James A. Baker, who for a long time ran the Office of Intelligence Policy Review in DOJ (which focused on FISA), and more recently worked in the Deputy Attorney General’s Office on cyber issues, gave a Constitution Day address at Dickinson College. The speech is about “national security and the Constitution as it relates to the collection of intelligence information for cyber-security purposes” – a topic that, as he notes, “has received far too little attention in the recent debates about government surveillance post-Edward Snowden.” I highly recommend that anyone interested in surveillance reform or cybersecurity read this speech.
Here are a few snippets. On what the government will need to do to meet the cyber threat:
To do everything that I’ve described [to meet the cyber threat], the President will need metadata about cyber-activities. . . . In addition to metadata, the President will also need access to the content of communications; that is, he’ll need to understand the substance, purport or meaning of the communications themselves, in addition to information about the existence of the communications and the identities of the parties to the communications. Among other things, this is because he’ll want to understand what the malware is doing or is intended to do. The “meaning” of the malware is content. I note that not everyone agrees with me on that point, but I think it is correct.
If you haven’t figured it out by now, in order to provide the President with such a comprehensive picture of the cyber landscape the Intelligence Community or some other element of the Executive Branch, such as the Department of Homeland Security (DHS), will want access to, and the ability to store for later examination, a huge amount of data. And that data will need to pertain not only to individual devices on a network, such as someone’s smartphone, iPad, or desktop computer, but also to the myriad of devices and networks that control and operate our critical infrastructure, such as our power grid and transportation system. Moreover, in order to do everything that I have described, the President would need access to a considerable amount of data pertaining to the Internet itself, or, as some have argued, all of the data on the Internet. Let me repeat that: there are arguments that in order to defend ourselves, the government needs to be able to monitor all Internet communications. All of them. Is this possible, even if it is necessary? Maybe. The key limiting factors are money and access. And you would need lots of both.
On the current legal framework:
However, in my view the complex patchwork of statutes and rules that exists currently and that impacts intelligence collection for cyber purposes is simply not up to the task of protecting both our security and our privacy in the cyber area in a thorough, thoughtful, and comprehensive manner. Our surveillance and privacy laws need an overhaul. For example, it is often still too difficult to figure out what is lawful and what is not. This negatively impacts both intelligence collection and privacy protection. Out of confusion, lawyers can say no when they should say yes, and yes when they should say no. There are many legislative proposals out there to address some aspects of this, although everyone seems to acknowledge that none of them are perfect. But that should not prevent us from acting. Why should we wait for the malicious cyber actors to force our hand and enact sweeping reforms following a major crisis?
These points set the stage for what Baker describes as “ten issues that any legal reform effort will need to address.” Worth a read.
