Today I Briefed Congress on the NSA

This morning, I spent an hour in a closed room with six members of Congress: Rep. Lofgren, Rep. Sensenbrenner, Rep. Bobby Scott, Rep. Goodlatte, Rep. Mike Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren had asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn’t forthcoming about their activities, and they wanted me—as someone with access to the Snowden documents—to explain to them what the NSA was doing. Of course, I’m not going to give details on the meeting, except to say that it was candid and interesting. And that it’s extremely freaky that Congress has such a difficult time getting information out of the NSA that they have to ask me. I really want oversight to work better in this country.

Surreal part of setting up this meeting: I suggested that we hold this meeting in a SCIF, because they wanted me to talk about top secret documents that had not been made public. The problem is that I, as someone without a clearance, would not be allowed into the SCIF. So we had to have the meeting in a regular room.

EDITED TO ADD: This really was an extraordinary thing.

Posted on January 16, 2014 at 12:27 PM | 140 Comments


edpo January 16, 2014 12:50 PM

Thank you for doing that. And thank those representatives for seeking out information and listening, instead of buying the admin’s continuing lies about the programs.

Felix Gaeta January 16, 2014 12:51 PM

Thank you!

You probably don’t want to answer this question, but I’m curious anyway: How did the folks from congress react, can you already see a goal or path that they intend to follow on this issue?

Bruce Schneier January 16, 2014 12:51 PM

“Wonderful that it happened, but saddening that so few Reps were present.”

Rep. Lofgren purposely kept it small.

Matt January 16, 2014 12:59 PM

I’ve seen news articles that basically say that Obama isn’t planning substantial change to anything the NSA is doing. My comment has been that this is Congress’ job. Glad to hear that some of them are trying to do it!

Stuke January 16, 2014 1:21 PM

It is VERY disturbing that congress does not have information about the NSA’s activities, but a very good thing that Bruce was there to set them straight.

Fog Mountain January 16, 2014 1:31 PM

It’s worth pointing out that all of these representatives (assuming you mean Bennie Thompson of Mississippi or Glenn Thompson of Pennsylvania, and Bobby Scott of Virginia or Austin Scott of Georgia—there are three Rep. Thompsons and three Rep. Scotts) are cosponsors of Sensenbrenner’s “USA Freedom Act”. In other words, they are already on record as supporters of restricting the NSA’s surveillance powers. It’s good news that these members are interested enough in writing further legislation to listen to you, and particularly that they are interested in restraining the NSA’s monitoring of the internet—something existing proposals in Congress and the administration haven’t addressed so far to an even remotely adequate degree. But this meeting can’t be taken as a sign that Congress as a whole is showing a sufficient interest in restoring constitutional limits on surveillance or conducting effective oversight on intelligence agencies.

NobodySpecial January 16, 2014 1:32 PM

re: the SCIF
When I worked in a classified job there was a joke that we shouldn’t read Pravda because the Russians might publish something that we didn’t have clearance to know.

hjh54gbjhgb January 16, 2014 1:37 PM

Translation: Today I informed members of the department of government responsible for total government oversight what the government is doing, as someone with literally no internal knowledge or clearance..

If America is really a democracy what’s it say that the executive branch of government consists of people who have no qualifications to work in government? This isn’t anti-Obama either… G.W. Bush could barely do math or speak English and drove a car through a wall of a building while high on cocaine..

dafydd January 16, 2014 1:45 PM

Does legal provision exist for creating an empty SCIF? That is, a SCIF designed for people to bring in TS/SCI material in a secure way, share it with others within the SCIF, and then remove the materials in a secure way, so the SCIF is again empty when the meeting is over?

While I’m sure it’s physically possible to do this, I suspect a SCIF is defined by the secure information contained within it. Therefore, anyone entering must be cleared for that information. Which leads to situations like yours…

Dilbert January 16, 2014 1:47 PM


Before you disparage someone as being ignorant or uneducated, perhaps you should know a bit more about them.

Bush attended the Harvard Business School, where he earned a Master of Business Administration. He is the only U.S. President to have earned an M.B.A.

His manner of speech has led many to believe he was uneducated, and he wasn’t a stellar student, but I doubt you have an MBA.

Piper January 16, 2014 1:54 PM

I’ve never heard of a SCIF before now. What is the reasoning behind not allowing someone without clearance into a SCIF?

I can think of two. Perhaps you might learn things about how a SCIF is built that they want to keep secret. Or alternatively, they don’t want anything discussed inside the SCIF to come out of the SCIF in the head of someone without clearance.

Of course, explanation two is particularly perverse in this situation, as you are the one bringing in the forbidden knowledge in the first place. And not allowing you in results in the discussion taking place at a Starbucks instead.

Carlo Graziani January 16, 2014 2:02 PM


Without disagreeing that “this is Congress’ job”, I’d say that that job is so difficult and complex that the problem won’t be fixed soon, if ever, and in the meantime the rumors about the administration’s cosmetic reform plans still constitute catastrophic bad news.

The thing is, the policies of the Federal bureaucracy are influenced and set in proportion to the staff and budget of the various Departments and Agencies advocating those policies. This is a problem with respect to privacy and civil rights because almost all the institutions at the table with a say on such matters are the securocracies — Justice, the various law-enforcement agencies, the intelligence bureaucracy, Defense, the NSA. All of these very powerful institutions advocate non-stop for greater technical and legal surveillance power and for more powerful tools for legal compulsion to extract information and protect secrecy.

Perhaps this is as it should be — you could hardly expect the CIA to be tasked with making a case for protecting citizen rights. Some other institution at the table with a mandate to protect those rights should be doing that, so that the policies that emerge reflect some kind of balance. The trouble is, there is almost nobody in the Federal government who has both the mandate and the bureaucratic heft to swing that role. That’s the reason that the securocracies have been hampered only by technical limitations and whatever fig-leaf of self-policing they deign to institute.

“Almost nobody”: there is one major institution within the government that has both the mandate to protect citizen rights and has the power to balance the securocrats: the Office of the President. It is the President’s job to make sure that those rights are correctly balanced, that the intelligence and law-enforcement types don’t get everything they dream up. The President, as the only elected Constitutional officer in the Executive, is charged with protecting the rights established under the Constitution. That’s his job. You can tell he’s doing it if you see that the heads of the law-enforcement and intelligence bureaucracies are unhappy about limitations to their powers that they hate and complain about. Which is to say, at the moment, the President is not doing his job in this regard.

You would think that the first law professor elected President since Woodrow Wilson would understand this critical role, the nonfeasance of which is so damaging to our civil society. But in the case of Barack Obama, you would be wrong. The man’s inability to conceive of an actionable belief not arrived at by averaging the beliefs of those around him makes him eat out of the palms of the securocrats he should be frustrating, who are the only people he talks to about secrets and spying. It’s starting to look as if those people wrote his “reform” plan for him. I suppose that should have been expected, given his craven record in these matters.

Bruce Schneier January 16, 2014 2:04 PM

“I’ve never heard of a SCIF before now. What is the reasoning behind not allowing someone without clearance into a SCIF?”

My guess is that because I am untrusted, I might plant a bug in the SCIF. So it’s less that I’m not allowed in, and more that if I was allowed in they would have to re-SCIF the place.

Bruce Schneier January 16, 2014 2:05 PM

“It’s worth pointing out that all of these representatives (assuming you mean Bennie Thompson of Mississippi or Glenn Thompson of Pennsylvania, and Bobby Scott of Virginia or Austin Scott of Georgia—there are three Rep. Thompsons and three Rep. Scotts) are cosponsors of Sensenbrenner’s “USA Freedom Act”. In other words, they are already on record as supporters of restricting the NSA’s surveillance powers. ”

Bobby Scott and Mike Thompson.

And, yes, they are all people who want to rein in the NSA. I was speaking to allies.

Nick P January 16, 2014 2:06 PM

@ Dilbert

You quoted Wikipedia but left off all the important things that came before it:

“Bush attended Yale University… was a cheerleader and a member of the Delta Kappa Epsilon, being elected the fraternity’s president during his senior year. Bush also became a member of the Skull and Bones society as a senior… was a rugby union player… characterized himself as an average student. His average during his first three years at Yale was 77… similar average under a nonnumeric rating system in his final year.”

So, he was an average student, ran a frat, was in a secretive pro-elitism club, was a cheerleader, and played rough in sports. Each of these traits were clear in his presidency. The good financial, management and strategic skills of an MBA? Not so much.

JohnParry January 16, 2014 2:13 PM

Huh? If you have access to classified/stolen documents, you could be charged with several crimes.

John Gibson January 16, 2014 2:18 PM

I find your comment about access to a SCIF rather interesting. I tried for several years to gain employment to a company that would sponsor me for an SCI clearance, but it never panned out. But the security and intelligence subculture has always interested me. That said, I saw a recent episode of The Good Wife, where the defense attorneys requested a session with the judge in a SCIF, because the prosecutors had earlier had a session in a SCIF with the judge, etc, etc.

Clearly another case of Hollywood going off the rails for poetic license.

Though I’m now even more interested in SCIF rooms. Are there rules and regulations that discuss the storage of sensitive materials in a SCIF? or rather, the prohibition of keeping sensitive data/documents in a SCIF?
I had found a website once that talked about building a SCIF, but it was a little vague. One last question: Are there non-government / non-intelligence community entities that build SCIFs? I’m thinking about corporate counter-espionage. Thoughts?


z January 16, 2014 2:20 PM

@Carlo Graziani

I agree. The problem goes deeper though.

