Monday, 24 March 2014

The NSA responds to Edward Snowden’s interview at TED

Richard Ledgett, Deputy Director, NSA, speaks with Chris Anderson via video at TED2014. Photo: Bret Hartman
Richard Ledgett, Deputy Director, NSA, speaks with Chris Anderson via video at TED2014. Photo: Bret Hartman
Rick Ledgett is the deputy director of the National Security Agency. He’s here to give a response to Edward Snowden’s onstage/virtual appearance at TED earlier in the week. (See the talk, Here’s how we take back the Internet.) On Tuesday, the former NSA sysadmin made the case for open government and private lives, arguing that “we don’t have to give up liberty to have security.” Here at TED with his own onstage/virtual appearance, speaking on behalf of both the NSA and the American government, Ledgett responds to questions from TED curator Chris Anderson, who started things off. An edited version of their conversation follows:
Rick, we appreciate you joining us. It’s a strong statement that the NSA was prepared to reach out to show a more open face here. You saw, I think, the talk and the interview Edward Snowden gave here. What did you make of it?
I think it was interesting. We didn’t realize he was going to show up there [the audience laughs], so kudos to you guys for arranging a nice surprise like that. I think a lot of things have come up since Mr. Snowden started disclosing classified information. There were some kernels of truth in there but a lot of extrapolations and half-truths in there. I’m looking forward to helping you address them. This is an important conversation, important and of import. We need to have that be a factor in this conversation. We need to make that happen.
The question a lot of people have: What do you make of Snowden’s motivations for doing what he did? Did he have an alternative way he could have gone?
He absolutely did have alternative ways he could have gone. I actually think that characterizing him as a whistleblower hurts legitimate whistleblowing activities. Someone who works in the NSA, and 35,000 people do who are great citizens, mothers, fathers, brothers, sisters, friends and relatives, and they’re all interested in doing the right thing for their country and for our allies internationally. There are a variety of venues to address if folks have a concern. First up, you can go to your supervisor through the supervising chain in the organization. If you’re not comfortable with that, there are inspectors general. In the case of Mr. Snowden, he had the option of the NSA Inspector General, the Navy Inspector General, the Pacific Fleet Inspector General, the Intelligence Committee Inspector General. Any of whom would have kept concerns in classified channels and addressed them. There are also Congressional committees and mechanisms in place. He didn’t do any of that.
[At this point, Chris Anderson calls a halt to the conversation, hoping a break will allow the tech team — which has been scrambling to set up a clear video line between Vancouver and Washington, DC — can fix some of the audio issues, including screechy feedack. As he says, “This is too important not to be able to hear it properly.”] Later, Ledgett takes up where he left off:
I thought that as has been the case in a lot of these discussions, there were some half-truths and distortions in what Edward Snowden said. I’m looking forward to the opportunity to address this. It’s an important national and international discussion that we’re having. It’s important to be informed, and we want to inform with facts, not conjecture and misinformation. I’m happy for the opportunity.
You said Edward Snowden had other avenues for raising concerns. There are a number of comebacks to that: 1. He certainly believes that as a contractor those avenues weren’t available to him; 2. There’s a track record of whistleblowers, such as, say, Thomas Drake, being treated harshly. And thirdly, he wasn’t taking on one specific flaw he discovered but programs approved by all three branches of government. In those circumstances, couldn’t you argue that what he did was reasonable?
No, I don’t agree with that. The actions he took were inappropriate because of the fact that he put people’s lives at risks in the long run. I know there’s been a lot of talk by Edward Snowden and journalists who say the things disclosed did not put national security or people at risk. That is categorically not true. They actually do. There’s also an amazing arrogance to the idea that he knows better than the framers of the Constitution how government should work, should be designed and work with the separation of powers. The executive and legislative branches have to work together, they have to balance each other, and then the judicial branch oversees that whole process. That’s extremely arrogant on his part.
Do you have a specific example of how he put lives at risk?
