The Cybersecurity Canon: No Place to Hide (Part 1)

Rick Howard



For the past decade, I have held the notion that the security industry needs a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education.

If you’d like to hear more about my Cybersecurity Canon idea, take a look at the presentations I made at this year’s RSA Conference and at Ignite 2014. As always, I love a good argument, so feel free to let me know what you think.

No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State (2014) by Glenn Greenwald

There’s much to talk about with many arguments to consider so we’re going to spend a bit more time with this book. Check back tomorrow for Part 2.

Glenn Greenwald and other journalists began releasing a seemingly endless supply of classified U.S. government documents to the public in summer 2013. Those documents describe just how deep the rabbit hole goes in terms of U.S. government surveillance of its own citizens and allies and in terms of potential threats to the U.S. government.

Ever since, politicians, military leaders, and talk show pundits alike have attempted to characterize Edward Snowden—the man who stole the documents from the NSA and released them to the journalists—in an unfavorable light. They say he is a traitor. They say he is a coward. They say he is a spy. They say he is a hacker. They say he was just a low-level analyst with no understanding of the impact of what he did. They say he was an insider threat.

All of these characterizations, whether true or not, divert the conversation away from the main issue — the most pressing question that we all, as American citizens, should be asking ourselves: Should the U.S. intelligence community be allowed to spy on U.S. citizens without the benefit of a warrant and without the benefit of a checks-and-balances system managed by a trusted third party? Glenn Greenwald does not think so and wrote No Place to Hide to make the case.

The book is a strange concoction: part expose, part autobiography, and part screed “against the man.” Greenwald tries to accomplish many tasks here, and I think because of that, the important messages within it are not as clear as they should be. He tries to set the record straight on the mechanics of how Snowden was able to position himself with two U.S. government contractors—Dell and Booz Allen Hamilton—and as an employee of the NSA and the CIA in order to steal secrets that exposed the U.S. government’s surveillance programs on U.S. citizens. But Greenwald does not provide enough detail to make sense of the story. Readers must seek other sources to fill in the gaps.

Greenwald attempts to make the case that government-sponsored, unwarranted and secret searches of American citizens are a trespass on the U.S. Constitution and America’s notions on privacy rights. But his argument is fuzzy. Everything Greenwald says is absolutely true, but the way he says so is not convincing. If you want a concise and elegant explanation why this is an issue that everyone should be concerned about, not just U.S. citizens but all citizens from around the world, watch Stephen Fry’s short video on the subject.

Greenwald also launches an attack on the Fourth Estate, claiming that journalism has completely failed in its presumed adversarial role against the government and has not monitored and checked abuse of state power. He loses his credibility because instead of writing about the story, he is writing about himself in the story. It comes across as whiny.

That said, this is an important book. Greenwald puts constant pressure on the American political establishment in order to challenge the need for such invasive programs – he keeps us talking about it. And I believe we all must continue to talk about it. Just because No Place to Hide is not as clear as it could or should be does not mean that it does not have value.

This debate about how intrusive the U.S. intelligence community can be on American citizens, on American allies, and on potential American threats and about what the American political leadership decides to do about it will impact the character of the country forever. We have to get this right.

The Law

In order to understand the significance of the situation, we have to start with the Founding Fathers. In Greenwald’s interpretation, they passed the Fourth Amendment because of their experience with the British before and during the American Revolution. The Founders agreed that it was acceptable for a government to search individual citizens if it had probable cause of wrongdoing and produced a warrant approved by a judge attesting to the fact, but they viewed the practice of a government using a general warrant to make the entire citizenry subject to indiscriminate searches as inherently unacceptable.

The language in the Fourth Amendment to the U.S. Constitution is simple, elegant and clear. It is part of our Bill of Rights, and we fought a revolution to get it:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

According to Greenwald,

“It was intended, above all, to abolish forever in America the power of the government to subject its citizens to generalized, suspicionless surveillance.”

Greenwald quotes U.S. Supreme Court Justice Louis Brandeis, in the seminal 1890 Harvard Law Review article “The Right to Privacy,” to make his point:

“[R]obbing someone of their privacy was a crime of a deeply different nature than the theft of a material belonging.”

