Audio: Breaking up the NSA

Almost a year and a half after the Snowden revelations, it’s business as usual for America’s giant global eavesdropping and spying organisation: the NSA, the National Security Agency.

As revelations continue to unfold, legislative attempts to rein in the NSA's powers appear to be stalling. But, Harvard University security analyst Bruce Schneier says the situation is unacceptable.

In the future, argues Schneier, people will look back at the way we ignore privacy today and ask "how could we be that immoral?" He’s put forward his own plan for breaking -up the NSA, and in so doing, bringing its activities under greater civilian control.

Listen to the Audio on


Antony Funnell: Hello, Antony Funnell here with another edition of Future Tense.

In today's program, leading international security expert Bruce Schneier on surveillance and spying and his plan for the future of the NSA, the National Security Agency, the United States' global eavesdropping organisation. Breaking it up, he says, is the only way to ensure the NSA's functions will be effective, and effectively monitored.

Bruce Schneier: I believe we have to recognise that the rights of people don't stop at borders, that it shouldn't be that every country can do anything they want to the citizens of some other country, that we as Americans, as citizens of any country should bestow some rights to foreigners in other countries. That isn't addressed by splitting up the NSA, but it's certainly something that we have to do. This notion that rights stop at borders doesn't work in a global internet. You can't make it function.

Antony Funnell: Bruce Schneier, and the NSA.

And also today, University of Sydney academic Bunty Avieson on mobile technology and democracy in Bhutan. Facebook, it seems, actually can be a public square.

Bunty Avieson: Because it's such a small country, the MPs, the individual MPs have Facebook pages, most of them, and they interact with their constituency on Facebook. They will put up a policy suggestion and then they will look and see the responses they get, and they can have an active direct dialogue with their constituents through Facebook, and they do. And it's quite transparent, terribly egalitarian, it's rather wonderful.

Antony Funnell: Dr Bunty Avieson and Bhutan's blueprint for technology-assisted democracy; 'Best from the West and leave the rest'. That's coming up shortly.

Our program today though starts in New Zealand, right at the tail end of their national election.

Edward Snowden: So with all of that out of the way, we arrive at the thing that I think ought to be the most important part of the discussion tonight. The GCSB not only uses XKEYSCORE, they have expanded it, they have contributed to its development, they've proposed algorithms and those sort of fingerprints that are used to track people and targets…

Antony Funnell: Early last week at a political event in Auckland Town Hall the spectre of the NSA—America's National Security Agency—loomed over New Zealand politics, with whistle-blower Edward Snowden addressing the gathering via a telelink and telling those present that New Zealand's intelligence agency, the GCSB, and the NSA, had both been involved in ongoing mass surveillance of New Zealand's population.

That charge drew a quick denial from New Zealand's Prime Minister John Key.

John Key: Absolutely without doubt New Zealanders are not subject to mass surveillance by the GCSB and they never have been. What I can say is that yes, there are databases that New Zealand intelligence agencies might be able to access but there never has been any mass surveillance and New Zealand does not gather mass information and provide it to any international database.

Antony Funnell: It's not our intention to dwell on New Zealand politics, but the way in which the global NSA surveillance scandal once again reared its head in Auckland provides a good reminder that despite all the international outrage last year over the nature and extent of the NSA's snooping, very little has been done to bring the agency to heel.

Recently on this program we heard from the American Civil Liberties Union about the watering down of the USA Freedom Act, a bill with bipartisan backing that was introduced into the US House of Representatives with the specific purpose of reforming the Agency. Critics says the proposed legislation has now been amended so much as to make it all but irrelevant.

Now, most of those who are vocal in criticising the NSA tend to want it scrapped altogether. But the realists would acknowledge that given the current volatility of the international environment, that's unlikely to happen anytime soon.

So, leading international security analyst Bruce Schneier has put forward his own solution for consideration, a plan which he says would preserve what's good about the NSA's global mission, but place US surveillance activity under greater scrutiny.

Bruce Schneier is currently a fellow at the Berkman Center for Internet and Society at Harvard Law School.

Bruce Schneier: Traditionally the NSA has had two missions; attack and defence. Established during the Cold War, they were charged with eavesdropping on the Soviet Union, the Warsaw Pact, America's enemies, and also protecting the American military communications from eavesdropping by the Soviet Union, the Warsaw Pact, America's enemies. And these two missions were opposite but complimentary. The same techniques and expertise you needed to attack their communications you needed to defend our communications. And the reason that worked is because even though the techniques and knowledge was the same, the equipment was different. Soviet radios were different than American radios. Soviet telephone networks never carried American telephone traffic. So you could easily separate the two missions, combine expertise, but they wouldn't come into conflict.

