Reckless Reforms

Why the Obama administration should ignore recommendations from the panel it established to review NSA surveillance.

In mid-December, the President's Review Group on Intelligence and Communications Technologies released its findings to great fanfare. The panel, established to evaluate government surveillance activities, joined a growing chorus of critics of the National Security Agency (NSA) and the Obama administration's aggressive approach to intelligence. Yet the group's report is seriously flawed. It reflects a misunderstanding of the function of foreign intelligence activities and offers some recommendations that are likely to harm these activities, while also doing little to nothing to protect individual rights.

The review group's report calls for an end to bulk collection of metadata -- information about when one person called another, but not the content of their conversation -- as well as new steps to protect Americans against what panelists fear is unjustified government surveillance. The panelists recognize the tricky tradeoff between better intelligence and civil liberties, especially in an era of rapid technological change. Yet the unmistakable theme in their report is that policymakers and intelligence officials have gone too far in the direction of security. Now is the time to put the brakes on programs the panel believes create "risks to public trust, personal privacy, and civil liberty." 

The report also calls for more stringent criteria about when the NSA can intercept the communications of foreign individuals. This recommendation is a response to news that the NSA listened in on cell-phone conversations of world leaders like German Chancellor Angela Merkel. Policymakers and intelligence officials, we are told, should be much more careful about whom they target and how much data they collect.

Already, the report has prompted criticism from those who see it as threatening the capabilities of the intelligence community. One of the report's authors, former CIA deputy director Michael Morell, has recently attempted to rebut this criticism. He notes in a Dec. 27 Washington Post op-ed that the report does not say the NSA's collection of metadata "is not important to national security, which is why we did not recommend its elimination."

Morell is right that the report did not find the metadata program worthless (and it is noteworthy that he goes on to argue that the program would have prevented the 9/11 attacks). Yet his argument that the review group did not recommend the program's elimination is either disingenuous or backpedaling away from the report itself.

In its executive summary, the report clearly calls for an end to "government collection and storage of mass, undigested, non-public personal information about U.S. persons for the purpose of enabling future queries and data-mining for foreign intelligence purposes." Instead, the report calls for such information to be held by a third party, such as a private contractor. This outsources a large part of the NSA's core business of signals intelligence. If not exactly elimination, this plan is quite close, preserving just some elements of the program in private hands.

More important than whether the plan constitutes an end to metadata collection, however, is the fact that it is perhaps the worst of all possible worlds. A public-private metadata-sharing protocol would face serious practical and legal obstacles, which is one reason both intelligence officials and industry leaders are opposed to the idea. At the same time, it would increase the risk of future leaks because more individuals (public and private sector alike) would have to be involved in sharing information. After the Snowden affair, it is bizarre that the review group finds putting more information in the hands of contractors comforting.

In addition, the review proposes two additional reforms that could inflict grave harm on U.S. intelligence collection, neither of which is mentioned by Morell in his op-ed. First, the panelists call for extending the protections enjoyed by American citizens and those living in the United States, such as the Privacy Act of 1974, to foreign citizens living abroad. The Privacy Act sharply restricts the government's ability to collect data on Americans, while giving people the right to access whatever information the government does have on them. The report notes that the Department of Homeland Security already accords these protections to non-U.S. citizens and that the intelligence community is already bound by the Privacy Act in matters like background investigations it conducts on employees. By extension, the report asserts that it would not be too much for the intelligence community to extend similar protections to non-U.S. citizens outside our borders.

While this position is fashionably cosmopolitan, in practice, it would turn out to be either meaningless or extremely damaging to intelligence collection. The intelligence community would not be likely to collect significant data from non-U.S. citizens through voluntary means like background investigations. As the report itself notes, the Privacy Act does not apply to systems related to national security, such as networks used for storing and transmitting classified information; if this exemption were continued, in most cases, the information available to non-U.S. citizens would be trivial or nonexistent, as most intelligence is classified and would be held in systems that the Privacy Act does not cover.

On the other hand, if the intent is to make some information from national security systems available, then the impact would be devastating. The Privacy Act, for instance, permits "any individual to gain access to his record or to any information pertaining to him which is contained in the system." If the intelligence community faithfully implemented the act, it would also have to allow a target of its espionage and "a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him."

At the risk of stating the obvious, this would demolish the whole purpose of spying.

