A rare window in the mindset of a top NSA official.
“Lots of lawyers like to say they’ve litigated through public controversy,” Rajesh De says with a chuckle, “but I’ve actually lived it.”
De isn’t kidding: He had been the top lawyer for the National Security Agency (NSA) for about a year when former agency contractor Edward Snowden leaked a trove of classified materials that instantly turned one of the most secretive arms of the U.S. government into the nation’s No. 1 topic of conversation. Snowden’s revelations about widespread government surveillance of the world’s electronic communication networks raised serious questions about the legality and ethics of the program. It was a controversy in which De, as the agency’s general counsel, stood directly in the center.
This scandal was hardly the first time De has lawyered his way through a high-profile, high-stakes position. Prior to joining the NSA, De worked as a legal advisor to the 9/11 Commission and as a staffer on the Senate Homeland Security & Governmental Affairs Committee. De also served as the White House staff secretary, personally managing the information flow going to President Obama.
After three years at the intelligence agency, De left government and now runs a rapidly growing team of over 30 lawyers in the privacy and cybersecurity practice at Washington, D.C.-based law firm Mayer Brown, which represented Ameritrade in one of the earliest high-profile data-breach cases, and the firm he left to join the executive branch during the early days of the Obama administration. (Full disclosure: Mayer Brown managing partner Kenneth Geller is the father of the Daily Dot’s deputy morning editor, Eric Geller.)
While De wasn’t able to respond to a few key followup questions—specifically two concerning the NSA’s reported purchase of zero-day exploits and its reported infiltration of major SIM card manufacturer Gemalto—De offered detailed insights into the spy agency’s efforts to find balance between security and privacy, why the NSA often has trouble defending itself in public, the culture of “No Such Agency,” and what it was like on the inside when the Snowden bombshell went off.
You gave a speech at Georgetown University in 2013 where you said the idea that the NSA “is a vacuum that indiscriminately sweeps up and stores global communications is not something that’s true.” Can you expand on that? There’s definitely a perception among much of the public that this is precisely what’s happening.
Rajesh De: It’s both not accurate within our legal and regulatory mandates, nor is it accurate as a practical matter. NSA conducts its activities in what I would characterize as the most robust legal and policy framework in the world for these activities. And that’s for good reason. I say that proudly because the U.S. intelligence community is one of the most powerful intelligence communities in the world, and we also have the strongest democratic tradition in the world.
Last January, the president issued a policy directive to the intelligence community. Without getting in the weeds, it’s called Presidential Policy Directive 28. The first section of that articulates the principles by which we will and will not conduct this type of intelligence. First among those principles is intelligence collected will be as narrowly tailored as feasible given our national security needs. That is a principle from the president of the United States. Even within that context, what is conducted is not indiscriminate collection; it’s because of certain intelligence requirements developed by policy makers.
Those who don’t pay too close attention think the NSA is out there gathering up whatever it can without rhyme or reason. But, in fact, [collection] is in response to things called intelligence requirements, which are made through a big, formal process across the executive branch, by which different parts of the policy apparatus articulate needs for information. That ultimately gets winnowed down and articulated for lots of different intelligence agencies, not just the NSA, about what they need to know about X, Y, or Z. That is what the NSA is out there trying to collect.
One of the things that surprised me most about serving as the general counsel at the NSA was that it was a lot like serving as the general counsel for a highly regulated business or enterprise, which isn’t how most people would think of the job. It’s actually quite a complex array of constitutional principles, statutory regimes, internal executive branch regulations and, on top of that, an auditing and oversight structure that is unlike anything I had seen before. That’s not an answer to every critique, but it’s a fact that I had to deal with. It’s really important to this question of what is pulled in and how the NSA is conducting itself with what is gathered.
So much of the NSA’s mission necessarily involves secrecy, creating an inherent difficulty in the agency’s ability to have the degree of transparency necessary to gain trust with a large segment of the public. How good of a job do you think the NSA has done in balancing secrecy and openness?
Well, there certainly is room for improvement. But I also think that it’s far more complicated than those who don’t have to actually do the job think it is. There are clearly things that the government is striving to be more transparent about. Things like what the framework within which intelligence activities—not just the NSA’s—are conducted. What is the value proposition of those intelligence activities? Is it useful? Is it helpful? What are the American people getting out of it?
“Last year alone, 60 to 80 percent of the information provided [to] the president in his daily brief came in part from the NSA.”
It’s complicated because you can’t always talk about intelligence successes, but I think the American people would be both pleased and surprised about the intelligence successes we’ve had. You need to understand that at a greater level in order to actually have a thoughtful, reasonable opinion about what the framework should be within which we operate. I certainly think that’s an area that can be improved.