Our uninformed, risk-averse public means nobody in government has any incentive to do anything except make the surveillance state bigger, the government more powerful, and more opaque. If a Congressman successfully got a bill passed that removed the TSA security theatre, what happens when there’s an attack at an airport? He’s finished in politics forever, and so is everyone who voted for it, and possibly his party too. It makes no difference if the attack had anything to do with the changes in the TSA; they would be blamed regardless.

So what happens if the NSA’s surveillance capabilities are curtailed? The second an attack happens, irrespective of whether the NSA could have prevented it or not, the public will clamor for the government to “do more” to protect us, not knowing, caring, or understanding what “more” actually consists of. The people who called for the NSA to be curbed will be politically ruined, their parties will lose elections nationwide, and opponents will ram through more pointless, rights-infringing legislation.

We have a situation where common sense and rational thinking in government are punished, and extreme overreaction to events is necessary for political survival. That’s before you factor in the primary purpose of every government agency: perpetuating their own existence.

I expect the fallout of the Snowden leaks to be some window-dressing changes made to the NSA to satisfy the 5 second attention span of the public. Nothing will actually change, the public won’t care too much, and that will be the end of it.

Squark January 16, 2014 2:20 PM


Standard protocol would be to have you escorted at all times. It is not so unusual that someone without an SCI clearance would need access to a SCIF. That does strike me as interesting!

Tango January 16, 2014 2:23 PM

A SCIF is a secured facility, but there can be provisions for sanitizing it for non-cleared people. This happens any time things like contractors moving furniture in. Basically…. clean the place up, turn monitors off, and guard the stuff.

I say this as a former US Marine with TS/SCI (and a compartment that’s classified) that worked in the SCIF for awhile. Sanitizing is a pain in the butt, so they’re probably just lazy.

Russell Thomas January 16, 2014 2:31 PM

Surely this private meeting will be included in the up-coming movie of the NSA/Snowden affairs. Who will play Bruce S.??

Saul Tannenbaum January 16, 2014 2:41 PM

The SCIF paradox is like the weirdness that happened after Wikileaks, for example, the Library of Congress blocking the Wikileaks site because they were obligated to protect classified information, even if that information was available to the public.

StilleNacht January 16, 2014 3:00 PM

I doubt the SCIF denial was due to Bruce being uncleared. My thoughts for the denial is “What’s said in the SCIF, stays in the SCIF (or another SCIF)”.

By having the meeting in a more open meeting room, the Representatives can brief others who don’t possess clearances.

Bob S. January 16, 2014 3:01 PM

Re: “She said that the NSA wasn’t forthcoming about their activities…”

This is an important post because it addresses a commentary repeated a thousand or more times on the net:


Truth: NO, we did not.

The NSA and its many counterparts hide behind a curtain of secrecy and when cornered simply lie, deceive and manipulate.

No, we didn’t know and in many respects we still don’t know. We can only see the literal tip of the iceberg.

However, when Congress admits they “don’t know” right out loud it’s refreshing in a distressful way.

They should know. They are right to ask.

I hope they know now more than they did yesterday.

hjh54gbjhgb January 16, 2014 3:23 PM

@Dilbert: I’m just a computer engineer. Sorry I don’t apply basic algebra to pseudo-sciences like psychology and applied economics and use semantics to explain why everything fails as a result..

How’s that national debt? You ever looked at the increases during the Bush and Reagan offices compared to the evil Clinton and Obama offices? Math IS a science..

Moderator January 16, 2014 3:30 PM

hjh54gbjhgb, you were off topic to begin with and are now going even more off topic. Please have some consideration for people who actually want to discuss the subject of the post, and drop this. (That goes for everyone.)

Jason Richardson-White January 16, 2014 3:31 PM

Bruce, interesting.

I would have thought that they could get up to speed just by having staff read through what you have released on your blog, etc. So, either you were there to do a little hand-holding, so to speak, in making very clear what exactly has been happening (summarizing, etc.), or you were giving them additional information that you have not released to us (the general public) yet. Perhaps you were even summarizing the materials that have yet to be released. So, essentially, that would make you a covert (not-so-covert, due to the missing SCIF) channel from the Snowden materials to (certain members of) Congress. However, since you may well have plans to release, co-release the materials with other Snowden-material recipients, perhaps it’s just advancing the cause a bit faster.

At any rate, I for one am happy to have you representing those of us who are, at the least, very concerned with the NSA’s role and want to see oversight restored & improved.


Benni January 16, 2014 3:33 PM

@Bruce: It’s good that you do this. It seems that the NSA is out of democratic control.

By the way, one question:
As you have read more of the Snowden documents:
Have you found any links to industrial espionage? I mean, is there anything that indicates the NSA spies on industrial companies and that the NSA then gives American companies that information?

Why does the NSA, for example, have a European cryptologic center in Darmstadt? I mean, sometimes, I just believe the NSA guys are a bit paranoid since 9/11 and are searching for terrorists among each of us. But then, this does not make much sense. Most terrorists are probably not based in Europe. Also, e.g. the embassy of the European Commission is not a place to find terrorists.
We know that the NSA is spying on politicians who might be of economical importance.

But then, who are the clients of the NSA? Are the ones that receive this information really only members of the US government?

Or does the NSA also tell General Motors about the new cars that are currently designed by BMW, Daimler-Benz, and Volkswagen in Germany?

Such a thing would perhaps make it much easier for NSA to introduce backdoors into US products.

A company that is promised by the NSA to get the newest classified information on its competitors is perhaps more willing to create, e.g. an NSA_KEY into an operating system.

Is there anything in the slides that indicates such behavior of the NSA?

pfogg January 16, 2014 3:40 PM

Bringing in an outside expert who is unaffiliated to the organization that Congress may potentially want to limit or restrain avoids an obvious conflict of interest that would be present when asking for a briefing from NSA directors or employees.

The only disturbing thing is the statement “This really was an extraordinary thing.” It should be SOP in this kind of review.

jig January 16, 2014 3:43 PM

I think the SCIFs are administered by the same people who probably aren’t all that happy to facilitate a meeting between publicly adverse congressmen and a vocal information security expert with valuable insight on the Snowden information. Bluntly: if there was an easy way to make the meeting happen in an SCIF, it’s doubtful that easy way was made available.

Secondarily, my understanding is that SCIFs actively discourage eavesdropping by any technical means. I’m on the fence as to whether an SCIF would or wouldn’t be automatically monitored by [acronym] in current practice, but assuming that [acronym] actually desire conversations without record, and SCIFs provide such, then the follow up reason not to make an SCIF available is that someone wanted (and had the ability) to record what was said in the room that eventually was made available.

Petter January 16, 2014 4:01 PM


I’m pretty sure NSA is feeding US corporations information some way or another.
They have been doing this before. Back in the days NSA helped Boeing to stop Airbus from expanding into the Saudi market. They did the same against other European companies as well as Toyota etc.

Usually NSA/CIA et al. play the act of “whistleblowers” when they see a non-US company doing (grey) business on the side and are in making of getting some big order.

So yes – this is big business.
My guess is that it’s as much in the hunt for terrorists as it is to gain market shares in the private sector.

3kjnf3kjfn3kfjn January 16, 2014 4:03 PM

So basically you met with around 1.3% of a group of people who can’t agree almost 100% of the time?

Daniel Murfet January 16, 2014 4:03 PM

Thanks for making these efforts, and writing about them. I’m curious why the focus is still on Section 215 and phone metadata, and not on the wider collection of Internet communications, such as the Gmail user data you refer to in your post of Jan 13?

In Tuesday’s senate judiciary committee testimony of the President’s review group, the wider collection was not referred to once that I noticed (with the exception of a very brief comment by Richard Clarke about 12333).

Do you understand why these programs are not on the radar for reform? Are the members of Congress you talked to aware of these programs?

Jason Richardson-White January 16, 2014 4:06 PM

It’s worth mentioning that the security risks to (1) the Snowden materials but moreso to (2) Snowden himself increase as the amount of materials released increases.

For instance, suppose that Snowden’s life is indeed being safeguarded by a “doomsday” cache of documents. As the materials are released, if the government decides that the “worst” (in some sense) materials to which Snowden might have had access have been disclosed, then the gov’t might feel that it is okay to make an attempt to secure Snowden. Of course, this might mean diplomatic pressure rather than some kind of covert op (in Moscow, no less). At this point, the proliferation of people involved has escalated to the point that the security of the operation is becoming less tenable — Greenwald, his partner, his associate in film (I’ve forgotten her name), some material at the Post, perhaps some with Wikileaks, now Bruce… who else has pieces of the material? If we assume (as we should) that the NSA is continuously monitoring the entire set of all materials released by everyone who has had some access, and further that it has access (perhaps in real time) to all the unencrypted communiques among these various actors, then the danger is not inconsiderable.

Just a thought.


Nick P January 16, 2014 4:17 PM

@ John Gibson

Here is a manual on various aspects of SCIF’s with plenty of references included.

