Why The NSA Can’t Be Trusted to Run U.S. Cybersecurity Programs
This week, the Senate will be voting on a slew of amendments to the newest version of the Senate’s cybersecurity bill. Senators John McCain and Kay Bailey Hutchison have proposed several amendments that would hand the reins of our nation’s cybersecurity systems to the National Security Agency (NSA). All of the cybersecurity bills that have been proposed would provide avenues for companies to collect sensitive information on users and pass that data to the government. Trying to strike the balance between individual privacy and facilitating communication about threats is a challenge, but one thing is certain: the NSA has proven it can’t be trusted with that responsibility. The NSA's dark history of repeated privacy violations, flouting of domestic law, and resistance to transparency makes it clear that the nation's cybersecurity should not be in its hands.
In case you need a refresher, here’s an overview of why handing cybersecurity to the NSA would be a terrible idea:
- An executive order generally prohibits NSA from conducting intelligence on Americans’ domestic activities
"no foreign intelligence collection by such elements [of the Intelligence Community] may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons."
If amended, the Cybersecurity Act would allow the NSA to gain information related to "cybersecurity threat indicators," which would allow it to collect vast quantities of data that could include personally identifiable information of U.S. persons on American soil. Law enforcement and civilian agencies are tasked with investigating and overseeing domestic safety. The NSA, on the other hand, is an unaccountable military intelligence agency that is supposed to focus on foreign signals intelligence—and it’s frankly dangerous to expand the NSA’s access to information about domestic communications.
- NSA has a dark history of violating Americans’ constitutional rights
In the 1960’s, a Congressional investigation, led by four-term Senator Frank Church, found that the NSA had engaged in widespread and warrantless spying on American citizens. Church was so stunned at what he found, he remarked that the National Security Agency’s "capability at any time could be turned around on the American people, and no American would have any privacy left, such is the capability to monitor everything." (emphasis added) The investigation led to the passage of the Foreign Intelligence Surveillance Act, which provided stronger privacy protections for Americans’ communications—that is, until it was weakened by the USA-PATRIOT Act and other reactions to 9/11.
- NSA has continued its warrantless wiretapping scandal
In 2005, the New York Times revealed that the NSA set up a massive warrantless wiretapping program shortly after 9/11, in violation of the Fourth Amendment and several federal laws. This was later confirmed by virtually every major media organization in the country. It led to Congressional investigations and several ongoing lawsuits, including EFF’s. Congress passed the FISA Amendments Act to grant telecom companies retroactive immunity for participating in illegal spying and severely weaken privacy safeguards for Americans communicating overseas.
Since the FISA Amendments Act (FAA) passed, the NSA has continued collecting emails of Americans. A 2009 New York Times investigation described how a “significant and systemic” practice of "overcollection" of communications resulted in the NSA’s intercepting millions of purely domestic emails and phone calls between Americans. In addition, documents obtained via a Freedom of Information Act request by the ACLU, although heavily redacted, revealed "that violations [of the FAA and the Constitution] continued to occur on a regular basis through at least March 2010"—the last month anyone has public data for.
- NSA recently admitted to violating the Constitution.
Just last week, the Office of the Director of National Intelligence—which oversees the NSA—begrudgingly acknowledged that "on at least one occasion" the secret FISA court "held that some collection… used by the government was unreasonable under the Fourth Amendment." Wired called it a "federal sidestep of a major section of the Foreign Intelligence Surveillance Act," and it confirmed the many reports over the last few years: the NSA has violated the Constitution.
- NSA keeps much of what it does classified and secret
Because cybersecurity policy is inescapably tied to our online civil liberties, it’s essential to maximize government transparency and accountability here. The NSA may be the worst government entity on this score. Much of the NSA's work is exempt from Freedom of Information Act (FOIA) disclosure because Congress generally shielded NSA activities from FOIA [2]. Even aside from specific exemption statutes, much information about NSA activities is classified on national security grounds. The NSA has also stonewalled organizations trying to bring public-interest issues to light by claiming the "state secrets" privilege in court. EFF has been involved in lawsuits challenging the NSA’s warrantless surveillance program since 2006. Despite years of litigation, the government continues to maintain that the "state secrets" privilege prevents any challenge from being heard. Transparency and accountability simply are not the NSA’s strong suit.
We remain unconvinced that we need any of the proposed cybersecurity bills, but we’re particularly worried about attempts to deputize the NSA as the head of our cybersecurity systems. And even the NSA has admitted that it does "not want to run cyber security for the United States government."
Thankfully, new privacy changes in the cybersecurity bill heading towards the Senate floor have explicitly barred intelligence agencies like the NSA from serving as the center of information gathering for cybersecurity. We need to safeguard those protections and fend off amendments that give additional authority to the NSA. We're asking concerned individuals to use our Stop Cyber Spying tool to tweet at their Senators or use the American Library Association's simple tool to call Senators. We need to speak out in force this week to ensure that America's cybersecurity systems aren't handed to the NSA.
- 1. Executive Order 12333 was amended in 2003 by Executive Order 13284, in 2004 by Executive Order 13355, and in 2008 by Executive Order 13470. The resulting text of Executive Order 12333 is available here (pdf).
- 2. Three of the most common statutes that NSA uses to fight transparency: Section 6 of the National Security Agency Act of 1959 (Public Law 86-36, 50 U.S.C. Sec. 402 note), which provides that no law shall be construed to require the disclosure of, inter alia, the functions or activities of NSA; The Intelligence Reform and Terrorism Prevention Act of 2004, 50 U.S.C. Sec. 403-1(i), which requires under the Responsibilities and Authorities of the Director of National Intelligence that we protect information pertaining to intelligence sources and methods; and 18 U.S.C. Sec. 798, which prohibits the release of classified information concerning communications intelligence and communications security information to unauthorized persons.