That changed with the rise of the internet. Now everybody in the world, the good guys and the bad guys, use Microsoft Windows, Gmail accounts, Cisco routers, the same software, the same hardware, the same internet. And the communications are combined. So you can find American communications on trunks that go through Eastern Europe or China or North Korea. So what that means is these missions are now in conflict and we have to choose whether we protect our communications, thereby protecting their communications, or leave our communications vulnerable, thereby leaving their communications vulnerable. Once you do one you get it for the other. You can't do both at the same time. So given that, we really have to divide the two missions better, that right now the NSA has kept the communications of the world deliberately weak so that it could spy on its traditional and modern enemies. I want to break up those two missions.

Antony Funnell: And essentially I guess then the major issue, as you say, is that because of that over time the NSA developed a propensity to prioritise intelligence gathering over security.

Bruce Schneier: Right, in the sense that they are the wrong organisation to make that determination, that's the wrong level. That should be made at a much higher level, whether nationally or internationally within NATO or some of the other Western alliances, that having the NSA decide if it finds (I'm going to make this up) a vulnerability in Microsoft Windows, should tell Microsoft, fix it so that we are all protected for someone else using it, or not tell Microsoft, keep us all vulnerable, and then use it to eavesdrop on the Chinese? So this has also changed the nature of the NSA's mission. It used to be government-on-government espionage, now it's more government on whole population surveillance.

Antony Funnell: You argue, don't you, for the breaking up of the NSA and the passing on of its respective powers to other organisations. Take us through your thinking there.

Bruce Schneier: Well, it is a little more complicated. I want to break up the defensive mission, that should be very public, there's no reason for secrecy there, we are defending, we are finding vulnerabilities, we are patching them, we are telling people how to secure their computers. I think that is a civilian mission. That should go inside a Department of Commerce potentially. It's very much an open mission, and that's very important. And in protecting US communications we protect everybody else's communications because everybody else is going to use the same stuff. If we help secure the backbone of the internet, everybody in the world benefits, including the Chinese dissidents who need that security to stay alive. When you get to attack there are two missions. There is the government-on-government espionage—attack, cyber war—all of those things should move under the Department of Defence where the NSA is, but it should be part of defence.

Last year there was a big scandal because we were spying on the German Chancellor Angela Merkel's cellphone. Well, maybe we should do that, but whether we should or not needs to be decided at a very high level in government, not just by an NSA analyst. So that stuff should be within the Department of Defence. Anything that is government-on-population should be in a civilian law enforcement agency. In the United States the FBI does a lot of counterterrorism. They are also much more open, their laws are much more about peace time and law enforcement and are more suited to doing things on populations. So that government-on-population surveillance mission should move into the Department of Justice.

So those are the three; defence goes within something like the Department of Commerce, attack goes within the Department of Defence, and then counterterrorism population surveillance goes into the Department of Justice. And I think that is a much better political tradition for the realities of today than keeping everything inside the NSA.

Antony Funnell: What has been the response to your idea when you've presented it to people in the know?

Bruce Schneier: It'll never happen, and of course 'never' is a short-term way of thinking of it. It's probably not something that is going to happen today. The President's review commission on surveillance last December came out with a very mild recommendation that US cyber command, which is the military cyber-attack division, the under a separate command than the NSA. Right now the same admiral or general in charge of one is in charge of the other, and they recommended that those two be split. It is a very mild version of what I suggested. And President Obama chose not to do that, he pointed Admiral Roberts recently to head the NSA and US cyber command. So this is certainly not something that will happen anytime soon, but I do think it is important.

Antony Funnell: Because there are vested interests, aren't there, fighting against that, and we have seen that with the passage…which we covered on this program recently, the passage of the USA Freedom Act through the House of Representatives there in the United States.

Bruce Schneier: Yes, it's unlikely the USA Freedom Act will become law. I think the bill is very flawed, it doesn't do a lot. It does some things and I think it should pass. It will certainly not reform the NSA. It's focused on one particular program, it's focused on a particular legal authority, but it does have some real teeth and it's a good first step. And we just saw James Clapper who is the head of US intelligence, director of national intelligence, came out in favour of the bill. I tell you right there that it's not going to do much. I think he decided that he would take this little reform and hope that's enough. But what we are hearing now, it's unlikely to get out of the committee and in the Senate, and unlikely to even get on Obama's desk. Obama has not signalled whether he would pass it or not.

Antony Funnell: You describe the NSA's historic attitude as overly aggressive. By breaking it up along the lines that you've suggested, is there a risk of simply spreading that aggression to other departments?

Bruce Schneier: One of the things that breaking it up does is it moves it under more civilian authority. The Department of Defence is the most permissive part of the US government, and it makes sense because the Department of Defence conducts war, and war by definition has fewer rules than peace time. The problem is we are conducting this sort of peacetime surveillance under the rules of war, and moving it under the FBI, even though there are FBI abuses, the FBI isn't perfect, puts it under civilian control. So rather than spreading the abuse, my hope is it will make it all more public.

Antony Funnell: Now, a critic could say…and I know you've responded to this in the past, a critic could say that what you are suggesting would lead to duplication. That's correct, isn't it?

