It is an honor to return to Fort Meade. And it is a pleasure to be here under happier circumstances than the last time I was here, in the winter of 2004, in the midst of the mess over what became known as the President’s Terrorist Surveillance Program – a mess, I hasten to add, that was attributable to a breakdown in proper operating procedures not in the NSA, but rather in the White House and the Justice Department.
I deeply admire the National Security Agency, and I know at least a bit about how important this agency is to keeping our country secure. As a result of the multi-dimensional terrorist threat we have faced both before and after 9/11, persistent foreign policy challenges, unpredictable foreign policy crises like the ones occurring today in the Middle East, the growing cyber threat, and various battlefield demands, the appetite of military, intelligence and White House officials for timely and accurate communications and related intelligence about the capabilities, plans, activities, and intentions of foreign powers and persons is greater than ever. You also have responsibilities for defending the government and to some degree the private sector against the growing cyber security threat and other counterintelligence threats. You perform these and the many other vital national security tasks outside the knowledge and appreciation of the vast majority of Americans. Since you don’t hear it nearly often enough from ordinary Americans, let me say “thank you” for all you do for our country.
The occasion for my talk is, as you know, Constitution Day. On September 17, 1787 – two and a quarter centuries ago today – George Washington, James Madison, Benjamin Franklin, and 36 other delegates to the Constitutional Convention in Philadelphia signed the U.S. Constitution, a document that would prove to be the most durable and influential written Constitution in history. Despite the significance of this event, and despite the noteworthy anniversary, we would not be gathered today if the late Senator Robert Byrd had not slipped into a 2004 appropriations Bill a little-noticed amendment that, when it became law, created Constitution Day on September 17 of each year. The law requires the head of each federal agency to “provide educational and training materials concerning the United States Constitution to each employee of the agency or department on September 17 of each year.” I think my speech counts as a legally mandated educational material. And I believe that your presence here is a corporate act of compliance with federal law.
Legal compliance is something everyone in the NSA knows a lot about. Individually and as an agency, you spend a lot of time complying with the law, and – not the same thing – worrying about complying with the law. You are governed by a hornet’s nest of statutes, regulations, executive orders, court orders, and, of course, by the Constitution, most notably the First and Fourth Amendments. I understand that each of you takes several courses annually about your legal obligations. The NSA is scrutinized by the congressional intelligence committees, to which it has scores of oversight reporting obligations. You also have your very own court: the Foreign Intelligence Surveillance Court. You have an active Office of General Counsel, an Inspector General’s Office, and a Directorate of Compliance, all of which are involved, in different ways, in ensuring that you act in accordance with the various laws and regulations that govern your behavior.
If that were not enough, the Department of Justice has a strong presence at the Agency. The National Security Division and the Office of Legal Counsel provide legal advice and guidance to the NSA General Counsel. Under the Foreign Intelligence Surveillance Act as amended in 2008, the Attorney General has a role in making determinations and certifications about the “minimization procedures” governing the NSA’s incidental collection of “U.S. person” information. The Justice Department also has various other duties to audit the NSA. Last year I interviewed a senior lawyer in the Justice Department who is involved in DOJ’s oversight of the NSA. He described that oversight process as “a bevy of [DOJ] lawyers crawling up their asses all the time.”
In sum, the rule of law and legal compliance are vital components of your daily work lives. And yet, you might wonder, what is the point? Why so many ornate laws, many of which draw distinctions and impose restrictions that make little sense? Couldn’t you do your jobs better, and keep the country safer, if anachronistic distinctions between foreign and domestic activities, U.S. v. non-U.S. persons, and other limitations on collection, storage, and analysis were lifted? And why so many lawyers and auditors and compliance officers, some of whom may seem to step outside their lanes into policymaking, and all of whom ask you questions and force you to do things that take up your valuable time in ways that sometimes seems to make little sense to the national security mission?
These are some of the questions I hope to answer today.
