and am certain that America the Beautiful can be brought forward once again. The question each of you should ask yourselves is this: why do you not share this faith and this vision? Why are you not an advocate for intelligence with integrity?