The Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies, released last week, provided the President with some excellent advice and recommendations. Most of the news reports focused, naturally enough, on the big hits – major recommendations, contentious findings or lack thereof and the implications for the administration.
It’s a very long report and, for me, the highlights are the measured tone, sense of history and discussion of principles, things that don’t get reported as easily. I thought I’d take a moment to call out some of these b-sides and deep cuts for folks who don’t have time to work through the 300 plus pages of the report.
1. The review group did a great job conceptualizing security (p15 and p44) in a fashion that establishes the right intellectual foundation for the findings and alludes to the importance of our values in considering surveillance capabilities:
In the American tradition, the word “security” has had multiple meanings. In contemporary parlance, it often refers to national security or homeland security. One of the government’s most fundamental responsibilities is to protect this form of security, broadly understood. At the same time, the idea of security refers to a quite different and equally fundamental value, captured in the Fourth Amendment to the United States Constitution: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated . . . ” (emphasis added). Both forms of security must be protected.
2. The discussion on protections for non-US persons (p19, p151-157) would allow American businesses to operate internationally, set a benchmark that some nations don’t even apply to their own citizens and would avoid awkward press conferences where government officials unintentionally say to the world that we only protect the rights of U.S. citizens:
Significant steps should be taken to protect the privacy of non-US persons. In particular, any programs that allow surveillance of such persons even outside the United States should satisfy six separate constraints. They:
1) must be authorized by duly enacted laws or properly authorized executive orders;
2) must be directed exclusively at protecting national security interests of the United States or our allies;
3) must not be directed at illicit or illegitimate ends, such as the theft of trade secrets or obtaining commercial gain for domestic industries;
4) must not target any non-United States person based solely on that person’s political views or religious convictions;
5) must not disseminate information about non-United States persons if the information is not relevant to protecting the national security of the United States or our allies; and
6) must be subject to careful oversight and to the highest degree of transparency consistent with protecting the national security of the United States and our allies.
3. The report makes a strong argument for maintaining the current multi-stakeholder Internet governance approach (p214-5, p225-6). Note ‘greater state control’ means the potential for other nations to run more draconian surveillance programs than those of the NSA.
A competing model, favored by Russia and a number of other countries, would place Internet governance under the auspices of the United Nations and the International Telecommunications Union (ITU).
This model would enhance the influence of governments at the expense of other stakeholders in Internet governance decisions, and it could legitimize greater state control over Internet content and communications. In particular, this model could support greater use of “localization” requirements, such as national laws requiring servers to be physically located within a country or limits on transferring data across borders.
4. The discussion of ‘dual-use’ technology (p180-7) accurately described the changing technological and operational environment that has made these technologies both critically important and increasingly contentious.
1) From nation-states to well-hidden terrorists. During the Cold War, our intelligence efforts were directed against foreign powers, notably the Soviet Union, and agents of foreign powers, such as Soviet agents in the US who were placed under FISA wiretap orders. After the terrorist attacks of September 11, 2001, the emphasis shifted to fighting terrorism.
2) From domestic to foreign. For ordinary citizens, the distinction between domestic and foreign communications has eroded over time.
3) From wartime to continuous responses to cyber and other threats. In recent decades, the global nature of the Internet has enabled daily cyber- attacks on the communications of government, business, and ordinary Americans by hackers, organized crime, terrorists, and nation-states. As a result, the development of high-quality defenses against such attacks has become a priority for civilian as well as military systems.
4) From military combat zones to civilian communications. An important change, which has received relatively little attention, concerns the military significance of the communications devices, software, and networks used by ordinary Americans.
5. Finally, I’d like to give a shout out to the excellent researchers who helped the review group. In particular, whoever snuck this James Madison quote into the report (p. 124). Epic.
As James Madison observed, “A popular Government, without popular information, or the means of acquiring it, is but a Prologue to a Farce or a Tragedy; or, perhaps both.”
It will be interesting to see what becomes of this report beyond the recent news cycle. As Benjamin Wittes at Lawfare pointed out, it’s awkward for the administration. Ultimately, the Review Group has done the nation a great service with this report and, hopefully, it provides the President an opportunity to start turning this situation around.