In the things he disclosed. The NSA is a capabilities-based organization. When we have foreign intelligence targets, legitimate things of interest — the terrorist is the iconic example but that also includes human traffickers, drug traffickers, people trying to build advanced weaponry or deliver systems for them — those capabilities are applied in very discrete and measured and controlled ways. So the unconstrained disclosure of those capabilities mean the targets see it and recognize it and move away from our ability to have insight into what they’re doing. Then we are at greater risk because we don’t see the threats coming and we might be vulnerable. We have seen targets in terrorism, in the nation state area, smugglers, who have moved away from our ability to have insight into what they’re doing. The net effect of that is that our people overseas in dangerous places, our military, our diplomats, our allies in similar situations, face a greater risk.
So you’re saying that your access to information has been closed down. One concern is that the nature of its access was not legitimate in the first place. Describe to us the Bullrun program, in which it’s alleged that the NSA deliberately weakened security to get access.
Legitimate foreign targets use the global telecommunications system, and let me say it’s a great system, it’s the most complex system devised by man. It’s a wonderful thing. It’s also used by those working against us and our allies. And in working against them I ned the capability to go after them. If we could make it so that all the bad guys used the same corner of the internet, if they all used badguy.com, that would be awesome, we could concentrate our capabilities there. That would be awesome. That’s not what happens. They’re trying to hide from the government’s ability to isolate and interdict their actions. We have to swim in the same space.
The NSA has two missions. The first is the signals and intelligence mission about which sadly we read so much in the press. The second is the information and assurance mission, to protect the security of the United States. That’s the communications the president uses, the communications we use to control nuclear weapons, the communications we use with our allies. We make recommendations on those standards — and we use the same standards. We are invested in making sure those communications are secure for their intended purposes.
It seems like when it comes to the Internet, any strategy is fair game if it improves America’s safety. I think that’s why there’s such a divide of opinion. People think very differently about the Internet; it’s a momentous invention of humanity on a par with the Gutenberg press. It’s the bringer of knowledge to all; the connecter of knowledge of all. It’s viewed in idealistic terms and when seen through that lens, what the NSA has done is the equivalent of the Germans inserting a device in printing press to reveal what people bought or read. Do you see how that feels outrageous?
I do understand that and I share that view of the utility of the Internet. But this is bigger than the Internet. This is a big chunk of the global telecommunications system. People have legitimate concerns about the balance between transparency and secrecy. It’s couched as privacy and national security, but I don’t think that’s the right framing. It’s really transparency and secrecy. That’s the national and international conversation we’re having to let people participate in an informed way.
There are things we need to be transparent about, our authorities, processes, our oversight, who we are. We at the NSA have not done a good job of that, and that’s part of the reason why this has been so sensational. We’re “Never Say Anything,” I’ve seen there’s takeoffs of our logo of an eagle with headphones around it — that’s the public characterization of our work. We need to be more transparent, but what we don’t need to be transparent about, because it’s bad to expose them, are the operations and capabilities that allow the people we’re working against, the bad guys, to counter those.
Isn’t it also bad to deal a body blow to the American companies that have essentially given the world the Internet services that matter?
It is. Companies are in as tough position as are we. We compel companies to provide information, just like every nation in world does. Every industrialized nation has a lawful intercept program compelling companies to provide information, and companies comply with those programs as they do in Russia, the UK, China, India or France, in any country you choose to name. The fact that these revelations have been broadly characterized as “you can’t trust Company A because your privacy is suspect with them” is only accurate in that it’s accurate with every other company in the world dealing with those countries in the world. It’s been marketed by countries, including some ally countries, that you can’t trust the US but “you can trust our telecoms because we’re safe.” They’re using that to counter the very large technology edge US companies have in the cloud.
You’re sitting there with the American flag behind you. The American Constitution guarantees against unnecessary search and seizure. Is there a right to privacy?
Of course there is. We devote inordinate, I shouldn’t say that, I should say appropriate time and effort to ensure we protect that privacy and beyond that the privacy of citizens around the world, not just Americans. We’re all on the same network. I use a particular internet email service that is the number-one email service of choice of terrorists. I’m right beside them in email space on the Internet. We need to pick that apart and find the information that’s relevant. In doing so, we’re going to necessarily encounter Americans and innocent foreign citizens going about their business. And when you find it, because you’re certain to find it, here’s how to protect it. We have minimization procedures approved by the Attorney General that are constitutionally based. And for citizens of the world going about their lawful business on a daily basis, the President laid out new protections in a January 17th speech. Absolutely folks have the right to privacy.