@ everyone

I also wonder if they even want someone like Bruce in a SCIF. He’s actively soliciting ways to stop NSA snooping on his blog. I’ve already promoted SCIF’s here as a way to do it. Bruce is also notable for finding flaws in government security and publishing the NSA exploit list. Knowing their mindset, I doubt they want him anywhere near SCIF or COMSEC equipment.

I’m not saying that I think it’s the reason for the denial. I just wouldn’t be surprised if they got paranoid.

NobodySpecial January 16, 2014 4:31 PM

Or does the NSA also tell general motors about the new cars that are currently designed by BMW, Daimler-Benz, and Volkswagen in germany?

Current evidence on the roads suggests not.

There was a conviction (in absence) of the US in France for a case where US/UK spying led to a French company losing a radar deal to a US competitor.

jones January 16, 2014 4:33 PM

Pulitzer-Prize winning journalist Garry Wills argues in “A Necessary Evil” that government oversight is fundamentally incompatible with government efficiency.

The idea is that you can’t be efficient if you have to justify your actions at every step.

He notes there’s a chance that a large part of the American public may have historically objected to the Manhattan Project on moral grounds, citing public reaction to chemical warfare in World War I. The way the Manhattan project was run was very efficient — time was of the essence — but totally unaccountable.

This is part and parcel of the state secrets privilege — its purpose is to avoid oversight. The origin of this privilege is judicial, not legislative, and relates to withholding public knowledge of military negligence in the testing of an experimental airplane.

The Germans and the Soviets knew we were building the bomb — it was just the American public that was kept in the dark. The Cambodians knew we were bombing them, but it was from the American people that these actions were kept secret. Castro knew we were trying to invade it, but it was kept secret from Americans. Terrorists in the Middle East know where we’re using drones, it’s the American people who are kept in the dark.

Right now, half the voting public wants to cut government spending because they want more efficiency, but they’re really just reducing oversight.

Even if Congress had control of the NSA, there’s not political will for the costs associated with additional oversight.

Shunra January 16, 2014 4:35 PM

The SCIF/clearance issue effectively highlights the paradox at the heart of attempting to codify the foundations of trust: do they REALLY think Bruce is about to bug the SCIF? If he’s inclined to do so, he’d be much more likely to lie in the briefing (making it useless) or make up some sort of movie-lot exploit on the spot.

It feels like the U.S. authorities are in the throes of a fit of paranoia.

Christian January 16, 2014 4:36 PM


“I’ve never heard of a SCIF before now. What is the reasoning behind not allowing someone without clearance into a SCIF?”

My guess is that because I am untrusted, I might plant a bug in the SCIF.

It’s funny to consider yourself untrusted, because clearly these representatives trust you more than the NSA. Otherwise they might have simply given up. (“Oh, NSA isn’t cooperating… how about lunch?”)

Benni January 16, 2014 4:51 PM

“I’m pretty sure NSA is feeding US corporations information some way or another.”

Well, I also assume this. My question was whether there is proof of this in the Snowden documents.

Up to now, we only have seen some techniques to spy, and we have seen reports how much data is gathered. We also have some targets, e.g. the European embassy, a German chancellor…

A direct proof that all this is used for industrial espionage would be important.

Not only would it severely weaken the case of politicians telling us that this spy program is all just because of war against terror.

It would also be important for industry to know, e.g. which European companies the NSA is spying on and to which US corporations the NSA has given classified information.

Such a thing was, until now, not published from the Snowden files. Is there such a proof in these files?

DanT January 16, 2014 4:52 PM

Re: “She said that the NSA wasn’t forthcoming about their activities…”

Are any of those members of Congress members of the intelligence oversight committee, which are appointed by their leadership? Gee, maybe this has something to do with the fact that the NSA isn’t running over to brief them. Did Dianne Feinstein ask you for a briefing? I don’t think she is having any trouble whatsoever getting info from the NSA on their activities.

Bauke Jan Douma January 16, 2014 4:58 PM

We want more details of what it is like to deal with some real dumb schmucks that have power, but are clueless enough to not know how to use it properly for the task they have been chosen to perform.

Joseph A. Sprute January 16, 2014 5:07 PM

Oversight has little concentrated power to effect beneficial change if there is in fact no true plan for what public data use represents in terms of evolutionary (graceful) steps that aid the representative ecologic balance concerning humanity.

StilleNacht January 16, 2014 5:15 PM

It also strikes me–considering the committees and leadership represented in Bruce’s briefing–the SCIF denial may be a political jab at the IC. A “if you don’t tell the oversight committees in private, we’ll make it ‘public’ ” bit, or along those lines.

Petter January 16, 2014 5:16 PM

@ Benni

Well, that’s an interesting thought.
As we can not know how many documents Snowden came across and got his hands on, it’s difficult to know how much of the total amount he actually has released yet. And how much Mr. Greenwald is sitting on.

I can not see that it is in anyone’s interest to tell the truth on the exact amount.

anonymous coward January 16, 2014 5:36 PM

If those House members have clearance – and we know they must – then they have just willingly committed several security violations by a) discussing information they are not cleared for, b) discussing it with somebody who is not cleared, and c) opening it in an insecure space. Just because it’s been leaked does not mean it’s UNCLAS. They would be in deep trouble if they were not immune from the rules.

Of course they are “immune” from even knowing about this information anyway, so there is that.

And Bruce would be in deep kimchi too. If the rules were being followed. But IANAL.

@John Gibson: There is a group of contractors in the DC area that specialize in building SCIFs. There are others scattered around the country as well.

Rich January 16, 2014 5:43 PM

Bruce, do you anticipate possibly having any similar meetings with any members of the Senate? I’m thinking specifically of Ron Wyden (OR) and/or Mark Udall (CO), who have been aggressive about uncovering more of the NSA’s actions.

Bruce Clement January 16, 2014 6:22 PM

@Jason Richardson-White “I would have thought that they could get up to speed just by having staff read through what you have released on your blog, etc”

This assumes that they have staff who have the necessary training and background knowledge to analyse this.

I would assume that any congressperson would have a limited budget for staff and that budget would be taken up hiring people to carry out the congressperson’s normal business. The Snowden leaks are atypical.

Asking the NSA or CIA for analysis in these circumstances would be counterproductive.

Doug Coulter January 16, 2014 7:04 PM

Industrial espionage? Petrobras, it was all over the news for the usual soundbite couple seconds. NSA told some oil companies which of the leases for sale had oil under them.
Brazil was (and still is) really pissed, since normally, the deal is you sell all the leases, and a few buyers get lucky, but the seller always gets good prices for all of them. With the info given out – only some brought a good price for Brazil.

Darren January 16, 2014 7:05 PM

Let us hope this meeting wasn’t just a ploy to try to gain knowledge about the documents Snowden took.

G46n January 16, 2014 7:10 PM

Having worked in SCIFs for many years…

Bruce not having clearance is bunk. I’m quite certain that there are many SCIF accredited rooms available with nothing in them except a meeting table and chairs. Even if this were not the case, there were many, many times that outside contractors with only secret or less clearances had to have access to install or fix things. We gave regular Secret level briefs inside the SCIFs, all that was required was the SCI material be locked up in the safes and the workspaces be clear of any sensitive material.

More likely is that the Congressmen didn’t want it in a SCIF because that would mean explaining to the Security Officer what they wanted to do, which would have been denied.


Secret Police January 16, 2014 7:45 PM

You can buy SCIF tents online, lots of R&D corps use them now to avoid industrial espionage.

At least somebody in your congress cares about preventing Totalitarianism level spying even if it’s just 1%. I’m in a 5 eyes alliance country doing the exact same thing as the NSA and none of our feeble technocrats could care less.

Skeptical January 16, 2014 9:14 PM

It also strikes me–considering the committees and leadership represented in Bruce’s briefing–the SCIF denial may be a political jab at the IC. A “if you don’t tell the oversight committees in private, we’ll make it ‘public’ ” bit, or along those lines.

None of those Reps is on the House Permanent Select Committee on Intelligence. They don’t know everything that the IC discloses to the Committee; they’re not supposed to know. The idea behind limiting certain disclosure to the Congressional Intelligence Oversight Committees is that secret information disclosed to 535 Members of Congress, plus their staff, will not long be secret. By allowing the Committees access, legislative oversight is enabled without compromising the efficacy of the IC.

Surreal part of setting up this meeting: I suggested that we hold this meeting in a SCIF, because they wanted me to talk about top secret documents that had not been made public.

Your heart is in the right place Bruce, but careful – that they have TS clearance doesn’t mean that they’re cleared for the particular information in any of those documents. In fact they’re almost certainly not.

David January 16, 2014 9:14 PM

A quick Google search for this (“schneier briefs congress”) shows that the story is getting some traction–mostly blog posts and summaries linking right back here.

Although I’m curious as hell about the rest of the Snowden documents and the meeting itself, I think there will be some really interesting things to learn about the way this particular event does or does not propagate–not just the facts (“The Bruce” gave insight to some Representatives), but the reactions, follow ups, and re-tellings.

In signal analysis, you can theoretically learn everything you need about a black box system by hitting it with an impulse–a short hard ping. The outputs tell you everything you need to know about the way inputs are handled.

Snowden was one such ping (a big one, and we’re probably going to see the reverberations for a good while longer), and I think @Bruce just delivered another one. How the “system” (people, politics, and reporting) reacts should be pretty enlightening.

