PRIVACY JANUARY 15, 2014
David Sanger and Thom Shanker have a lengthy story in the New York Times about various National Security Agency techniques for penetrating foreign computers and networks, including a strategy for accessing seemingly air-gapped computers. Two thoughts:
First, this article shows how much publication norms have changed in recent years. (Sanger and Shanker note that the NYT did not publish some of the details in the current story when it reported on cyber attacks on Iran in 2012.) This is a story about the technical means and methods of surveillance against foreign countries, including our military adversaries, Russia and China. I believe this is the type of story that would not have been published until relatively recently. “There is no evidence that the N.S.A. has implanted its software or used its radio frequency technology inside the United States,” says the NYT, and the story does not hint at any illegality under domestic law. What then is the justification for publishing these secrets? I imagine that Sanger and Shanker would say something like: the scope of NSA’s foreign surveillance, post-Snowden, is a question of public interest and national debate, and the value to our democracy from publication outweighs the threats to our security. They might also add revelations about the NSA (including ones related to this story) are pouring out from scores of sources abroad, and that if they do not report this story someone else will. If these are the arguments, it is hard to see what NSA secrets the NYT would not publish. I am sure they still withhold information they deem too sensitive (or detailed, or lengthy) to publish, but the line for what is publishable has moved quite a lot. The particularly bad news for the NSA is that the NYT is more discreet than foreign journalistic outlets.
Second, the USG penetration of Chinese networks revealed in this piece looks a lot like the things the United States has been complaining about the Chinese doing in the United States for years. This implicates an old bugaboo for me—the obviously self-serving hypocrisy in the USG’s high-handed complaints in recent years about Chinese penetration of U.S. networks. The NYT quotes an NSA spokesman drawing the usual distinctions: “We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of—or give intelligence we collect to—U.S. companies to enhance their international competitiveness or increase their bottom line.” But I agree with Peter Singer of Brookings, who is quoted in the story as saying that “[t]he argument is not working...to the Chinese, gaining economic advantage is part of national security.” The USG argument is effectively that we want the Chinese to spy on and steal information from us only in the ways we spy on and steal information from them, because the ways we spy on and steal from them, if done to us, won’t cause us as much harm as the espionage and theft strategies that best serve Chinese interests. This obviously self-serving argument is not going to convince anyone outside the United States, especially since (a) the Snowden documents have made clear that the USG often steals economic information, just not for the narrow purpose of giving the stolen information to U.S. firms, (b) the Snowden documents have revealed broader USG economic-related espionage than many thought was going on, and the NSA descriptions of its theft of economics-related secrets has narrowed in recent years (compare the NSS statement above with James Woolsey’s description of NSA activity in this area in 2000), and (c) there is no reason we should expect our adversaries to adopt espionage strategies that serve our interests.
(For the record: I would be quite pleased if the USG could establish a rule of espionage that allowed us to best serve our interests and that disserved China’s interests. But it ain’t going to happen, and the rhetorical strategy for trying to make it happen, as Singer says, isn’t working. As I wrote last year, “[s]erious progress on global cybersecurity will not occur until we acknowledge—first of all to ourselves—that in most respects we are (and are widely viewed as) dominant aggressors in cyberspace, and until we contemplate which of our cyber activities we might tamp down on in exchange for reciprocal concessions by our adversaries.” That statement is all the more true post-Snowden.)