I don’t think people realize how much of a driver the NSA is within the intelligence community. Last year alone, 60 to 80 percent of the information provided [to] the president in his daily brief came in part from the NSA. That’s astonishing. I do think there’s a need for the government to be more proactively transparent about what the intelligence community is asked to do at a high level and what value it provides.
Was the job of the NSA, in explaining both its mission and the controls on intelligence gathering it has place, made more difficult by not being more forthcoming about its activities prior to the Snowden leaks?
I certainly think the government would be well served to explain what it does in any situation. The history of “No Such Agency” did not serve it well when people start asking questions and wondering what the agency does. When there is a vacuum, people will naturally think the worst; we all do that. It would behoove the intelligence community to be more forward leaning and proactive.
You had been at the NSA for about a year before the Snowden leaks. What was the atmosphere inside the agency when it happened?
I was relatively new at the time, so I probably had a different experience than many of the people who had worked at the agency, in the culture of “No Such Agency” for many years.
My sense of it was that there were two overriding emotions among the workforce. The first was a deep, deep [feeling] of betrayal. Someone who was sitting next to them—being part of the team helping keep people safe, which is really what people at the agency think they are doing—could turn around and do something so self-aggrandizing and reckless.
“When there is a vacuum, people will naturally think the worst.”
There was also a deep sense of hurt that a lot of what was in the media was not entirely accurate. Questioning the motives and legality of what NSA employees were being asked to do to keep Americans safe—all within the legal policy construct that we’ve been given—that was difficult for the NSA workforce. The good thing is that it’s a mission-oriented place. Folks do tend to put their heads down and do what they’re supposed to do. They worked through it.
You’ve said that the NSA is bound by a whole set of regulations aimed at protecting Americans from unlawful surveillance. Can you give an example of something the NSA could do with the technology that it has, but is electing not to do because of legal or privacy concerns?
I can’t give you a particular example, not because I can’t think of them, but because I can’t talk to that level of granularity.
That question does raise a very good point. In the context of a lot of disclosures that have come out post-Snowden, often the focus is on technical capabilities without considering the complete legal framework within which we have to operate. Talking about any program or activity, one very simple principle adheres: Under the Foreign Intelligence Surveillance Act (FISA), targeting a U.S. person for the contents of their communications anywhere in the world requires a probable cause finding by a federal judge. There’s lot of talk about what the NSA could do, but that is a legal principle, enshrined in FISA. There is sometimes a disconnect between technical capability and legal framework. Whenever one reads about technical capabilities, one has to think about it in that context. But it’s very rare that anyone actually writes about that latter piece.
There have been multiple government review groups that have gone through things like the phone metadata program and charged that there haven’t been too many tangible benefits outside of what could have been obtained through more traditional targeted phone records demands. How do those sorts of reports play into the agency’s decision-making process?
What happens, unfortunately, is that there tends to be polarized discussion about if X is the most important thing in the world, what terrorist attack has it stopped? As opposed to a thoughtful discussion about how intelligence works. How complicated the landscape is? How different tools interplay with one another? How should one measure [a program’s] contribution to public safety? Those are all really hard questions. Effectiveness should be, and is in fact, part of what intelligence agencies think about.
There is sometimes a disconnect between technical capability and legal framework.
One program that has been closely discussed is an email metadata program that was in place up until 2011. The decision to shut that program down was not made because there wasn’t legal authority to do it but because it didn’t make sense as an operational or resource matter. That is very good public example of a program that wasn’t worth continuing that there was legal authority to conduct. It’s hard to talk about those generally, but that folks would be well advised to understand that far more consideration other than what’s been going on come into play—operational effectiveness, resource issues, privacy considerations, risk considerations, etc.
Through leaks and government reports, there have been disclosures of certain compliance violations by individual NSA employees. There were the analysts who were caught spying on former love interests and people collecting data outside of the limits of FISA. Have there been any criminal prosecutions for those violations? Are there other enforcement actions that have taken place?
I don’t have any details of the particular cases. But if you look at the public correspondence between the folks at the NSA and senior folks at the Justice Department that have articulated what’s happened in some particular cases, there are a couple big picture points. One is that the Foreign Intelligence Surveillance Court (FISC) opinions that have been released should put to bed any notion that the FISC is somehow a rubber stamp for the executive branch. If you take a moment to read some of those opinions, they can be quite harsh on the executive branch when mistakes happen. They’re quite useful in that regard.
Two: Some of this should give some confidence that the auditing and oversight mechanisms that are in place actually work—whether it is audits from outside the agency or automatic auditing from within the agency, [or] other sorts of methods that are in place. It’s not an accident that we haven’t seen widespread abuse of the intelligence apparatus. We have structures in place, at least in that respect, that actually work. We should feel confident and good about that as the American people.
Photo via NSA.gov