Eli Katz January 16, 2014 9:53 PM


SCIF is primarily used in a military context but not restricted to it. If you’re in a faraday cage with tight ACLs and good governance then you are in a SCIF.

Grand Theft Universe January 16, 2014 11:06 PM

@David “In signal analysis, you can theoretically learn everything you need about a black box system by hitting it with an impulse–a short hard ping. …”

Since people are goal-directed and stateful (memories of a lifetime), their response to a stimulus is fundamentally not analogous to the behavior of a mechanical or electrical system under stimulus. In other words, both efficient and final causation apply to people.

More generally, there is an implicit equivocation built into systems theory methodology, where groups or assemblages are taken as primary, with elements regarded as secondary or derivative from the whole.

Reality is composed of particular individual things which have a definite nature.

The black box approach evades the natural identity of things, resulting in a systematic dropping of context.

glasnost January 16, 2014 11:18 PM

“If those House members have clearance – and we know they must – then they have just willingly committed several security violations by a) discussing information they are not cleared for, b) discussing it with somebody who is not cleared, and c) opening it in an insecure space.”

This is both technically true, according to the current system, and also willful insanity. Congress is sovereign. In any remotely sane system, they not only have access to any and all classified information – all of them have access to all of it – but even the idea that any congressman could be denied, or not automatically granted access, to anything would be gibberish. Furthermore, the idea of meaningful restrictions on what Congress is allowed to discuss is nuts.

It’s as if Congress passed a law allocating the right to submit legislation or pass it to only two members. They passed a law to render themselves incompetent to govern, giving unelected bureaucrats control over what they know. It’s fundamentally insane.

And they could change it any time.

Anonymus Coward January 16, 2014 11:59 PM

I’m sorry if I got that wrong, but you gave them info about upcoming releases by the press in a possibly unsafe environment?

Nick P January 17, 2014 12:03 AM

@ glasnost

You might find this interesting:

Additionally, I keep pointing out that the SAP rules that block most of Congress are a risk for the public too. See “Groups of compartmented information.”

The unacknowledged and waived requirements are particularly risky. There are literally billions of dollars in SAP’s. The NSA accomplished its subversions with hundreds of millions [which might have been SAP’s too]. So much money flowing into mostly unaccountable programs by powerful groups can lead to problems for democracy.

Also, with the policies of “need to know” and “ownership of classified information” embedded into laws of handling it, it might conceivably be legal along some grey area to deny Congress access to some classified information. The system is currently spread over enough laws, agencies and rulings that people hiding stuff would have plausible deniability in that they had their hands tied by red tape & legal risk rather than trying to hide criminal activity.

All of this is why I previously posted here that classification laws are a huge part of the problem. We must fix them before accountability measures can even work. Congress probably should fix the classification laws as they’re enacting the oversight/accountability laws. Developing them together should help catch inconsistencies.

StilleNacht January 17, 2014 12:24 AM

None of those Reps is on the House Permanent Select Committee on Intelligence.

Incorrect. Rep. Mike Thompson is.

Also, at least four of the Representatives are on the House Judiciary Committee, including the Committee Chairman (Goodlatte), and the Chairman (Sensenbrenner) and Ranking Member (Scott) of the Judiciary’s Subcommittee on Crime, Terrorism and Homeland Security. This Committee has oversight of the Departments of Justice and Homeland Security, as well as “terrorism”.

Back on target, it is a possibility the SCIF-denial was due (at least in part) to politics. It is DC after all. Or maybe that had nothing to do with the decision. Like most of the comments here, it’s speculation.

z January 17, 2014 12:36 AM

@Milo M

No tech backgrounds, but fortunately they appear to have the common sense to find someone who does have one and isn’t part of the Executive branch. That’s critical, because typically when Congress wants a technical analysis of an issue like this they ask the NSA (or Cyber Command, or any other gov agency with expertise) to explain it to them. In this case, they can’t.

I would like to see a committee of civilian security experts testify before Congress on these issues for that reason. We can’t have just the NSA explaining what the NSA does to the people who decide if they get to keep doing it, especially when those people don’t have the technical background to know if they’re being told the whole story or not.

suomynonA January 17, 2014 1:47 AM

With regards to the details Mr. Snowden releases of his documents.

It would be more than wise for him to privately inform the upper crust of politicians and executive agencies specifically of examples highly damaging to them, to deter physical interdiction.

It would be logical to conclude based on Mr. Snowden’s actions that his operation has taken into consideration all relevant scenarios in a professional manner. He appears to be self educated, thoroughly.

Clive Robinson January 17, 2014 2:05 AM

@ Bruce and others,

    My guess is that because I am untrusted, I might plant a bug in the SCIF. So it’s less that I’m not allowed in, and more that if I was allowed in they would have to re-SCIF the place.

Close but no “Banana glee” (if you will forgive the little joke)

What you have just seen may have been due to another issue starting to raise its head, and it’s the tip of a very large iceberg that is being created by the US medical insurance industry. It recently came up with regards a well hated member of the US political class when they had their pace-maker modified and was probably misattributed by journalists to being to stop a “Movie plot” terrorist attack.

The problem is implanted/embedded and similar medical electronics. They are already causing problems with lie-detectors which is not going to go away and may result in people unjustly losing their livelihood.

But importantly for SCIF’s they are not nor are they ever likely to be TEMPEST/EmSec approved. The basic requirement for SCIF’s is “no electronics unless EmSec approved”.

So you have to consider “The bug within” as a security vector.

I won’t go into details as to how even a standard unmodified pacemaker can be turned into a form of bug; it’s been discussed on this blog before.

The “take away” point is a discussion on implanted medical electronics and the security issues that surround them is long overdue for reasoned discussion.

Another non security (except for the individual) aspect is why the US Med Insurance industry is pushing pace-makers and the like into people when in quite a few cases there is a lack of identified need. There are other occupations where having an implanted medical electronics device is considered a risk sufficient to bar employment.

Sweviking January 17, 2014 2:45 AM

Thanks for standing up for the world!

This calls for a new Schneier fact and T-shirt print 🙂

Adjuvant January 17, 2014 3:05 AM

@glasnost, Nick P, et al.:

I’m going to continue in a very US-centric vein here, so apologies in advance to foreign readers.
This discussion reminds me of a point I brought up earlier regarding laws which are kept secret from our legislators. The most egregious example of this phenomenon I have found is the fact that some unknown subset of the Continuity of Government provisions enacted on September 11, 2001 (and more formally two days later) continues in effect to this day, and the State of Emergency under which this nation has been governed has been quietly renewed every year since. Not once in 12 years has there been a review of this State of Emergency by the Congress, as mandated by 50 USC § 1622(b).

I also previously reproduced Congressman DeFazio’s indignant speech on this issue, after both he and the chairman of the Homeland Security Committee on which he sits were denied access to the details of these programs on the grounds that they lacked the clearances.

Presumably 50 USC § 1622 is no longer operative, having been overruled by some supervening regulation, some “higher” secret “law.” Any attempts by members of Congress to ascertain how this might be possible have met with no success. The secret secret is secret, you see. According to Prof. Peter Dale Scott (Ph. D Poli Sci, McGill; former Canadian diplomat; Prof. Emeritus of English, UC Berkeley) who has researched this issue,

“Former Congressman Dan Hamburg and I appealed publicly in 2009, both to President Obama to terminate the emergency, and to Congress to hold the hearings required of them by statute.[47] But Obama, without discussion, extended the 9/11 Emergency again on September 10, 2009,[48] and again a year later.[49] Meanwhile Congress has continued to ignore its statutory obligations.

One Congressman explained to a constituent that the provisions of the National Emergencies Act have now been rendered inoperative by COG. If true, this would indicate that the constitutional system of checks and balances no longer applies, and also that secret decrees now override public legislation as the law of the land.

I still maintain that the Continuity of Government provisions represent, as I stated earlier, “the [extra-]constitutional nest from which this army of legal cockroaches proceeds.” Consider their provenance. This time I will quote Project Censored’s summary at length on this point (emphases mine):

In July 1987, during the Iran-Contra Hearings grilling of Oliver North, the American public got a glimpse of “highly sensitive” emergency planning North had been involved in. Ostensibly these were emergency plans to suspend the American constitution in the event of a nuclear attack.

Oliver North was involved with the Federal Emergency Management Agency (FEMA) in plans to take over federal, state and local functions during a national emergency. This planning for ‘Continuity of Government’ (COG) called for ‘suspension of the Constitution, turning control of the government over to the Federal Emergency Management Agency, emergency appointment of military commanders to run state and local governments and declaration of martial law.’ Two of the key COG planners on the secret committee were Dick Cheney and Donald Rumsfeld, the two men who implemented COG under 9/11.

In other words extraordinary emergency measures, originally designed for an America devastated in a nuclear attack, are now to be applied to anything the White House considered an emergency. Cheney and Rumsfeld continued their secret planning when Clinton was president; both men, both Republicans, were heads of major corporations and not even in the government at that time.

What few have recognized is that, nearly a decade later, some aspects of COG remain in effect. COG plans are still authorized by a proclamation of emergency that has been extended each year by presidential authority, most recently by President Obama in September 2009. COG plans are also the probable source for the 1000-page Patriot Act presented to Congress five days after 9/11, and also for the Department of Homeland Security’s Project Endgame — a ten-year plan, initiated in September 2001, to expand detention camps, at a cost of $400 million in Fiscal Year 2007 alone.”

