The Cybersecurity Canon: No Place to Hide (Part 2)

For the past decade, I have held the notion that the security industry needs a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education.

If you’d like to hear more about my Cybersecurity Canon idea, take a look at the presentations I made at this year’s RSA Conference and at Ignite 2014. As always, I love a good argument, so feel free to let me know what you think.

No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State (2014) by Glenn Greenwald

In part 1 of my discussion of this book, I talked about the history leading up to the Snowden leaks and what they revealed. Today let’s examine the various arguments and counter-arguments that have since emerged.

The Pro-surveillance Response: Discredit the Messenger

One thing that comes out loud and clear in this book is that Glenn Greenwald is acutely aware of the way the pro-surveillance side attempts to redirect the attention from the issue at hand.

Instead of debating the merits of the American intelligence community spying on its own citizens, that side first wants to flog Edward Snowden for breaking the law. It wants to criticize Greenwald for not being a great journalist. It accuses Snowden of running off to Taiwan and then to Russia to avoid incarceration as if that motive somehow weakens the revelation that the NSA collects all electronic communication, or at least as much as possible, from within the United States without a warrant. The pro-surveillance side says that if Snowden’s whistleblower attentions were so honorable, he would come back to the states to face the authorities. None of that matters, or if it did, it is at least secondary and causes confusion within the citizenry when we debate the topic: Should we sacrifice the tenants of the Fourth Amendment for the sake of a little more security?

The Pro-surveillance Response: If You Have Nothing to Hide, Then You Have Nothing to Worry about

Personally, I hate this argument. It is another misdirection by the pro-surveillance side and does not address the issue. What the pro-surveillance side wants you to think is that if you are a law-abiding citizen, then the only people who will be negatively impacted by mass surveillance are the criminals and the terrorists and all the rest of the bad people. According to Greenwald,

“Governments have long convinced populations to turn a blind eye to oppressive conduct by leading citizens to believe, rightly or wrongly, that only certain marginalized people are targeted, and everyone else can acquiesce to or even support that oppression without fear that it will be applied to them.”

In other words, this argument really implies that if a U.S. citizen completely conforms to the way the U.S. government wants you to think, then you are not at risk.

The danger, though, is when an individual citizen starts to think that the U.S. government may not be doing the right thing and decides that he or she may want to speak out against it. There are plenty of examples of the U.S. government collecting intelligence on its citizens when leadership felt threatened by a dissenting voice: The FBI’s surveillance on Martin Luther King Jr. and President Nixon’s Watergate operation are just two famous examples. There are so many divisive issues in our culture today—gun control, abortion, universal healthcare, etc.—that there is no way that an individual citizen won’t be on the wrong end of an argument depending on who wins the next election. If your side loses, then you are no longer in conformance. In today’s technology terms, it is so easy to collect intelligence and discover dissenting voices that entire swatches of the population could be affected. This “if you have nothing to hide” argument is really not an argument about protecting us from the criminals; it is about suppressing dissenting voices, and that is scary.

The Pro-surveillance Response: Terrorism Is Scary

Greenwald makes the point that the U.S. government’s answer as to why it needs a mass surveillance program is that terrorism is scary. I have worked for security vendors for the past decade, and I recognize this tactic. In the security space, we all recognize this as the fear, uncertainty, and doubt pitch. The idea is that we try to scare the hell out of you so that you buy our product. This is exactly what the U.S. government is doing here. When Greenwald asserts that the mass surveillance program has not stopped a single terrorist plot, the U.S. government has no answer other than that terrorism is scary.

U.S. Hypocrisy

On 19 May 2014, the U.S. DOJ indicted five Chinese nationals for the crimes of “computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.”

I attended a dinner of government officials in Washington, DC, just after the DOJ made this announcement, and of course the subject came up for discussion. I was struck by the hypocrisy of the announcement in light of the Snowden revelations and said so, but the government officials present drew the distinction between national security espionage and economic espionage claiming that the United States engages in only national security espionage while China engages in both. According to Fred Kaplan at Slate magazine, President Obama pushed this negotiating point with Chinese President Xi Jinping at a Summit in Palm Springs in 2013. According to Greenwald, NSA spokespeople claim that the agency

“…does engage in computer network exploitation but does ***not*** engage in economic espionage in any domain, including ‘cyber.’” [emphatic asterisks in the original]

I was stunned that American officials would draw that very thin line there, but Greenwald points out that there really is no line at all and uses more Snowden documents to prove it. In No Place to Hide, Greenwald says that the NSA intercepted communications on the Brazilian oil giant Petrobras and routinely collected information from various economic summits.