The second major flaw in the report that Morell does not address is its call to eschew in almost all instances the exploitation of so-called "Zero Day vulnerabilities" in software. A Zero Day vulnerability is one whose existence is not known and therefore has not been addressed by the developer in a patch. These vulnerabilities can be used to infiltrate computer systems to collect intelligence, inflict harm, or both. The report asserts, with very little supporting argument, that fixing these vulnerabilities is more important than intelligence collected by exploiting them in all but a handful of cases. Though not discussed specifically in the report, this policy approach would likely rule out programs like the alleged exploitation of Microsoft Windows error reporting by NSA's Tailored Access Operations, used to gain insight into target systems.

Put simply, the exploitation of vulnerabilities is the core of intelligence. The panel's recommendation is akin to arguing that if one discovered a highly placed official of a foreign government with a drinking and gambling problem, then rather than attempting to exploit that problem, the intelligence community should guide him into rehab. Certainly, if a Zero Day or other system vulnerability affects sensitive U.S. government systems, then the NSA should act to repair it, but a general policy of non-exploitation needlessly handicaps the intelligence community. It flies in the face of the sort of careful analysis of costs and benefits that the review group's report calls for in other circumstances.

The root of these flaws in the report is the failure to distinguish between domestic law enforcement and foreign intelligence. Law enforcement, by definition, is meant to uphold the Constitution and protect the civil liberties of U.S. citizens. Policemen and prosecutors must obey strict guidelines on how they conduct surveillance on suspects and what kind of evidence they can use in court. Foreign intelligence, on the other hand, operates by breaking other countries' laws. Human intelligence organizations like the CIA try to convince foreign nationals to pass secrets to the United States. And signals intelligence organizations like the NSA consciously and deliberately steal private communications abroad without the target individuals' knowledge or consent.

The review group, however, recommends that the same criteria be used to determine when the government can collect information about U.S. citizens and foreign individuals on the grounds of protecting rights. In addition to recommending extending the Privacy Act to non-U.S. persons, it declares that intelligence agencies "must not target any non-United States person solely on that person's political views or religious convictions." While this is obviously crucial in terms of safeguarding the civil liberties of U.S. citizens, it makes no sense in the world of foreign intelligence. Intelligence agencies always collect information on foreign individuals because of their political views and other beliefs. Why else would they care about particular people, if not for the way they see and interact with the world?

Up to now, the debate about the NSA has focused on the balance between discovering information about terrorists and protecting the rights of citizens. This is understandable, as the legal basis for the NSA programs is the Patriot Act, and because the White House justifies metadata collection on the same grounds. But characterizing the issue as a choice between counterterrorism and civil liberties is simplistic and misleading. The review group admirably stresses that there are security concerns that go beyond terrorism, but it then fails to consider the value of metadata in addressing a host of challenges the intelligence community is facing. Efforts to combat state-sponsored industrial espionage, for example, require painstaking counterintelligence work. Efforts to break up transnational proliferation networks are also likely to benefit from metadata collection; this is a logical way to map the networks and see how they operate, which may be one reason why the Obama administration is fighting so hard to keep the NSA programs alive.

What's more, despite some fears that the NSA could use metadata to create a "mosaic" of someone's activities, in reality, this is a pretty inefficient way of encroaching on anyone's privacy. In the past, when the intelligence community has violated civil liberties, it hasn't bothered with such a roundabout approach. In the 1960s-1970s, for example, the CIA infiltrated various domestic political organizations, and the NSA intercepted the telegraphs of individual citizens. We have plenty of experience with intelligence agencies behaving badly, and they haven't been very subtle about it. Collecting and storing metadata is thus very different from what we've seen in the past -- and, in fact, Occam's Razor suggests that it is not a violation of civil liberties at all.

Ultimately, while generated with an admirable desire to preserve people's rights and privacy, the flawed recommendations in the review group's report threaten to do more harm than good. As the Obama administration considers reforming the NSA, it would do well to ignore them.



The Future of the Military is Robots Building Robots

Why tomorrow's arsenal can't be created with the tools of the past.

From the B-2 bomber to the M1 Abrams tank, the United States has for decades developed, built, and fielded the most advanced and capable weapon systems in the world. That's changing because of declining budgets, emerging technologies, and global competition from rising powers like China. Today, for the first time in recent history, the Pentagon is in danger of losing its vast technological advantages over potential adversaries. And the evolution of the Air Force's most recent warplane provides a cautionary tale of what may lie in store.

