Obama Weighing Security and Privacy in Deciding on Spy Program Limits
By David Sanger
If President Obama adopts the most far-reaching recommendations of the advisory group he set up to rein in the National Security Agency, much would change underneath the giant antennas that sprout over Fort Meade, Md., where America’s electronic spies and cyberwarriors have operated with an unprecedented amount of freedom since the Sept. 11, 2001, attacks.
No longer would a team of two dozen or so agency analysts be able to type into a computer that there was a “reasonable, articulable suspicion” about the person behind an American telephone number and, in seconds, see every call made to and from that phone — followed by the same records for hundreds or thousands of their contacts. Instead, an individual court order would have to be obtained — a far slower process that, just months ago, Mr. Obama’s intelligence team insisted would be too cumbersome in halting attacks.
On the same guarded campus, military and civilian computer hackers working for the United States Cyber Command would be barred from using one of the most important building blocks of their growing arsenal of sophisticated cyberweapons. Every day they exploit previously unknown flaws in computer programs, known in the industry as “zero-days,” to conduct both surveillance and attacks. A handful of such flaws — named for the fact that they have been known to the world for zero days, and thus cannot be defended against — were central to attacking Iran’s nuclear plant at Natanz.
Already, critics of the advisory report have called it a form of unilateral disarmament.
“Bad idea,” said James Lewis, the cyberexpert at the Center for Strategic and International Studies in Washington. “We’d be the only country in the world to knock ourselves out of the market — the Chinese, the Russians, the Iranians, every criminal gang would still be out there developing attacks” with these flaws.
For Mr. Obama — who in the past five years has grown dependent on the N.S.A. for countering terrorist threats, and dependent on Cyber Command for buying time to deal with Iran and other long-term adversaries — the choices he makes in the next few weeks may well define America’s approach to national security long after his term is over.
But it is a major balancing act between a security system that he has come to depend on and principles of privacy that he has said are dear to him.
One of the five experts in the advisory group, Michael Morell, says the task is possible. “We are not in any way recommending the disarming of the intelligence community,” said Mr. Morell, who retired over the summer as deputy director of the C.I.A.
But that is different from saying the choices are cost free. “Both of these have operational impact; there is no question about that,” Michael Hayden, a former director of both the N.S.A. and the C.I.A., said Thursday. “For sure, there are other values than just intelligence collection. Those may be worth it. But there is no doubt that this will make the collection of intelligence slower and more difficult.”
The advisory group is not the only one weighing and shaping Mr. Obama’s choices. His top counterterrorism aide, Lisa Monaco, is briefing him regularly about an interagency review that deals with many of the same issues as the outside advisory group. “Not all of their recommendations were things we had focused on, and not everything we are focusing on in our review is necessarily addressed in their report,” a senior administration official said Thursday.
The administration expects to accept “a good number” of the advisory group recommendations, the official said, and will “perhaps reject others.”
While few in the White House want to admit as much in public, none of this would have happened without the revelations by Edward J. Snowden, the former N.S.A. contractor now in asylum in Russia. While Mr. Obama has said he welcomes the debate about the proper limits on the N.S.A., it is not one he engaged in publicly until the Snowden revelations began. Now the president has little choice — this week alone a constellation of forces is pushing for change: A federal judge called the bulk-collection program “almost Orwellian,” while some in Congress, many of his allies and Silicon Valley executives demanded change.
Those represent very different pressures. Mr. Obama has already said that bulk collection of telephone records should continue. The unresolved question is whether he agrees with the advisory committee that the records should remain in private hands — either the telecommunications companies or a private consortium — and that individual court authorizations should be required for every use of metadata.
While Mr. Obama can deal with some of those issues by executive order, others would doubtless require congressional action — and even his own party is deeply divided about how much leeway the N.S.A. should have.
Mr. Obama has already acted on another recommendation, albeit quietly: The N.S.A. and the director of national intelligence are no longer able to monitor the cellphones and emails of leaders of other nations without White House approval. That does not mean no national leaders will be tapped; as Zbigniew Brzezinski said Thursday on MSNBC’s “Morning Joe,” “They are the ones we should be listening to.”
But now that one such operation has blown up in the N.S.A.’s hands — the monitoring of Chancellor Angela Merkel of Germany — Mr. Obama has begun to weigh their potential benefits against the huge diplomatic and economic costs if they are exposed. “The president has made it clear he never wants to be blindsided by one of these again,” one of his aides said. Under the advisory group’s proposal he would not be: He would have to approve such operations.
The president is also the one who must approve the use of cyberweapons. Gen. Keith Alexander, who leads both the N.S.A. and Cyber Command, said there were only “a handful or less” such attacks conducted by the United States. But designing the stealthiest cyberweapons occupies thousands of specialists and costs billions of dollars.
The pressure to rein them in is coming from industry, which fears that the N.S.A.’s abilities to crack data encryption and bore into foreign computer systems and the cloud will scare away business across Europe and Asia. Mr. Obama must now make a choice: to keep building the world’s most sophisticated cyberarsenal, or pare back for fear of harming American competitiveness.