James Lewis, a famous analyst with the Center for Strategic and International Studies, says there is a distinction between collecting intelligence regarding international economic questions and sharing that intelligence with U.S. companies to improve their bottom line. He says there are many reasons why the state may want to know about the economic situation regarding a certain country, but that does not mean that the government collects it with any eye toward giving American companies an advantage. He says that the U.S. law called the Economic Espionage Act specifically gives the United States permission to collect on bribery and non-proliferation issues but nothing else.

However, as Glyn Moody from TechDirt opines regarding the Petrobras revelations,

I am not a foreign policy expert by any means, but I don’t see how pushing an obvious double standard in negotiations with the Chinese can bear any fruit. It is one thing to agree on what is out of bounds and what is in bounds in terms of acceptable cyber espionage on the world stage, but to formally indict five Chinese citizens for a crime that you are also perpetrating seems disingenuous at best and absolute hubris at worst.

The Argument against Mass Surveillance for Anti-terrorism

Greenwald cites five reasons why mass surveillance is a bad idea:

• The practice of mass surveillance is likely unconstitutional.
• President Obama’s own review panel said that the metadata program was not essential to preventing terrorist attacks.
• Mass surveillance collection, as opposed to targeted collection, makes finding terrorists more difficult.
• Mass surveillance is a draconian reaction when you consider the statistically small chances that you will die from a terrorist attack.
• Even if mass surveillance were necessary, allowing the government to do it without transparency is counter to the Founding Fathers’ design of the country.

Constitutionality?

On 16 December 2013, U.S. District Judge Richard J. Leon ruled that the government did not make its case concerning the need for mass surveillance in order to protect against terrorism in a timely manner. According to Leon,

“The Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time sensitive in nature… Thus, plaintiffs have a substantial likelihood of showing their privacy interests outweigh the Government’s interest in collecting and analyzing bulk telephony metadata and therefore the NSA’s bulk collection program is indeed unreasonable search under the Fourth Amendment.”

Review Panel Conclusions

In the wake of the Snowden revelations, President Obama directed a review of the entire program on 27 August 2013. On 18 December 2013, the panel published its findings. Panel members acknowledged that

“In addressing these issues, the United States must pursue multiple and often competing goals at home and abroad.”

The following are those goals:

• Protecting the nation against threats to its national security
• Promoting other national security and foreign policy interests
• Protecting the right to privacy
• Protecting democracy, civil liberties, and the rule of law
• Promoting prosperity, security, and openness in a networked world
• Protecting strategic alliances

With that said, the panel could not find any pressing need for the metadata collection program:

“Our review suggests that the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional section 215 orders.”

Mass Surveillance Collection Makes Finding Terrorists More Difficult

Greenwald points to the NSA’s less-than-stellar record at preventing any number of terrorist plots in recent history:

• The 2012 Boston Marathon bombing
• The attempted Christmas Day bombing of a jetliner over Detroit
• The plan to blow up Times Square
• The plot to attack the New York City subway system
• The string of mass shootings from Aurora to Newtown
• Major international attacks from London to Mumbai to Madrid

He believes that the reason the record is so poor is that the actual collection of all of that data makes it harder to find and prevent terrorism activities compared to other more traditional law enforcement activities driven by warrants.

Is Mass Surveillance Necessary to Solve a Statistically Small Risk?

This is the classic risk equation that all security people are used to evaluating. Anybody can come up with a terrorism scenario that would be devastating to the country. As security professionals, our job is to evaluate these scenarios across a two-dimensional risk matrix.

On the x-axis, we plot how likely is it that this scenario will actually happen from “not very likely” on the left to “will absolutely happen” on the right. On the y-axis, we plot how impactful the scenario is if it were to happen from “no impact” on the bottom to “will materially impact the country” on the top. None of us has unlimited resources. Because of that, we focus on the risks that end up in the up-and-to-the-right section on our risk matrix. These are the scenarios that are likely to happen and that will have a meaningful impact if they do. The fact is that for most terrorism scenarios, they tend to sit in the up-and-to-the-left section on the risk matrix. The chances of them happening are not too likely, but if they do, they will have a medium to large impact.

These terrorism scenarios are outliers because they are not that likely to happen. According to Greenwald,

“The number of people worldwide who are killed by Muslim-type terrorists, Al Qaeda wannabes, is maybe a few hundred outside of war zones. It’s basically the same number of people who die drowning in the bathtub each year.”

Greenwald’s point is that we should seriously consider if we want to deconstruct the Fourth Amendment to protect ourselves from such an event, an event that is scary for sure, but an event that is not likely to happen.

Mass Surveillance without Transparency Is Counter to the Founding Fathers’ Design of the Country

There has always been a tension between national security and government transparency. James Madison -- one of the Founding Fathers and a primary contributor to the American Constitution – believed:

Transparency was an essential cornerstone of democratic governance.

