Assessing the Review Group Recommendations: Part VI
Chapter VI of the Review Group Report deals with proposed organizational changes at NSA, in the executive branch more broadly, and in the FISA court system. These changes are a pretty mixed bag. Some seem healthy. Some seem impudent. Some seem ill-advised. Let's take them (more or less) in order.
Recommendation #22 suggests that the director of NSA should be a Senate-confirmed position, that civilians should be able to hold it, and that the President should seriously consider making the next head of NSA a civilian. I wholly agree with the first point.
Published by The Lawfare Institute
in Cooperation With
Chapter VI of the Review Group Report deals with proposed organizational changes at NSA, in the executive branch more broadly, and in the FISA court system. These changes are a pretty mixed bag. Some seem healthy. Some seem impudent. Some seem ill-advised. Let's take them (more or less) in order.
Recommendation #22 suggests that the director of NSA should be a Senate-confirmed position, that civilians should be able to hold it, and that the President should seriously consider making the next head of NSA a civilian. I wholly agree with the first point. Senate confirmation would be healthy in every respect. It's a form of oversight and congressional consent. It's also a form of empowerment for the director to have senatorial consent to his or her service. Given the importance and size of NSA, it seems a bit anomalous for it not to have a Senate-confirmed director.
The other two components of this recommendation, however, are at this stage a bit of a moot point. The reason is that President Obama has already rejected the idea that became Recommendation #24: Separating the NSA director role from the head of Cyber Command. Since Cyber Command is inherently a military post, the continued dual-hatting with the head of NSA necessarily means that the NSA director will be a military officer.
What lies behind these two suggestions---and several others in this section of the report---is Recommendation #23: "that the National Security Agency should be clearly designated as a foreign intelligence organization; missions other than foreign intelligence collection should generally be reassigned elsewhere." This is a very complicated idea, the merits of which the report develops only skeletally over---amazingly, in my view---less than a page. There is something to the idea. NSA/Cyber Command as currently constituted is a signals intelligence agency. It is also a military command. It does offense, in the form of both stealing secrets and cyber operations in the covert and military contexts. It also does defense, in the form of information assurance, that is, making sure U.S. government communications are secure. These various missions involve a certain degree of conflict of interest. Should NSA encourage a given technology to be maximally secure, which would service its information assurance mission but perhaps compromise its offensive missions? Or should it encourage a back-door access, which would service its offensive ambitions but also potentially help adversary intelligence services who catch on to the vulnerability? This cluster of recommendations is designed to reduce the conflicts of interest and clarify that NSA is, at the end of the day, a signals intelligence group.
The problem with it is that the dichotomies between offense and defense, between military and civilian, and between foreign and domestic in this realm are no longer sharp. Offense and defense are, in real time, hopelessly intertwined. One learns how to defend in part by attacking. The line between exploitation (foreign intelligence) and military operations is very hazy indeed. And the lines between foreign and domestic bitstreams grow less meaningful every day. So it's easy to declare that NSA's foreign intelligence mission should be segregated from everything else it does, but without more, it's not even entirely clear what that means.What it means to the Review Group becomes clear over the course of several recommendations. One thing it means is (Recommendation #24) that NSA should be separated from CyberCommand. But the President has already rejected this. Another thing it means (Recommendation #25) is that the Information Assurance Directorate should be broken off and made into its own agency within the Pentagon. This seems to me like a really bad idea. If cyber offense and defense are two sides of the same coin, one ideally wants close collaboration between those who are trying to improve our defenses and those who are trying to exploit the weaknesses in other entities' defenses. Separating the functions into separate agencies seems like a bureaucratic move that pushes in exactly the wrong direction. The Review Group acknowledges that there are "strong technical reasons for information-sharing between the offense and defense for cyber security" and that "individual experts learn by having experience both in penetrating systems and in seeking to block penetration." I can't imagine that we would facilitate this information sharing by separating the functions into different agencies with conflicting missions.
Nor would doing so alleviate the ultimate conflict of interest. At the end of the day, the conflict is not NSA's conflict. It is the US government's conflict. If you put information assurance in its own agency, you would still need to resolve on an ongoing basis questions of whether offensive or defensive interests should prevail in a given situation. You would merely up the fight from a fight between components within NSA to a fight between agencies within DOD. And you would increase the chances that the decision-maker resolving this dispute is a DOD official without particular expertise in either area. That seems like a bad trade to me. I'd be interested in hearing from people who know more about how NSA balances its competing missions, particularly from people who disagree with me. But my instinct is that this recommendation should be rejected.