After 9/11, Americans were afraid and rightfully so. More than 3,200 citizens died in a scant two hours due to the results of a well-executed, surprise, terrorist attack the likes of which had never been seen before on American soil.

The US’s reaction was immediate. Not even a month later, President Bush signed a Presidential Directive called the Presidential Surveillance Program that granted an unprecedented amount of surveillance powers to the NSA, in pursuit of terrorist activities, that allowed bulk collection of metadata from U.S. citizens. Shortly after, the U.S. Congress passed the Patriot Act that essentially made President Bush’s Directive the law of the land.

Section 215 of this act was the first legislation that authorized metadata collection. The Patriot Act also authorized the FBI to compel Internet service providers, credit card companies, and phone companies via a national security letter (NSL) to provide information relevant to a counterterrorism or counterintelligence investigation. They could also impose gag orders to prohibit NSL recipients from disclosing that they received the NSL. This change eliminated the former law enforcement restriction of collecting intelligence on only a foreign power without a warrant.

According to Greenwald,

“What made the Patriot Act so controversial when it was enacted in the wake of the 9/11 attack was that Section 215 lowered the standard the government needed to meet in order to obtain “business records,” from “probable cause” to “relevance.” This meant that the Federal Bureau of Investigation, in order to obtain highly sensitive and invasive documents—such as medical histories, banking transactions, or phone records—needed to demonstrate only that those documents were “relevant” to a pending investigation.”

In the mid-1970s, America clamped down on the intelligence community after scandals regarding CIA assassination plots and other abuses emerged in the public. But as these things normally do over time, the Patriot Act caused the pendulum to swing in the opposite direction in regard to how much leeway America wanted to give its intelligence community. We had taken almost all of the safeguards off of the intelligence community and told them to never let another 9/11 happen again.

What We Learned from the Leaks

According to Greenwald,

“Snowden’s files indisputably laid bare a complex web of surveillance aimed at Americans (who are explicitly beyond the NSA’s mission) and non-Americans alike. …Taken in its entirety, the Snowden archive led to an ultimately simple conclusion: the US government had built a system that has as its goal the complete elimination of electronic privacy worldwide.”

I think the biggest revelation about the Snowden leaks was not that the NSA was spying on U.S. citizens, although that was a big one, but that our assumed liberal-minded Internet start-ups were in on the deception. According to classified documents that Snowden stole, the NSA had deals with many of our favorite Internet companies to collect information directly from their servers pertaining to U.S. citizens, companies like the following:

  • Apple
  • AOL
  • Facebook
  • Google
  • Microsoft
  • Yahoo!
  • YouTube

According to the documents, Microsoft vigorously cooperated with the NSA to allow access to several of its most-used online services: SkyDrive, Skype, and Outlook.com. Facebook and Google claim that they gave data only when the NSA presented a warrant. On the other hand, it is public record that Yahoo! fought the NSA in court against participating, but the company lost the case. Twitter declined to make it easier for the government to access Twitter data.

The next biggest revelation was that the NSA indiscriminately collects millions of phone records every day from Verizon without a warrant and from both within the United States and from other countries. This is the so-called metadata collection process that has been in the news from the start.

One revelation that the Fourth Estate has not talked about as much is that President Obama signed a Presidential Directive in November 2012 authorizing the Pentagon to start planning for aggressive cyber attacks. He directed the military to draw up potential overseas cyber targets.

The most hypocritical revelation came from the documents that showed that the NSA is involved in economic espionage. The NSA targeted the Brazilian oil giant Petrobras, as well as other companies from Venezuela, Mexico, Canada, Norway, and Sweden for economic purposes, not terrorism. In light of the recent U.S. Department of Justice (DOJ) indictments against five Chinese military hackers for conducting cyber economic espionage against the US, this seems to be a little two-faced.

Check back tomorrow for Part 2 of this discussion of No Place to Hide, where I’ll get into the various arguments and counter-arguments surrounding this controversy.