What about foreigners using American companies’ Internet services?
They do too. The only way we are able to compel one of those companies to provide us information is when it falls into one of three categories, that this particular person is associated with counterterrorism or proliferation or another intelligence target.
A lot of information you’ve obtained has been metadata, not necessarily words, but it’s who people wrote to when and so forth. It’s been argued that metadata is more invasive than core data. In core data you present yourself as you want to be presented. With metadata who knows conclusions drawn. What do you make of that?
I don’t really understand that argument. Metadata is important for a few reasons. It’s information that lets you find connections that people are trying to hide. So when a terrorist is corresponding with someone who’s not known to us but is supporting terrorist activities or violating sanctions, or is trying to hide activity because it’s because illicit, metadata lets you connect that. The alternative is less efficient and much more invasive to privacy, it’d be a giant collection of content. Metadata is privacy enhancing. We don’t grind out metadata profiles of average people. If you’re not connected to an intelligence target, you’re not of interest to us. [At that, a man at the back of the auditorium says clearly, "Thank you."]
Where would you place terrorism in terms of threats to Americans overall?
Terrorism is still number one. We have never been in a time where there are more places where things are going badly and forming the petri dish where terrorists can take advantage of a lack of governance. An old boss of mine, Tom Fargo, refers to “arcs of instability.” And you have a lot of them in the world right now. In Syria there’s a civil war and a massive number of foreign fighters flooding in there to learn to be terrorists. These are westerners with passports to European countries or the US. They are learning to do jihad and they have expressed intent to go out and do that in their home countries. Iraq is suffering from a high level of sectarian violence; it’s a breeding ground for violence. In the horn of Africa there’s lots of weak governance which forms a breeding ground for terrorist activities. Number two is cyberthreat, in three ways. One way is probably the most common way people have heard of and that’s the theft of IP. Basically foreign countries are stealing companies’ secrets and providing them to state enterprises or enterprises connected with government, which allows them to leapfrog technology or win business intelligence. That is hugely costly and several nation-states are doing it. Number three is distributed denial of service attacks, and there has been a spate of those against the US financial sector since 2012. That’s a nation-state doing so as semi-anonymous reprisal. And the last is destructive attacks, which concern me the most. In 2012 at Saudi Aremco, a Wiper-style virus took out thousands of computers. In March 2013, a South Korean attack attributed in the press to North Korea took out thousands of computers. Those are on the rise; we see people expressing interest in those capabilities.
A lot of people look at the risk and the numbers and don’t understand the belief that terrorism is still a threat. If you don’t include 9/11, in the last 30-40 years, 500 Americans have died of terrorism, mostly from homegrown terrorirsts. The chance of being killed of terrorism is less than being killed by lightning. Of course, nuclear or bioterrorism acts would change those numbers. Is that the point?
Two things. The reason there hasn’t been a major attack in the US since 9/11 is not an accident. That’s hard work we’ve done and folks in the military have done and allies around world have done. You’ve heard the numbers: 54 terrorist attacks were stopped. 25 of them were in Europe, 18 occurred in just three countries, some of them our allies, some of whom are beating the heck out of us over the NSA programs. But that’s not an accident, that’s hard work, that’s us finding intelligence through law enforcement, through cooperation and sometimes through military action. But your idea of nuclear or biothreat is not at all far-fetched. A number of groups have expressed the desire to obtain those capabilities and are working toward that.
So there were 54 incidents, but it’s been suggested that as few as zero of them were revealed because of the controversial programs Mr. Snowden revealed. They were revealed through other forms of intelligence. It’s almost like you’re looking for a needle in a haystack, and yet the controversial programs simply add hay to stack.