Project Censored goes on to mention 50 USC § 1622 and its mysterious non-application.

In the hopes of retaining the interest of this readership, allow me to take this discussion on a slightly different tack.

This blog has often hosted discussions on subversion of hardware, down to the level of the silicon. It is possible to insert backdoors which are ineradicable and capable of calling forth all manner of higher-level exploits, subverting firmware. I believe what we are witnessing here with Continuity of Government provisions is directly analogous: the backdooring of a national legal system at the [sub-]Constitutional level, using a mechanism originally meant to take effect in the most extreme existential emergency but reworked for nefarious purposes (a sort of legal JTAG header, if you will), and the wholesale suborning of the national legal framework thereby from the firmware (Constitution) up.

I have referred to this previously as a problem of “parallel constitutionalism”: we have our system of public laws, and we have the secret “laws” and interpretations which have in many cases superseded them. We are unable to directly observe this body of secret “laws” because it is, of course, secret (closed-source and obfuscated and/or encrypted code, to continue our analogy).

This duality has made itself manifest in a wide assortment of practical (legal) particulars, as one would expect in a compromised (legal) system. Addressing any of these particular manifestations individually will, of course, fail to reverse the overall system compromise if, as I hypothesize, they proceed (in whole or in part) from a subversive, alternative, and secret quasi-Constitution (reflashed BIOS/firmware) which has been enabled by the subversion of lower-level components (the silicon-level backdoor or JTAG header of our analogy — or the need for a plan for Continuity of Government in the face of nuclear Armageddon in fact).

If we are to make any sense of the secret laws (persistent and recurring infections of advanced, obfuscated and encrypted malware), we must first make sense of the subverted legal framework (hardware and firmware) within which they operate. To disinfect the system and neutralize the Advanced Persistent (Constitutional) Threat, we must attempt to find and neutralize the [sub-]Constitutional-level (silicon) backdoor, then restore the original [Constitutional] firmware. For this to be done, the coders (legislators) must, at a start, be able to understand the silicon backdoor (Continuity of Government) and, ideally, decrypt or reverse-engineer the subverted firmware (Constitutional and pseudo-Constitutional law).

I am not the first, by any means, to draw the analogy between law and code (a hat tip, above all, to Stallman and Lessig on that point). I hope that my extended analogy, unwieldy and imperfect as it is, will be found helpful. It’s meant only as a brief and extemporaneous sketch, but perhaps it may serve as a starting point for further discussion.

Ben F January 17, 2014 4:03 AM

Well, here’s another issue, Bruce; do you trust the representatives?

Maybe they actually knew more than they let on, or were trying to figure out what else you already know about the leaks…

I wouldn’t bet on that, though. Presumably, you did your own verification of them.

dermot January 17, 2014 4:11 AM

With luck, Bruce, you’ll also be asked to brief some Parliamentarians on what GCHQ is doing….

65535 January 17, 2014 4:21 AM

Good Job!

“…Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn’t forthcoming about their activities…” -Bruce S.

That is an understatement. She probably didn’t like the “least untruthful” statement (well rehearsed lie) from the NSA.

Anonymous Coward January 17, 2014 4:59 AM

I only have two remarks / questions:

1) What can you talk about in only one hour? The number of topics is staggering.

2) Shouldn’t it be better to talk with “the enemies” instead of “the allies”?

Skeptical January 17, 2014 6:03 AM

Stillenacht, Representative Mike Thompson (is not a co-sponsor of Sensenbrenner’s bill) wasn’t one of the Representatives who attended. Bruce is referring to another Thompson.

So none of them sits on an intelligence oversight committee. The intelligence oversight committees were specifically designed and designated by law, i.e. by Congress itself, to receive certain disclosures from the IC and to conduct oversight of the IC.

I’m sure Bruce consulted an attorney before doing this – there are some excellent attorneys working for the EFF – though his risk of liability here is very low (though I have no idea whether there is a private CA/NDA at issue). The Representatives may be at some risk of censure for encouraging and allowing the exposure of classified material to persons not cleared for it and in an unsuitable environment, but I doubt anyone wants to rock the boat at this point (although this is Congress, so God only knows).

Industrial espionage? Petrobras, it was all over the news for the usual soundbite couple seconds. NSA told some oil companies which of the leases for sale had oil under them.
Brazil was (and still is) really pissed, since normally, the deal is you sell all the leases, and a few buyers get lucky, but the seller always gets good prices for all of them. With the info given out – only some brought a good price for Brazil.

Nope. There was only one bid – at the minimum eligible amount – by a consortium of Petrobras, Shell, Total, and CNOOC. See, e.g. The Economist: Brazil’s Oil Auction

Interest in the pre-sal oil off Rio was high six years ago, when this was first announced, before shale fracking accelerated in the United States and elsewhere. Since then, private interest in the Brazilian fields, which are technically difficult to access, has evaporated. US companies didn’t bid.

Nothing to do with the NSA.

As to why the NSA would look at Petrobras, the answer is at least two-fold. First, Petrobras is a major state-owned company, and Brazil is economically and fiscally fragile in many ways. Analysts assessing different political scenarios in Brazil need economic analysis and analysis of the Brazilian government’s likely fiscal resources. Petrobras can affect both of those things. Second, because of how cozy state owned enterprises are with states, there are likely politically influential figures in Petrobras who would be of interest from a foreign intelligence perspective.

The US Government has very consistently, over the course of decades, and without ever being contradicted by any evidence, adamantly refused to engage in commercial espionage, i.e. the use of espionage to obtain information which is then given to a firm in order to benefit that firm commercially. A policy change was debated after the end of the Cold War, during the End of History nonsense (interesting nonsense though!), with some arguing that the US should engage in commercial espionage given how many other states were. But the answer was no, although I suspect that this is as much because the IC doesn’t like the idea of risking officers and resources to enrich a CEO as it is because major businesses in the US are heavily multinational.

It is for that reason that Western businesses are in reality less concerned about the NSA than you might think, at least from an intellectual property (IP) perspective. The big APTs from an IP perspective are, at the nation-state level, China and Russia. 🙂 They don’t get as much press these days, though.

Adjuvant January 17, 2014 6:24 AM


The US Government has very consistently, over the course of decades, and without ever being contradicted by any evidence, adamantly refused to engage in commercial espionage, i.e. the use of espionage to obtain information which is then given to a firm in order to benefit that firm commercially.

I gather, then, that Section 10.7 of the European Parliament’s Final Report on ECHELON is merely a list of misunderstandings and fabrications?

gawaine January 17, 2014 8:51 AM

Uncleared people can absolutely be in SCIFs. At one that I’m familiar with, they have a red blinkenlight that goes on when there’s an uncleared person in there. Do you think the fire marshal, the coffee machine repair guy, and the furniture movers have TS/SCI clearances? Not likely. They’re just escorted by someone who does. (Most boring job ever).

The catch-22 is that, if they’re in a SCIF, no one can talk about classified stuff where they can hear it.

So, if you make the statement that you need to be in a SCIF to talk about something, then the follow-up is that you can’t be there while they talk about it.

The right answer is to have someone sponsor you for a clearance.

StilleNacht January 17, 2014 8:57 AM


Bruce stated above it was Mike Thompson. (And thanks for that clarification Bruce.)

Judicial has oversight over terrorism and homeland security.

Rep. Amash sits on the Committee for Oversight and Government Reform, and its Subcommittee for National Security, Homeland Defense and Foreign Operations. The Subcommittee’s oversight jurisdiction is:

The Subcommittee on National Security, Homeland Defense and Foreign Operations – Oversight jurisdiction over national security, homeland security, foreign operations, immigration, and emergency management;

(from here).

Tarzie January 17, 2014 9:20 AM

“Of course I’m not going to give details on the meeting”

Oh, mercy no. By all means, you and the keepers of the leaks know best. The people have no right to this information. This problem will be solved via secret meetings with the government that created the problem.

Let us all know when you’re done! In the meantime keep us fascinated by telling us shit we already more or less know and patting yourselves on the back for it.

Michael January 17, 2014 9:43 AM

Back in my youth, we referred to a SCIF as a “Cone of Silence”. They were notoriously unreliable.

Sorry to make light of a very serious subject. I hope that Congress will, against all odds, do the right thing, and that if they don’t, the people will replace them with legislatures who will. Again, probably against all odds…

Skeptical January 17, 2014 9:58 AM

Stillenacht, right you are re Mike Thompson. That was my mistake. One of the Members briefed does sit on the House Permanent Select Committee on Intelligence. But only one. The Subcommittee on National Security, on which Amash sits, last held a hearing on August 2nd, as best I can tell, entitled Missing Weapons at the National Park Service: Mismanagement and Lack of Accountability. Its function is nothing like the actual intelligence oversight committees in the House and Senate.

Adjuvant, ah, that old chestnut. The EU report (which I believe was compiled by a journalist for the committee creating the report) contains zero events in which the NSA or CIA participated in commercial espionage.

The EU report primarily notes events where the US Government detected, and told a foreign government, of bribery by various European companies, such as Airbus in Saudi Arabia. US companies are forbidden by law from attempting to bribe foreign officials, and it is a law enforced aggressively by the Justice Department. Of course, for some time certain European countries allowed their companies to do so, and were presumably annoyed when expensive bribery schemes were exposed. I think some higher officials at the CIA at the time found some of the protests quite amusing.

