• IUB Newsroom »
• Indiana University cybersecurity expert calls for splitting the NSA

Indiana University cybersecurity expert calls for splitting the NSA

Law professor also recommends public debate, dedicated oversight agency amid further Snowden leaks

• Nov. 4, 2013

FOR IMMEDIATE RELEASE

BLOOMINGTON, Ind. -- The National Security Agency should be split into two halves -- one to secure the cyberinfrastructure of the Department of Defense and related agencies, the other to gather foreign intelligence -- in an effort to better protect the nation’s security and the privacy of its citizens and begin restoring the NSA's reputation in the wake of several damaging leaks, according to an Indiana University law and cybersecurity expert.

Separating the agency into two halves is one of 10 bold suggestions that Distinguished Professor Fred H. Cate made in a letter submitted this week to the President’s Review Group on Intelligence and Communications Technology. The panel will issue a report to President Barack Obama by the end of the year, if not sooner, on ways to mitigate damage to civil liberties and privacy while maintaining a robust national defense.

“The NSA’s activities should not operate outside of the law or be conducted in ways that are unnecessarily intrusive or costly or damaging -- to personal privacy, to the U.S. economy, to the integrity and standing of the nation or to the values that we purport to uphold,” Cate wrote. By splitting the agency into two distinct halves with two distinct missions, he said, the NSA’s intelligence gathering operation would be far less inclined to exploit weaknesses discovered by the team charged with protecting critical cyberinfrastructure.

After a summer of jaw-dropping revelations that proved American privacy is at or near all-time lows, the spy agency again came under fire last week after documents leaked by Edward Snowden purported to show the NSA’s ability to tap into data links to major service providers such as Google and Yahoo.

In response, Cate outlined nine other steps the Obama administration, Congress and the NSA itself should consider taking.

• Clearly define the NSA’s mission. The agency is no longer simply focused on international intelligence gathering. As the Snowden documents clearly illustrate, the NSA has taken considerable interest in collecting data of Americans.
• Establish and fund an effective oversight agency. “The disclosures over the last six months have made clear that the oversight mechanisms currently in place do not work well,” Cate wrote. Cate argued that an independent agency could help the NSA think more broadly about its activities, provide meaningful oversight, advise Congress and the president on compliance, and provide a basis for public trust in the mission and activities of the NSA.
• Enforce existing law. One of the most astonishing aspects of this summer’s revelations is how little attention seems to have been paid to the laws already in place that are designed to govern the NSA’s surveillance. Those who violated those laws must be held accountable, including termination and possibly prosecution, Cate said. In a veiled reference to testimony provided by some intelligence officials, Cate said “one might expect lying to Congress would invite perjury charges, not presidential endorsement.”
• Strengthen the role of the Foreign Intelligence Surveillance Court. “Despite the best efforts of the judges who populate the court, the FISC is not designed to provide effective, informed oversight of NSA surveillance activities,” Cate wrote. The most glaring hole in the process is that no one argues against the government. “In the FISC, where our most fundamental rights are at stake, no opposing views are ever heard,” he wrote. Allowing the oversight agency to provide security-cleared attorneys would at least prevent the rubber-stamp approach currently pervading FISC opinions. Lastly, making court opinions public would help restore some trust to the court and the NSA. Cate noted that the government, quick to put itself in a more favorable light amidst the Snowden leaks, declassified several FISC opinions with no harm.
• Deploy basic tools to secure data and enhance compliance. Cate pointed out multiple steps already agreed upon by multiple task forces that would help ensure data are protected and used appropriately and that misuse would be detected and stopped quickly.
• Prohibit the agency from collecting records in bulk on U.S. persons. The bulk collection of records on U.S. citizens and permanent residents, such as the metadata on billions of phone calls the NSA has been collecting for the past seven years, is illegal and inconsistent with the NSA’s “foreign intelligence” mission, Cate wrote, and so should be prohibited outright or permitted only by special congressional authorization.
• Tell the public what they can. Calling it an “over-classification problem,” Cate argued that keeping secret legal interpretations, data systems and other assertions of government power further incites mistrust among the public. “Claims that any disclosure will alert our adversaries and cause irreparable damage are made with such frequency and are so frequently proven wrong that I believe they should be discounted significantly,” Cate wrote. “Whatever we think of the good intentions of the current leadership of the NSA, this is the surest way to the abuse of power and, ultimately, to tyranny.”
• Foster a national, public discussion. While acknowledging the difficulty in doing so, Cate called this step the most important. “The data to which the NSA has access today is only the beginning of an avalanche of granular personal digital information that is increasingly becoming available,” Cate said. If the NSA is misusing the data already available, how, then, will they be kept in check when transactional, location, behavioral and medical data become even more prevalent in society? “The President has said he welcomes that dialogue, but he did little to foster it, and the NSA actively impeded it through false and misleading statements,” Cate wrote. “We must have a platform for that discussion, and for data to inform it, because in the absence of that national dialogue, the NSA’s expanded surveillance may be not only illegal, but illegitimate as well, compromising the very values the agency claims to be protecting.”
• Update and expand privacy protections. In today’s world, with email, voicemail, documents, photographs, recordings and more held primarily by third parties, the U.S. Supreme Court’s “Third Party Doctrine” is woefully outdated. Under the doctrine, constitutional protection for data is denied to anything held by a third party, effectively denying any sort of protection to the vast majority of data stored today. “Congress should amend the law to provide broader, more consistent privacy rights that apply not only to U.S. citizens and permanent residents, but to all people,” Cate wrote, noting the denial of privacy rights to non-Americans.

In calling for stronger privacy rights, Cate acknowledged the typical government response: Strengthening personal privacy means weakening national security. But he argued it could very well have the opposite effect.

“In the aftermath of the 9/11 attacks, no one claimed we lacked information on the hijackers,” he wrote. “The argument was that we couldn’t ‘connect the dots’ with the information we already had or find the needles buried in the government’s own haystacks of existing intelligence. While the government continues to suggest we need to find more hay, it seems to forget that the end goal of surveillance should be to find more needles.”

The full text of Cate’s comments can be read online.

Fred H. Cate is the director of the Indiana University Center for Applied Cybersecurity Research and the C. Ben Dutton Professor of Law. He is a member of the inaugural U.S. Department of Homeland Security Data Privacy and Integrity Committee Cybersecurity Subcommittee and one of the founding editors of the Oxford University Press journal International Data Privacy Law. He can be reached at 812-855-1161 or fcate@indiana.edu.

Related Links

• IU Maurer School of Law
• Center for Applied Cybersecurity Research