And Patrick Henry said:

The liberties of a people never were, nor ever will be, secure when the transactions of their rulers may be concealed from them.

Greenwald points out,

“Democracy requires accountability and consent of the governed, which is only possible if citizens know what is being done in their name. The presumption is that, with rare exception, they will know everything their political officials are doing, which is why they are called public servants, working in the public sector, in public service, for public agencies.”

The point is that whatever we as a nation decide is the legitimate use of the U.S. intelligence apparatus, we must also insist that the mechanical process of that apparatus be completely transparent to the American citizen.

Why the Leaks Were Good

Putting aside the issue of whether Edward Snowden is a hero or a criminal, Greenwald contends that his release of the Snowden documents to the public has far more positive impact to the United States and to the world at large than any negative consequences that may have occurred to the U.S. intelligence apparatus because of it. Greenwald lists the following positive outcomes from the Snowden leaks:

• The entire world is debating the merits of the ubiquitous state surveillance, pervasive government secrecy, and the value of individual privacy.
• The world is challenging America’s hegemonic control over the Internet
• Journalists are reconsidering the proper role of journalism in relation to government power

Thoughts on Snowden

Throughout No Place to Hide, Greenwald presents a personality picture of Edward Snowden. Compared to Chelsea Manning,the other notorious whistleblower in recent U.S. history, Snowden seemed to think long and hard about what he was doing. He may have been naïve and uninformed, but Greenwald’s picture of him is of a person who has seen an egregious wrong, thought about what to do about it, considered the consequences for him and the nation, and executed a plan to try to create change. Greenwald quotes Snowden,

“My sole motive is to inform the public as to that which is done in their name and that which is done against them. The U.S. government, in conspiracy with client states, chiefest among them the Five Eyes—the United Kingdom, Canada, Australia, and New Zealand—have inflicted upon the world a system of secret, pervasive surveillance from which there is no refuge. They protect their domestic systems from the oversight of citizenry through classification and lies, and shield themselves from outrage in the event of leaks by overemphasizing limited protections they choose to grant the governed.”

“I’m not afraid of what will happen to me. I’ve accepted that my life will likely be over from my doing this. I’m at peace with that. I know it’s the right thing to do.”

For all of the things he may be—traitor, coward, spy, hacker, low-level analyst, insider threat—Snowden is a man of his own conviction. You may not agree with what he did, and you can point to his naiveté about the impact of what he did to the intelligence establishment, but he stood up for what he thought was right and decided to do something about it regardless of how that affected his own personal life.

The Solution

In No Place to Hide, Greenwald would prefer not letting the U.S. government spy at all, but he recognizes that is probably a bridge too far. In the meantime, he offers these four intermediate solutions that are not that unreasonable:

• Enact legislation that will provide oversight, accountability and transparency for the entire intelligence community
• Convert the FISA court into a transparent judicial system so that there is an adversarial relationship to both sides of the argument
• Encourage international efforts to build new infrastructure so that all traffic does not go through the US
• Encourage individuals to adopt COMSEC tools and demand that vendors make them easy to use

Conclusion

No Place to Hide is not what I would call rigorous reporting. Greenwald conveys what happened to him as he followed this story and thus became part of the story himself. As I sought to corroborate the details presented within, I found I had to go to many other sources to fill in the gaps.

That said, Greenwald’s telling of the story is important enough to the security community, the United States and to the world at large that I think it is required reading. He discusses everything from the Fourth Amendment and why it should be anathema to all American citizens to allow the government to spy on its communications without a warrant, to NSA programs and their scope, to the government’s justification of mass surveillance by attempting to discredit Snowden.

He then lays out the arguments against mass surveillance without a warrant,  describes why the world is better off today because of the Snowden leaks, and describes the detailed timeline from when Snowden initially contacted Greenwald to their meetings in Taiwan to Snowden’s eventual escape to Moscow. Finally, Greenwald describes his reasonable solution for the problem: better legislation to provide oversight, accountability and transparency for the entire intelligence community, convert the FISA court into a, adversarial judicial system, encourage international efforts to build new infrastructure so that all traffic does not go through the United States and finally, encourage individuals to adopt COMSEC tools so that all intelligence agencies have trouble intercepting communications.

Greenwald tries to present a lot of complicated material in No Place to Hide. He was not completely successful at doing so, but he is writing about the fundamental principles of how we want the United States to behave in the digital world. Governments have a lot of capability to present their side to this debate. Greenwald is one voice on the other side that has grabbed center stage because of his relationship with Edward Snowden. Because of that, we should pay attention to what he has to say. Despite the less–than-stellar prose, No Place to Hide is a Cybersecurity Canon candidate, and you should have read it by now.