Bruce Schneier: And it would, of course. We accept inefficiencies in government all the time, for moral purposes, for legal purposes. The goal of government isn't maximal efficiency, that's a dictatorship. We deliberately want an inefficient government because it gives us more liberty and more freedom. So yes, that is certainly a criticism, I accept it and think that it is an acceptable price to pay for the more security, the more liberty, the more freedom we get because of it.

Antony Funnell: If your suggestion was followed through, and I know you said it's very unlikely, at least in the short-term, that the US government will go down this type of path, but if it was followed through, what would the flow-on effects be for countries other than the United States and for individuals other than American citizens, because one of the things that has come out of the NSA Snowden scandal is the level of hurt and distrust that has been built up around the world against the United States because of what the NSA was up to.

Bruce Schneier: That's certainly a separate thing that we have to deal with. Even recently President Obama repeatedly said this to Americans; don't worry, we are only spying on non-Americans. And everyone else in the world is saying, hey wait a second, that's us, what are you guys doing? Mark Zuckerberg of Facebook even said, 'Can you stop doing that? You're just telling the world that you are only spying on non-Americans and most of my customers are non-Americans.' I believe we have to recognise that the rights of people don't stop at borders, that it shouldn't be that every country can do anything they want to the citizens of some other country, that we as Americans, as citizens of any country should bestow some rights to foreigners in other countries. That isn't addressed by splitting up the NSA, but it's certainly something that we have to do. This notion that rights stop at borders doesn't work in a global internet. You can't make it function.

Antony Funnell: The NSA, as you say, is unlikely to be split up. But has the American government learnt a lesson from the experience of the NSA and the way it developed over time and the way its mission expanded over time?

Bruce Schneier: I don't know. Really we are at the very early stages of this. My belief is that Snowden's ultimate legacy will be a worldwide right to privacy that is enshrined in international and domestic law. But I think that's a couple of decades in coming. Really the lessons from all of this are mostly still to be learnt. Right now the lesson the government has learned is the obvious and wrong one, which is we should have protected our secrets better and not let him leak that. The greater lessons—that maybe we went too far, we did something wrong, we need to roll back surveillance, we need to re-enshrin privacy and liberty into what we do—those lessons really haven't been learned yet, and I think they are maybe a decade away from being learned.

Antony Funnell: And in speculating about the future, how would you see that type of right to privacy, how would you see that coming into being? Who would be the driving force behind pushing for that, do you think?

Bruce Schneier: I don't know. I expect it will be Europe primarily. Europe is interesting in that they have some much stronger rights to privacy than the United States does. But it's mostly corporate privacy. They tend to allow much greater government access to data and much more restrictive corporate access to data. But privacy reform is more likely to come from Europe first and spread outward from there.

Antony Funnell: Of course they are often criticised though, aren't they, for that.

Bruce Schneier: They are, but it is still something I think is valuable and I think in the future will be where we see the first stirrings of the right to privacy. I actually think that 50 years from now people will look back at today and look at the way we ignored privacy in the same way that we look back at child labour laws and workplace conditions and all of those things that we say, my God, how did we do that, how could we be that immoral? Privacy really is that important. But sometimes it does take a generational change to realise those things. I'm not sure which international institutions or domestic bodies this will come from, but I do believe it is coming. I don't think this is the end of the democratic movement for our society. We'll figure this out. We've figured out even harder things.

Antony Funnell: And yet we don't see…around the world or in the United States we don't see an ongoing campaign of demonstration against the NSA or against the spying powers that we see and against the…because of the Snowden revelations, in the way that, say, we saw in the '60s and '70s a mobilised and consistent anti-war protest movement. Why don't we see that, given the level of fear and the level of concern that many people say they have about privacy violations?

Bruce Schneier: I don't know. I think you're asking a larger question than the particular political movement, you know, how people respond to government power and what protest means. A lot of things are in flux. Certainly a lot of people just don't care. Either they trust their government or they trust Google or Facebook, and they accept that this kind of intrusion is happening, there is nothing they can do about it. I encounter that a lot. So it might take people who do care. You know, why we are not seeing the same level of protest that you would see in an anti-war movement, well, an anti-war movement is trying to stop people from dying, that's much more visceral, that's much more real. Privacy is a little more abstract. It's something you tend to take for granted until you don't have it any more.

So maybe it will take another few years of us losing our privacy before people say, hey wait, this just isn't okay. But I think we have to get to that point for the average person to say this isn't okay, I don't want this, this isn't the government that I think we should have. And when that happens you will get change. It will be hard. There are lot of entrenched movements. Certainly a lot of corporations are making money by spying on us, the Google, the Facebook, there's a lot of profit in invading our privacy. So there will be hurdles to overcome, but I do think we can do it. You're right, the time isn't now. The things we are going to do are going to be around the edges. That's why the USA Freedom Act only addresses a very small piece of the problem. There isn't the appetite in the United States Congress to address the entire problem.

Antony Funnell: And that was Bruce Schneier, security analyst and fellow at the Berkman Center for Internet and Society at Harvard Law School.

Categories: Audio, Recorded Interviews, Text, Written Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.