The development of the F-22 -- a next-generation fighter with advanced stealth and electronic warfare capabilities -- took 22 years and cost, in constant dollars, roughly 60 percent more than the Manhattan Project. Building each aircraft also took several years, and today, with production complete, the U.S. Air Force has roughly 187 F-22s. The aircraft is expected to stay in service through the 2040s, up to 66 years after engineers first began developing the plane. By comparison, the development of the F-4 in the late 1950s took about 6 years and cost nearly 95 percent less, in constant dollars, than the F-22.

Of course, there is really no comparison between the quality of an F-22 and an F-4 -- they operate in different eras and face different threats. There is also no comparison between an F-22 and most current combat aircraft around the world. A recent RAND study anticipates an "exchange ratio" wherein the United States would down 27 adversary aircraft for each F-22 lost in combat. However, with such a small fleet, each aircraft becomes increasingly valuable. And in some operations, the loss of even one aircraft could turn into a public relations or strategic victory for an adversary -- even if that enemy cannot defeat U.S. forces outright.

We don't need to accept this situation as our future. Adm. Jonathan Greenert, chief of naval operations, argues the value of "payloads over platforms." Given the time and cost issues of developing platforms like aircraft and ships, we should instead focus our innovation efforts on the equipment they carry, like weapons, sensors, and communication gear. Admiral Greenert makes a valid case, but what if the process used for aircraft design, production, and fielding could provide us similar flexibility and innovation?

Taking an approach of process over platforms could maintain U.S. advantage by building unmanned aircraft using short development cycles and accelerated production schedules that would lower both the overall cost of the program and the cost of building each individual aircraft. A fleet of such aircraft could be developed and produced adaptively, changing and growing to address threats as they emerge. A vision for this approach involves using advanced manufacturing technologies, including 3-D printing (also known as additive manufacturing) and integrated robotic assembly, to rapidly produce unmanned aircraft systems. Making that vision a reality will mean using digital technology -- data files for the production of aircraft components, software-driven assembly using robotic builders, and computerized remote piloting -- to generate a paradigm shift in the development of combat aircraft. The ability to produce unmanned aircraft more quickly and add new capabilities rapidly will unleash the potential of these systems.

3-D printing was formerly a technology reserved for building prototypes and models, like machine tools or topographic models; but recent advances, including the ability to produce higher-quality products using a variety of materials, are opening entirely new frontiers in rapid design and production. The technology has the potential to reduce the amount of time and money that go into producing new aircraft. All defense contractors that build U.S. military aircraft currently use 3-D printing to a modest extent, but a significant expansion of these efforts could see production move from parts to entire systems.

Robotic assembly is neither new nor unique to manufacturing. Car companies like Toyota and General Motors have extensively used robotic assembly for flexible manufacturing for years. Using this type of automated assembly to build planes would mean they could be finished in weeks or months -- not years. In a crisis, robotic assembly would also allow contractors to build more aircraft in a hurry: instead of training highly skilled workers to man additional shifts or facilities, an automated assembly line could operate around the clock when needed with reduced manpower.

Unmanned aircraft have proven to be a game changer in recent military operations because they can stay in the air longer than human-piloted aircraft and cost far less to use. Newer generations of unmanned aircraft will be able to fly further, take off from aircraft carriers, and fight alongside F-22s and F-35s. And they'll be able to fly themselves so effectively that human operators can be trained faster and potentially fly multiple aircraft simultaneously.

Using automated production lines to build unmanned aircraft would allow defense contractors to move new aircraft models from development to production to operation faster and more cheaply than is possible today. That would allow us to experiment with a variety of unmanned aircraft, from a model that specializes in aerial combat to, say, a model focused on suppression of enemy air defenses -- even though some wouldn't make it to large-scale production. Rather than trying to predict combat needs 50 years in the future, planners would focus on near-term, clearer needs. We would build aircraft that last just 5 or 7 years, not 40 or even 70, and the military could update new models quickly, with improvements in communications or electronic warfare.  In times of peace, that would keep potential adversaries guessing about what the Pentagon was actually moving into wide-scale production. During times of war, we could take the best prototypes and build whole fleets faster and cheaper than could be done today.

The current acquisition process is optimized for 20th-century threats, and therefore is not suited for the rapid pace of technological change that we now face. Digital, adaptable, and automated production can take advantage of rapid change, and would force adversaries to try to be more innovative and fast-paced, an inherently cost-imposing strategy. That would be more valuable than any one weapon system.

Unmanned combat aircraft and advanced 3-D printing haven't fully arrived, but they're not as far away as many people think.  More importantly, experimenting with these technologies could significantly change the national security dynamic. Now is the time to change the game -- if we don't, someone else will.
