Last week, Niskanen Center adjunct fellow Brandon Valeriano gave an excellent overview of the Vault 7 leaks in a widely-read article for the Washington Post. It even garnered some blowback from a Russian-friendly news outlet, the tone of which was largely reminiscent of Mr. Trump’s rhetorical prose. (Russian propaganda outlets are defending WikiLeaks and the current Administration by utilizing the same post-truth tactics so endeared by Mr. Trump and his close associates, you say? I’ll leave it to readers to make of that what you will.) Despite Brandon’s reasoned assessment of this recent data dump’s implications, I’ve been hearing a great deal of outrage over the mere existence of the CIA’s toolset.
Over at Reason, for example, Ronald Bailey quotes cybersecurity expert Bruce Schneier in order to make the point that “security is more important than surveillance.” The point being that the vulnerability equities process (VEP)—which establishes a process for the government’s disclosure of exploitable bugs discovered in software—is a better mechanism for achieving optimal cybersecurity in the online ecosystem than permitting the intelligence community a free hand to engage in supercharged surveillance. I would tend to agree (and more on the VEP later), but that argument is something of a red herring.
The ongoing debate over privacy and national security doesn’t boil down to whether or not we will have an intelligence community actively engaged in surveillance activities; it’s a question of how sizable a window of government surveillance we are willing to tolerate as a society. While I tend to view many of the intelligence community’s surveillance operations with suspicion, I also accept that national security necessitates the use of tools that can serve the mission of protecting American interests.
Furthermore, the CIA’s mission is not aimed at securing domestic cybernetworks; its job is to “preempt threats and further U.S. national security objectives by collecting intelligence that matter.” In order to fulfill that charge, the CIA requires the tools necessary to do the job. In an age of ubiquitously interconnected communications channels, many of the old “black bag” tools that sufficed in the pre-digital era simply cannot do. That’s not to say human intelligence operations are obsolete—there’s actually a compelling case to be made that in an age of information overload, it’s more important than ever to invest in human intelligence assessments to understand human motivation—it’s merely to suggest that as technology changes, so must intelligence agencies adapt.
The question, then, is not an existential one (Should the CIA have these tools?). Rather, this is fundamentally a policy question (When should the CIA make use of these tools and what should be done if and when they are abused?) On that last parenthetical question, it’s worth pointing out that a lot of folks are jumping the gun on crying foul over the mere existence of these tools. As Herb Lin points out in a recent Lawfare article:
Nothing in the documents suggests how, if at all, any of them have been used. In particular, nothing released as yet indicates they have been used against Americans. And it’s the CIA’s job to gather intelligence from non-Americans. Whether you think that’s a legitimate mission is an entirely different issue than the release of the Vault 7 documents.One of the issues that deserves more attention here is just how broken and disjointed the VEP is. We need to reconsider how to balance the national security needs of intelligence acquisition with the cybersecurity and economic risks inherent in hoarding zero day exploits. The solution to reforming the VEP ultimately will have to involve Congressional action to formalize a more standardized and certain process for disclosure. That’s a debate worth having, but it’s tangential to the more fundamental policy question: when and how we permit the state to gather intelligence.
Rather than promoting the unfounded idea that the CIA is acting in an extralegal fashion or that all government surveillance is a tool for Orwellian oppression, we should be focused on how to achieve compromise in this debate. To that end, policymakers should embrace the TAO of surveillance reform: transparency, accountability, and oversight.
- Transparency involves making as much of the process by which such tools are utilized available for scrutiny;
- Accountability serves to establish clear limits on the authority of analysts and operators, while also incentivizing clear lines of communications between those who would bear the responsibility for compliance infractions; and
- Oversight ensures that any infractions not ameliorated by internal procedures and incentive mechanisms are ultimately addressed by members of Congress with the appropriate clearance.
Instead, we should focus on reforms to surveillance operations that prizes TAO above illusions of perfect security or privacy. By establishing a system in which decisions, once made, can be reviewed in an ex post fashion, we move closer to striking the ideal balance between a protection of constitutional rights and a defense of national security. If an incident comes to light that is clearly illegal, or socially unpalatable based on the ever-changing goal posts of political acceptability, it is imperative to know who made the decision, when it was made, and how future episodes might be avoided. Unfortunately, this is not the conversation many are having in the wake of the Vault 7 leaks.
Many of the criticisms are instead focused on the constitutionality of the tools in question. On that note, it seems quite clear these capabilities do not, by mere incidence of their existence, constitute any sort of constitutional crisis emanating from within the “deep state.” Nothing revealed in the Vault 7 leaks should come as a surprise to anyone who follows surveillance policy issues. We would fully expect the intelligence community to have developed such cyber capabilities. Of course, it would be a loathsome revelation to discover such tools were put to use in violating the constitutional protections afforded Americans. Yet there is nothing thus far revealed that would suggest these capabilities have been used in an extralegal fashion. Rather, the concern here—as with many other surveillance programs revealed post-Snowden—is that the potential for abuse remains acute. It is that sentiment that resonates most significantly with concerned Americans.
There is another problem people seem to be overlooking with respect to the Vault 7 leaks and the accompanying “smash the deep state” tropes. In fact, it is the same issue I wrote about in a Lawfare article on the Trump Administration’s Russia connection: a breakdown of trust in the institutions of government. At a certain point, that deterioration of trust could lead to a stark and frightening choice—one best captured by Bill Kristol here:
However this all works out, one thing is certain: we need reconciliation between the needs of the intelligence community and the perceived threats to the Constitution. This is where the TAO of surveillance reform can help broker that peace. TAO reforms to the surveillance apparatus are necessary in order to address the concerns associated with potential rights violations. Whether past incidents have merely been incidental “technical issues” (as the PCLOB report on the Section 702 program discusses) or not, such compliance incidents cannot go unaddressed. And indeed, the potential for nefarious abuse of Vault 7 hacking tools or broader surveillance programs like Section 702 and PRISM is a compelling argument for more transparency, clearer accountability, and better oversight.