No. There are two programs typically implicated in that discussion. One is the Section 215 program, the other one is Section 702, the Fisa Amendment Act, popularly known as the Prism program. The Section 215 program is only relevant to threats directed against the US. There have been a dozen threats where that was implicated. You’ll see people say publicly there’s no “but for” case, no “but for that, the threat would have happened.” That indicates a lack of understanding of how investigations actually work. If you think about a television murder mystery, they start with the body and work to solve crime. We’re starting well before then, before the bodies, to figure out who the people are and what they’re trying to do. That involves a massive amount of information. Think of it as a mosaic; it’s hard to say which is the most important piece of a mosaic.
In 42 of those events, the Prism program was hugely relevant and material in contributing to stopping those attacks.
Edward Snowden said that terrorism provides almost an emotional cover for action. It allows the initiation of these programs to give powers an organization like yours couldn’t otherwise have. Is there internal debate about this?
Yes. We debate these things all the time. Discussion goes on in the executive branch and within the NSA and intelligence community about what’s right, what’s proportionate, what’s the right thing to do. These programs have been authorized by two Presidents, two political parties, by Congress twice and by federal judges 16 times. It’s not the NSA running off and doing these things. This is a legitimate activity of the US government, as agreed to by all branches of the government.
Yet when Congress discovered things that were being done, many were completely shocked. Is that not a legitimate reaction? Did they know exactly what you were doing?
Congress is a big body. In the lower house there are 535 of them and they change out frequently. The NSA provided all relevant information to the oversight committees; the dissemination of information through Congress is something they manage. I would say that Congress members had the opportunity to make themselves aware, and a significant number of them, those assigned oversight responsibility, did have oversight. And you have chairs of those committees say that in public.
You mentioned them previously: cyberattacks are a huge concern. Is there a tradeoff between strategies? In weakening encryption to find the bad guys, might you open the door to cyberattack?
Two things. One, you said weakened encryption, I didn’t. The other is that the NSA has both those missions. We’re heavily biased towards defense. The vulnerabilities we find in the majority of cases we disclose to those responsible for manufacturing or developing products. We’re working on a proposal to be transparent and publish reports in the same way Internet companies can publish reports. We want to be more transparent. We eat our own dogfood, we use the products we recommend. It’s in our interest to keep our communications protected in the way other people’s need to be.
After his talk, Edward Snowden was wandering the halls here. I heard a number of people ask, and he was very complimentary about the people at the NSA, saying that it’s a impassioned group of employees who are seeking to do right thing. The problems have come from badly conceived policies. He came over reasonably and calmly. He didn’t come across as a crazy man. Even if you disagree with how, does the fact that he opened debate matter?
I think the discussion is an important one to have. I do not like the way he did it; there were a number of other ways to do it that would not have endangered our people and people of other nations by losing visibility into what our adversaries are doing. But I do think it’s an important conversation.
There seems to be some disagreement over giving him amnesty. Your boss has said that would be a terrible example to others, that we can’t negotiate with someone who broke the law in that way. Yet you’ve been quoted as saying that if he can prove he surrendered all his documents, then a deal could be considered. Where do you stand?
Yes, 60 Minutes took a part of what I said … What I actually said in response to a question about entertaining a discussion of mitigating action against Mr. Snowden was that yes, it’s worth a conversation. The Attorney General of the US and the president have talked about this, and I defer to the Attorney General as this is his lane. There is a strong tradition in American jurisprudence of having discussions with people charged with crimes as it befits the government to get something out of that. There’s always room for discussion; I’m not presupposing any outcome.
It seems like he has things to offer the US, and perhaps you and others can use his insights to put things right and figure out smarter policy way forward for the future. Has that been entertained?
That’s out of my lane. That’s a Department of Justice discussion. I’ll defer to them.
So the other day I asked Edward Snowden for his idea worth spreading. What would be yours?
Learn the facts. This is a really important conversation that impacts not just the NSA or the government, but you and the Internet companies. The issue of privacy and personal data is much bigger than government. So don’t rely on headlines or soundbites, or on one-sided conversations, That’s an idea worth spreading. We wear badges here, and the lanyard of those people who do crypto-analytic work says “look at the data.” So that’s my idea worth spreading: look at the data.

No comments:

Post a Comment