The Review Group then turns, in Recommendation #26, to beefing up internal executive mechanisms for privacy policy. It recommends creating a single privacy and civil liberties policy official both at NSC and at OMB. This idea raises no hackles with me, but people ought not to expect much from it either. Whenever a big set of policy issues requires a big response, somebody proposes the creation of a White House czar to coordinate policy. Fine. It's an easy one to adopt for the President. Appoint a Privacy Czar. Long may he reign.
More importantly, in Recommendation #27, the Review Group suggests strengthening what is now the Privacy and Civil Liberties Oversight Board into something of a bureaucratic player. The Review Group would, first, give it power not merely over counterterrorism issues but over all intelligence issues. This seems sensible, the privacy and civil liberties disputes in intelligence being far from limited to counterterrorism activity. The Review Group would also give the enhanced board the power to field whistleblower complaints from intelligence community employees. I'm attracted to this idea as well, though the board would have to have substantial investigative capacity if it were empowered to handle such complaints. This idea is worth serious study, though it is wholly underdeveloped in the report itself.
The report also suggests creating an Office of Technology Assessment within the board "to assess Intelligence Community technology initiatives and support privacy-enhancing technologies." I like this idea. The loss of the OTA was a substantial one and I am sympathetic to the idea of reviving the capacity it had. I'm not sure whether this capacity ought to reside within the board, but I agree with the Review Group that someone in government ought to be thinking systematically about the privacy implications of new technologies.
Last, Recommendation #27 suggests moving some compliance functions from NSA "and perhaps other intelligence agencies" to the board. This seems like a really bad idea to me. One of the reasons NSA's compliance program has been so effective is that it is the director's program. It's not a bunch of outsiders. While NSA has lots of outside oversight, compliance is thought of as an internal norm too. Take that out of the agency, and the consequences will be pretty disruptive. I suspect you will lose the sense of compliance as integrated with mission and generate a sense of compliance as an outside-imposed (and therefore resented) constraint.
The chapter's last recommendation, Recommendation #28, suggests four reforms of the FISA Court. The first, the creation of a Public Interest Advocate before the court involves a point that has become a matter of broad consensus: A politically diverse array of actors, including the administration and the bipartisan leadership of the Senate intelligence committee, now accepts the proposition that the FISA court needs more adversarial process and that someone should be making arguments against the government's position on controversial points of law. I certainly share that view. That said, the specific mechanism the Review Group proposes strikes me as very likely unconstitutional. It suggests "a Public Interest Advocate, who would have the authority to intervene in matters that raise" important legal issues. The advocate might be invited by the FISC to participate in cases, but it might also "intervene on [its] own initiative (that is, without an invitation from a FISC judge)." I'm really not sure how Congress can create standing for a government office to argue with effectively no client against the position of the Executive Branch, and I thus think this proposal would create significant Article III problems. The better approach, in my view, is create a mechanism by which the FISC can involve amici who have access to underlying case information.
Recommendation #28 also suggests giving the FISC access to better technological information and capacity: the ability "to call on independent technologists, with appropriate clearances, who do not report to NSA or the Department of Justice." This seems sound. Also sound, as I have argued before, is the idea of injecting greater transparency into the operation of the FISC and the FISA appellate court by publishing more opinions and reviewing opinions for declassification more systematically.
Finally, Recommendation #28 contains a proposal to revamp the selection process for members of the FISC. The judges are currently selected by the chief justice, and the composition of the FISC has faced some criticism for being too weighted to Republican-appointed judges. The Review Group would have the FISC judges named by the circuit justices, thereby spreading the appointment power around the Supreme Court. I have no objection to this proposal on the merits. I do very much object, however, to the way the Review Group has lent weight to a criticism that seems pretty frivolous. Whatever one says about the performance of the FISC and its judges, one simply can't make a case for a partisan inflection in their work. Indeed, among the non-FISC judges who have looked at the bulk metadata issue, it is the Democratic-appointed judge who agreed with the unified position of the FISC judges and the Republican-appointed judge who declared the program unconstitutional. By including this recommendation, the Review Group made this issue seem more serious than it really is. Revamping the appointment process for the FISC seems like an unobjectionable idea, but a very low priority item for reform.
That wraps Chapter VI.
Benjamin Wittes is editor in chief of Lawfare and a Senior Fellow in Governance Studies at the Brookings Institution. He is the author of several books.