Other than cases where the US reported on bribery, there are incidents reported where the US detected and reported commercial espionage by other entities, and where the US conducted espionage in the course of negotiating treaties between itself and other governments.

None of those constitute commercial espionage.

Then there is Enercon. A US company sued Enercon for infringing on its patents for a windmill generator design, resulting in a ban in the US on some of Enercon’s products until 2010. Enercon claimed in defense that the NSA had stolen its secret windmill generator designs and given them to the US company. Problematically, Enercon failed to fact-check before telling this fantastic story – the US company registered the patents three years before the alleged espionage occurred. Nonetheless, it was dumped into the EU report.

So, zero incidents of commercial espionage. This despite Congressional investigations, tons of leaks on all kinds of activities within the Intelligence Community, plenty of espionage by foreign nations in good positions to reveal commercial espionage by the US, and, of course, the latest “independent audit” by Snowden.

Is it possible that there’s commercial espionage which we somehow have never heard about? It’s possible. But I would have expected that to be one of the very first stories reported by Greenwald et al, as it would be a huge scandal.

Bruce Schneier January 17, 2014 10:02 AM

“Bruce, do you anticipate possibly having any similar meetings with any members of the Senate? I’m thinking specifically of Ron Wyden (OR) and/or Mark Udall (CO), who have been aggressive about uncovering more of the NSA’s actions.”

If I’m invited, of course I will meet with them.

Marcos El Malo January 17, 2014 10:39 AM


I’m surprised that these secure rooms aren’t “re-scif-ed” on a regular basis as SOP.

ANON January 17, 2014 11:16 AM

So who are you and what have you done? Not jack you have been the dog to congress whee. You have seen docs that you will not tell, covering for the nsa? Where are all of these snowmen docs? I have seen none of them, so what I am being told is true? the papers are not censoring. The F in truth is u me and all of us are F d There will be no oversight. Let them come out and say we have stopped spying. Yep and you’ll believe it.

You sir are a toad in the works, go lick some more boots!

parser January 17, 2014 11:30 AM


“My guess is that because I am untrusted, I might plant a bug in the SCIF. So it’s less that I’m not allowed in, and more that if I was allowed in they would have to re-SCIF the place.”

Solution: Appear in the nude (following a quick frisk)! ha, ha

dec33var January 17, 2014 11:37 AM

There’s a lot of discussion regarding SCIFs here, and just wanted to provide my $0.02.

First, I applaud Bruce for attempting to hold these discussions in a SCIF. A SCIF obviously is not just about personnel security, but also physical security, compromising emanations / TEMPEST, etc. Knowing that the content of the discussion included information which could potentially cause grave danger to the national security of the US (the definition of TS-classified information), Bruce attempted to protect inadvertent disclosure of this information to outside parties, and a logical place to do this is in a SCIF.

As for clearances, SCIFs are frequented by uncleared personnel all the time. A SCIF’s contents need periodic maintenance; plumbing, electrical, furniture, even co-located (unclassified) PCs and telecom equipment are often serviced by uncleared maintenance personnel, who are closely escorted by cleared individuals who are aware of what to protect in a particular SCIF (whether there’s open or closed storage, etc.). There are NIST 800-53 requirements specifically relating to maintenance conducted by uncleared personnel.

The interesting paradox here is that, while I feel the correct approach was to hold this briefing in a SCIF, the conversation would have been one-way with Bruce doing the talking. If any other cleared person were to confirm, correct or otherwise comment on Bruce’s advisement, that would have been considered inadvertent disclosure of classified information (“Title 18 inadvertent disclosure”).

Perhaps an alternative option would have been to hold these conversations in a TSWA. TSWAs meet physical security requirements (or the residual risk is accepted by their accreditors), and are considered SCIFs for the short duration they are needed. If there’s a significant concern that a rogue device, such as a bug could be planted, a TSCM sweep could be conducted to provide the necessary assurances that the area was in fact sanitized after the briefing. TSWAs aren’t allowed anymore, but some legacy conference rooms and auditoriums still have TSWA physical accreditations.

I state these opinions as one who has had a TS clearance and SCI compartmented accesses for over a decade.

Alx January 17, 2014 11:56 AM

“Of course I’m not going to give details on the meeting, except to say that it was candid and interesting.”

Why “of course”? What a brown nosing, elitist comment that is. Wow. The ego you have is quite something isn’t it.

So i’ll play along …

“Thanks Bruce for doing this for us, the plebs. Thanks for talking to the powerful on our behalf and working hard at not bringing any meaningful change whatsoever. You’re so great and we’re so unworthy.”

Ahahahahaha. What a joke.

vas pup January 17, 2014 11:59 AM

When Law regulates something in society, it should be deep understanding of those in Legislature of the nature of that ‘something’ meaning it is important to have in legislature people with professional background/education/practice in subject matter under consideration as the first point. Law degree and MBA is fine, but 21 century required something plus: science, technology, medicine, security, etc. background. That let them understand civil or/and government experts testimony/input. Second point, is to have aides in legislature recruited not only with law degree, PR, political science, but with knowledge in those new important areas required regulation in 21 century. That is good when legislators meet and listen to the experts like Bruce. But I guess Bruce’s opinion is valuable in the sphere of his particular expertise. For other subject (e.g. medicine) they need to listen to the doctors (MDs), not IT security guru.

Jon January 17, 2014 12:14 PM


Can you comment on the opsec procedures you and the representatives took to best protect your conversation? For example disallowing cell phones, laptops, as well as the location selection.

This would be of benefit for those of us who wish to have as private conversations as possible without the benefit of our dedicated facility.


Nick P January 17, 2014 12:59 PM

@ Adjuvant

CoG is definitely a problem. Cheney and co. are certainly the guilty party in more than one scheme like that. However, I wouldn’t push any code, APT, etc. analogies. I’m sure connections or analogies can be drawn. The problem is that lay people will be the solution here and lay people can’t understand any of that crap. It’s better to create our models of the risks and problems using a mental framework they can understand.

Simple route to Congress cooperation

That’s why I keep referencing blackmail, effect of muckraking on elections, Hoover, vote rigging, etc. We’ve seen each of these in the past. Congress reps will understand their risks without explanation. We also know NSA and other agencies’ current capabilities give them potential to do far more. So, the trick is connecting the current NSA capabilities to previous events that would scare Congress people, showing NSA could repeat history many fold. Complex technical concepts should be avoided where possible.

You mentioned CoG. It’s basically a doppelganger government with a certain amount of power over the real one. So, a clear history of it that Congress people could absorb in 5-10 minutes would be a start. They need to see each event, each supporter, each piece of CoG legislation that overrides their own. The next step would be to show how CoG takes control away from them and gives it to secret people who “didn’t work to get elected like the rest of you did.”

Let them understand how all of these things threaten their control, undermine all of their efforts, and could be used to ruin their future. And then remind them they’re in control just enough to turn it around with votes [without any real risk to national security]. And then tell them to put down the Cuban cigars and go vote!

Paul A'Barge January 17, 2014 1:21 PM

Lofgren is an enemy of America. If you are briefing people like that, make sure that you shower and wash your hands afterward.

Giorgio Ganis January 17, 2014 1:37 PM

As already mentioned, would it be that surprising if these Congresspeople were not pushing as hard as they could, in reality, because they are worried the NSA may have something on them and retaliate? Once citizens have these kinds of doubts about their Congresspeople, I don’t see how trust can be repaired.

FluffytheObeseCat January 17, 2014 1:37 PM


Thanks for correcting @Skeptical’s false statement in your follow up post. He has made a bit of a habit of inserting false “facts” into his later posts (those written long after Bruce’s original piece). It is always worth reminding us readers what the truth is.

Thanks also — yet again — for reminding us that the House contains more than one committee tasked with responsibilities that require they investigate what has been released by Snowden.

As glasnost pointed out, the Congress is the representative of the sovereign. If we live in a representative democracy, Congressmen have both a right and a responsibility to look into these matters, completely irrespective of existing regulations. They have the power to alter or rescind any of them, by making law.

Douglas January 17, 2014 3:00 PM

Bruce Schneier • January 16, 2014 12:51 PM

“Wonderful that it happened, but saddening that so few Reps were present.”

Rep. Lofgren purposely kept it small.

If it happens again, be prepared: bring this, by that other Lofgren, with you,

The Party Is Over: How Republicans Went Crazy, Democrats Became Useless, and the Middle Class Got Shafted by Lofgren, Mike

Similarly, be prepared for more “freakiness”.

Ding January 17, 2014 3:52 PM

“re-SCIF” – I immediately defaulted to thinking of a SCIF as a place; what a great reminder of good ol’ “security is a process.” (It’s the “measure twice, cut once” of security!)

Clockmaker January 17, 2014 4:10 PM


I understand you feel that there is a way to bring the secret intelligence agencies back under some semblance of control through conventional channels. I respect your optimistic opinion, but it’s not one that I share.

Optimism is an understatement when grappling with the whole catalog of facts and testimony from insiders, much intertwined with multiple agencies such as CIA. The NSA is, unfortunately, just the tip of the iceberg. If you didn’t think it could get any worse, look out. It’s 10 times worse.

One request I would ask of you is this: Could you please explain your rationale as to why you feel there is a possibility to roll back these programs through conventional government channels? I simply don’t understand your logic.

Full disclosure or an American Glasnost must occur to have any chance at some semblance of civil society.

cntrfldr January 17, 2014 4:32 PM

Thanks Bruce for responsibly doing what you can & kudos to the members of congress trying to educate themselves. But is anyone else troubled that the supposed overseers cannot compel answers from NSA? Why aren’t subpoenas, contempt citations, threats of budget cuts, and other traditional methods being employed? What other agency heads wouldn’t be rolling by now if they defied or deferred classified congressional queries?

The apparent lack of enough power to even get questions answered seriously undermines confidence in any actual oversight.

diane January 17, 2014 5:45 PM

snoop …

… bizness kids making movies of themselves … ya know they don’t give a damn about anybody else, …


Steely Dan

diane January 17, 2014 7:06 PM

You’ve been tellin’ me a genius since you were seventeen ….and all this time I’ve known you, I still don’t know what you mean …

Steely Dan

Do ya ever wonder about those homeless in Sly Con Valley – along the banks of the Guadalupe “River” (heh) – more than a few of whom once held promise for their coding ability, until they refused to go along with the program? Bruce?

Maxwell Smart January 17, 2014 7:13 PM

Micheal mentioned the SCIF = “Cone of Silence” and I think that maybe you should have used the Cone of Silence as it pretty well publicized everything said and that is what the people need.

Truth to people not “truth to power”, those in power already know the truth.

diane January 17, 2014 7:47 PM

… well you wouldn’t even know a diamond if you held it in your hand …. the things that pass your knowledge ….I just can’t understand


The things you think are useless I just can’t understand.

Steely Dan


diane January 17, 2014 8:09 PM

Truth to people not “truth to power”, those in power already know the truth.

truer words and all ….. for as long as humans are able to survive in this increasing nightmare.

‘agent 99’

Douglas January 18, 2014 1:37 AM

My guess is that Bruce thinks it can be done legislatively. Probably what they want to hear after router/ISP hacks began to be focused on.

Judge telephony Pauley would LIKE you to believe it’s maybe only the Patriot Act that should be addressed, after sidestepping his constitutional responsibilities. But then again telePHONY also would have you believe there’s firewalls in the big banks, that the O.C.C. actually regulates, etc.

In the end, my money is on them looking for insider trading angles.

Congress Quietly Repeals Congressional Insider Trading Ban

phreebie January 18, 2014 3:34 AM

Is it not possible that they were on a fishing expedition, to see just what information you may have, and how potentially damaging it might be?

Theoretically the fact that you have knowledge of the information negates the need for a SCIF, since you don’t have clearance anyway. The info is already out. I’m sure they had absolutely no intention of divulging anything to you that may still be classified that you don’t know.

You say the purpose was for you to brief them, not the other way around.

To Dilbert January 18, 2014 7:03 AM


“Dilbert • January 16, 2014 12:54 PM
This reminds me of Mudge/lopht: “Hackers Testifying at the United States Senate, May 19, 1998”


You mean, I hope, except for the fact that most of the people who were involved in the ‘hacking scene’ then quickly decided to work for and create many of the subcontractors that provide these services to the government, or at least become very complacent and remain friends with the friends of theirs that did, right? It’s easy to romanticize the past but to paint broad comparisons that have nothing to do with one another is horrible.

Bruce’s actions should stand as laudable on their own. Just as Zimmermann’s should. And Soghoian’s.

To Bruce January 18, 2014 7:15 AM

Bruce, I don’t really agree that this can reasonably be done legislatively (how can you take power away from an agency that is so used to power and abuse of power that they take it for granted?), nor am I sure the US would ever go for what would happen if they did attempt to dismantle things, so I have two questions, if you would please reply here (or in a future blog entry):

(1) If you do believe this can be done properly through the legislative branch and executive branch, do you have any rough idea of what sort of a timeline might possibly be involved (and what might happen in between those time points)?

(2) If there were a slight (or more) dismantling or scaling down, what happens to the people who are finely tuned and skilled at doing these things and who have made it their life’s work? When the Soviet bioweapons programme was dismantled, just like the Japanese, the US took in a lot of specialists as immigrants, ostensibly because they did not want those people on the free market (and did want them working in ‘defense’). Given the ever-increasing demand for these sorts of subcontracted skills (and the attendant TS/SCI clearances that come with them), what happens to the employees that get ‘scaled down’? Would they get reassigned? Would the government be willing to just ‘trust’ that they would not sell their services to a bidder (however innocently or maliciously)? Specialized skills are a dangerous thing to have, especially when it goes into the exploitation/backdoor/trojan/sniffing/etc category instead of ‘just’ the crypto category (the low costs of such a program being part of the reason why I stress this over crypto). I’m curious how you believe this might be handled, because it is a discussion that needs to be had. Not that I believe the NSA (or any of the other three letter agencies) will actually stop doing things — just shift how they’re doing things.

I’ve been horrified for a long time by the excessive power stances that have been taken, so please do not take question #2 as anything other than what it is meant to be — a question meant to stir a dialogue because I haven’t heard anybody else talk about this in a public forum (but you’d better believe ‘they’ have — and I’m sure you do).

Best regards,
A long-time reader.

To Bruce January 18, 2014 7:22 AM

BTW with regards to #2, one of my top ten concerns is that they will use this precise reasoning to prevent these programs from ever shutting down — not to mention the potential FUD factor they would most likely leverage themselves via such a question (addendum because I am absolutely not a shill and hate the idea that my question might be construed as FUD itself).

Skeptical January 18, 2014 11:34 AM

Fluffy, I’m careful with facts, but since these are comments on a blog, I also write quickly. Sometimes even I will make mistakes. When someone points one out, I’ll go and check; and if they’re right, I’ll happily admit the error. But I also tend not to write anything unless the subject is one I’m familiar with and knowledgeable about.

And it’s possible that the US did engage in commercial espionage. There are always possible points of failure in an analysis. Occasionally even very strong analysis, like a well-built and well-operated aircraft, can suffer a series of coincident failures. The available evidence points to “no” however, and over the course of years, after investigations by many interested parties, that evidence has become quite strong.

I’ve found that those who strongly disagree with that finding tend to fall into three categories.

(1) Some simply have performed no research into the question, but have a general worldview in which all governments conduct commercial espionage, and are simply too rigid to allow for the possibility that they are wrong;
(2) some have performed research, but are from countries in which governments are extremely corrupt, and they begin their analysis of the US with that image in mind – for them, particularly those from closed societies, it’s easier to believe that the US is simply very good at hiding commercial espionage;
(3) some have performed research, are from open societies, but for whatever reason have a worldview in which government is almost cartoonishly corrupt – and that worldview is deeply enough ingrained that it’s very difficult for them to allow evidence to change their minds.

Where I become most concerned about the possibility of state-sponsored commercial espionage is at the intersection of two circumstances: (a) weak intellectual property protection for foreign companies where the beneficiary of the commercial espionage operates; and (b) very strong association, to the point of complete ownership and control, between the beneficiary and the state-sponsor.

Think about where those two circumstances are most strongly in evidence, and you’ll likely find where state-sponsored commercial espionage is the greatest threat. And while there are other factors to consider, those two alone can provide pretty good guidance.

Adjuvant January 18, 2014 2:25 PM

@Nick P

The problem is that lay people will be the solution here and lay people can’t understand any of that crap.

Quite correct about the uselessness of drawing any such technical analogy for the consumption of Congress or the public at large. I was making it here for the benefit of this specific readership. I certainly don’t take for granted that anyone reading this has even heard of the Continuity of Government issue before, so I put it forward as a sort of thought experiment to facilitate reflection. One way to reduce and overcome the cognitive dissonance surrounding such uncomfortable matters is by making comparison to familiar systems and problems.

You say that the solution lies with lay people. I’m not sure I entirely agree on that. In a technological society, the boffinate wields an outsized degree of power. My hope is that my contributions here will encourage technical people to broaden their own research and reflection on these legal and deep political issues, rather than dismissing them out-of-hand as many are inclined to do. To that end, I’m trying to point people here in the direction of quality information from credible sources that they might not otherwise encounter. To mangle Jefferson: “an enlightened boffinate is indispensable for the proper functioning of a technological republic.”

They need to see each event, each supporter, each piece of CoG legislation that overrides their own.

The trouble here is that the research necessary to provide that overview runs into brick walls early and often, as Rep. DeFazio et al. have personally experienced. Much of the necessary information is classified and compartmentalized, so it’s a Catch-22. Again, I can’t resist the comparison (in the company of this blog) to self-encrypting malware, polymorphic code. Absent disclosure, it’s impossible to proceed except by painstaking research and reasoned inference — reverse-engineering, if you will. Urgently needed: more “legal malware” analysts. Also urgently needed: more awareness and outrage at this Kafka-esque subversion. And for the record, I don’t think I’m sounding that call in the wrong place.

I’ve found that those who strongly disagree with that finding tend to fall into three categories.
Actually, I’ll readily admit that state-sponsored industrial espionage has not been a subject of much interest for me, so my research has been tangentially related at best. Accordingly, I have no strong opinion: I just wanted to ping you on the question 😉

Nathanael January 18, 2014 3:47 PM

It’s become clear that the NSA is run by traitors who refuse to acknowledge the US Constitution, and refuse to acknowledge the overriding authority of Congress under the US Constitution. They’re engaging in acts of war — espionage, sabotage, etc. — against the legitimately elected US government.

The official, Constitutional solution for this is for Congress to defund the NSA and fund a grand jury to investigate and prosecute the traitorous NSA leadership. The British Parliament has shut down traitorous government agencies in the past, though it was a long time ago…

Unfortunately, it seems difficult to get Congress to do its job. This is the core problem here. I don’t know how to make that happen.

Adjuvant January 18, 2014 4:27 PM

Start by educating yourself and those around you the best you can. That is the prerequisite to any change. If I could make a single recommendation, it would be to start here with Scott’s The Road to 9/11. University of California Press has made Chapter 1 available at that link, but Chapter 15 contains the best recommendations I have seen for a way forward.

Petrobras January 18, 2014 4:43 PM

“Is it possible that there’s commercial espionage which we somehow have never heard about? It’s possible. But I would have expected that to be one of the very first stories reported by Greenwald et al, as it would be a huge scandal. ”



Petrobras ?

It’s been mentioned above, you even saw it, and magicked it out of relevance without even any arguments, and you have the gall to ask ?

Douglas January 18, 2014 4:46 PM

@ Adjuvant,

The Continuity of Government issue you speak of is most likely best described at this link,

(The proprietors of that link would do well to take the reference to “Jewish” out of the banner, and perhaps be a bit more honest that the number of warnings ex-Mossad far outnumbered those of the Mossad’s.)

Would The Rumsfeld assist those shenanigans and help it to grow truly out of control?

“Investigators within the DEA, INS and FBI have all told Fox News that to pursue or even suggest Israeli spying … is considered career suicide.”

“Many factors have led to increased dependence on code developed overseas…. We buy rather than train or develop solutions.”

And the NSA’s only permitted response to such lack of control is to automate hack attacks?

And so a business has sprung up, that of spying on spying, cascades of hacks with cascades of funding.
Insider trading, run amok.

Douglas January 19, 2014 1:01 AM


Really? Then where do you think CoG, your CoG, now resides as Rumsfeld/Cheney’s people are presumably no longer in power?

In my view the Patriot Act was a buyoff for technocrat-level people that Bush needed to buy to guarantee political support. The NSA cannot claim a single terror event block, and similarly what has DHS really done? Now we had telePHONEY Pauley as a writer of bad fiction and falling back on telling us bad bread has been broken and he will do nothing to hinder further bad bread.

We’ll start with where you think CoG resides currently. Hopefully it’s not merely in the neighborhood of the mere mention of Israel, as someone stated way above in this discussion.

Lobbyists seem to have found Congresspeople have an inordinate interest in junkets to Israel,

Your CoG: where is it now?

Douglas January 20, 2014 4:37 AM

Continuity of Government, most recently expressed by telePHONY Pauley and continued support for the FISA courts,

“The big problem with the FISA court is the creation of secret judge-made law that is capable of reinterpreting anything that Congress passes in order to make it acceptable for the NSA to engage in bulk collection activity,” Assange said.

Boot it to the judges, boot it to Congress, boot it to the FISA courts, and boot it to the Oaf in Charge.

The Party Is Over: How Republicans Went Crazy, Democrats Became Useless, and the Middle Class Got Shafted by Lofgren, Mike
The Continuity of Dysfunctional Government

Douglas January 20, 2014 4:48 AM

A rather lurid circle, wouldn’t you say? If there’s a nation that can speak of another’s “exceptionalism” it is Russia. 25 million killed by the Germans: how aware must they be that their ticket got punched when the most logical target for the Germans was their neighbor, the British?

Modern “exceptionalism”: how many warnings did Putin’s Russia send the U.S.’s way on 9/11, and now a new exceptionalism has taken root to justify surveilling its own citizens.

Some things never change, including alliances and the defining of “splendid arrangements”.

Ian Woollard January 20, 2014 1:39 PM

I’m assuming the NSA didn’t want the meeting in a secured room, because then they wouldn’t be able to monitor it; and so they made up a reason for not letting them do that.

Ardent January 20, 2014 3:41 PM

Bruce can go into a sanitized SCIF. However since Bruce is uncleared, no one is supposed to speak classified words with Bruce. It doesn’t matter that the classified Snowden documents are now in the wild; the government still considers them classified (they are considered to have ‘spilled’), and a cleared person should not speak to or touch the contents of these documents without obtaining special dispensation in writing from an authorized security officer, for fear of getting a security violation for possessing or transferring classified information he was not cleared to possess–one must have both the clearance at the appropriate level and a need-to-know for such information. Some of these documents are apparently even SAP (special access program) which requires even more authorizations. Hopefully the honored representatives thought about these issues, but I’m willing to bet on ‘no’.

Such is the pathology of USG security processes.

That these representatives felt compelled to discuss these things with Bruce to me speaks volumes about how dangerously broken the IC has become with regards to oversight. The representatives apparently don’t trust their executive colleagues (the IC from POTUS on down), the judiciary (the FISC), and apparently don’t have anybody on their own staff to speak to them about these things. Very scary and depressing.

The fact of the matter is that there isn’t any organization capable of penetrating oversight for any government program that can attempt more objective measures of effectiveness or legality. While OPM, the AG, and the GAO regularly attempt to monitor the beast of government they are constrained by politics, the massive scale of government (DoD has admitted it’s incapable of auditing itself), and security containers. As others have pointed out there’s no incentive to kill ineffective programs, and in particular no political incentive to kill programs perceived as “counterterrorist” and/or National Security.

DerekM January 20, 2014 5:30 PM


Frito: Yah I know this place pretty good, I went to law school here.

Pvt. Joe Bowers: In Costco?

Frito: Yah I couldn’t believe it myself, luckily my dad was an alumnus and pulled some strings.

Douglas January 20, 2014 11:55 PM

Ardent, your comment “and in particular no political incentive to kill programs perceived as “counterterrorist” and/or National Security.” strikes closer to the issue.

The history of the NSA tells their role to break codes and diplomatic codes is one of their priorities. Hence weakening encryption, backdooring chips. How many countries today do you think have unbroken embassy communications? military communications?

The NSA IS DoD auditing itself.

Douglas January 21, 2014 5:56 PM

Joe Rochefort and Laurance Safford must have felt equally positive about their work’s warnings before Pearl Harbor, and the Brits, after sending Dusan Popov to warn of the Pearl attack, a similarly-sized affirmation, an affirmation assisted by Donovan, their man on the scene before (not silent) and after (decades of silence) ..

A Sense of History is prescribed for the Rancor Fellas, above ..

Evan January 22, 2014 10:11 AM

In my experience, things like Bruce’s situation with the security clearance for the SCIF (or the more mundane “I can’t do that without authorization”, etc) are more a matter of an official believing one of their superiors will find a reason – justified or not – to fire them if they do. This is partly a structural problem, in that rules are so vague or complex that they can be interpreted in ways that nearly any given action can be construed as rule-breaking or not depending on the mood of the interpreter, and partly a work environment problem, in that damage control in the US intelligence community is a higher priority than actually doing the jobs they’re assigned to do.

Douglas January 22, 2014 10:25 AM

“It’s not the smears that mystify me,” Snowden told me. “It’s that outlets report statements that the speakers themselves admit are sheer speculation.”
Snowden went on, “It’s just amazing that these massive media institutions don’t have any sort of editorial position on this. I mean these are pretty serious allegations, you know?” He continued, “The media has a major role to play in American society, and they’re really abdicating their responsibility to hold power to account.”

It’s the way an empire defends itself, Mr. Snowden.
Let’s look at how Judge telePHONY Pauley speaks of his own “bold jiujitsu” with regard to the role of “contractors”,

“Pauley said the fact that the ACLU would never have learned about an order authorizing collection of telephony metadata related to its telephone numbers but for Snowden’s disclosures added ‘‘another level of absurdity in this case.’’

‘‘It cannot possibly be that lawbreaking conduct by a government contractor that reveals state secrets — including the means and methods of intelligence gathering — could frustrate Congress’s intent. To hold otherwise would spawn mischief,’’

Media outlets don’t seem to mind that government contractors like Booz Allen Hamilton have access to the kinds of information that were leaked or mind what purposes they’re being put to.
Speaking of Booz Allen, weren’t they one of the contenders for the contract Ntrepid won?
Those media outlets also don’t mind adding “level[s] of absurdity” with positions of clowns like Maher serving as “social media personas”.

State secrets privilege, absurd arguments, and phony judges. The empire of the business of spying defends itself “spawning mischief”.

Karl Rove, from a NYTimes article by Ron Suskind.
“We’re an empire now, and when we act, we create our own reality. And while you’re studying that reality — .. we’ll act again, creating other new realities, which you can study too, and that’s how things will sort out. We’re history’s actors … and you, all of you, will be left to just study what we do.”
Rove, as creator, seems to have fallen to a lowly position from one so formerly favored: was it the loyalty that did it, Mr. Rove?

n0n3 January 29, 2014 1:19 AM

I really want oversight to work better in this country.

noun: oversight; plural noun: oversights

an unintentional failure to notice or do something.
"he had simply missed Parsons out by an oversight"
synonyms:   mistake, error, fault, failure, omission, lapse, inaccuracy, slip, blunder, faux pas, miscalculation;

I think you mean to use a different word ;D