Let’s begin with the obvious. Few Americans know what the NSA does because so much of what you do is secret. But we in the public have hints that your technical collection and code-cracking capabilities have grown significantly in the last decade, and that your ability to store and analyze electronic data has increased enormously as the costs of doing so have dropped, as you have built larger and larger data centers filled with more and more powerful computers, and as you are able to power all of your activities through access to more and more electricity. Rightly or wrongly, we imagine that you can collect and analyze whatever information you want. These developments help keep us safe in our complex and menacing world. But they also scare us and make us worry about what else you might be doing with your capabilities, and whether your conception of the national security interest matches the public’s. Like no other American institution, the National Security Agency represents power, scale, technology and secrecy – a combination that quite reasonably produces a healthy dose of skepticism and worry in the average patriotic American.
Such skepticism and worry are, I think, proper and healthy. Presumptively in our democracy, important national public policies are vetted in the public, subject to criticism and analysis and review in the press and by elected representatives and civil society and by courts, and ultimately approved, or not, by the People in elections. This intense scrutiny forces public officials to constantly justify their actions, to address criticisms, to confront new and critical information and arguments, to consider new approaches, and to correct mistakes. The often messy process of public deliberation and review does not, of course, always produce optimal policies, and in some contexts there are serious structural impediments to good policy-making and policy-execution. But it is the operating assumption of our constitutional democracy – and one that I believe is true – that our messy system of public deliberation and review produces pretty good policies on the whole, allows for pretty good policy changes and error correction in light of new information, and in any event is a better and more legitimate system for carrying out public policy than one that takes place in secret, outside of public deliberation and decision.
Very few of the traditional elements of democratic scrutiny and deliberation apply to the National Security Agency. Occasionally General Alexander or another top NSA official will appear before Congress to testify. But these officials do not face tough questions in public sessions and do not reveal more than they want to – that happens, if at all, in classified hearings or meetings. And occasionally the press will report something on some classified activity or program of the NSA, but in most of these instances the public does not know how accurate the necessarily incomplete reporting is. And except on very rare occasions – the President’s Terrorist Surveillance Program was a notable exception – there is little public follow up in congressional hearings and little that the press and civil society can do to get more information or to test the legality of NSA action in court.
The NSA is of course governed by publicly enacted laws. But the public elements of your governing laws only distantly relate to your legal authorities and restrictions. An observer from Mars who read all of the publicly available laws and executive orders governing the NSA would have little idea what you actually do. The law that governs NSA activities results from decades of secret interpretations of obscure, esoteric, and often-outdated public laws by executive branch lawyers and judges on the FISA Court, all of whom seek to be faithful to the often-out-of-date law while at the same time allowing the NSA to do its mission. This law that has developed through interpretation and practice is more extensive and more complex – in its authorizations and in its restrictions – than the law on the books. This is not unusual, of course. In other contexts law accretes through interpretation and practice. But when this happens in the NSA, citizens and the press and civil society and ordinary federal courts cannot assess these accretions to determine whether they approve of them.
There are good reasons why the normal lawmaking, law interpretation, and public scrutiny practices of our constitutional democracy do not apply to the NSA. Surveillance techniques are quite fragile. Full public scrutiny of your operations would reveal those operations to our adversaries and would seriously undermine, if not destroy, their effectiveness. We need not be embarrassed about the need for secrecy in a democracy. The framers of the Constitution understood that secrecy was appropriate in the conduct of national security and they assumed that many executive branch national security activities – especially those related to intelligence-gathering and war – would be secret. But while we should not deny the vital need for secrecy in the conduct of national security, we should also not deny that secret government action is a departure from our usual constitutional requirements, a compromise in the name of national security that is fraught with the possibility of error, abuse, non-accountability, closed-mindedness, and other evils that democratic deliberation and review are designed to avoid.
This is the background against we must understand and assess the NSA’s system of legal compliance. In a nutshell, the system I described above – intelligence committee oversight and reporting obligations, scrutiny by the Foreign Intelligence Surveillance Court, lawyers all over the place, inspector general and compliance officer reviews, incessant legal and compliance training, and occasional reports about classified activities in the press – are substitutes for traditional checks and balances. You must understand: They are dim substitutes. In effect our government has decided to ramp up scrutiny behind the wall of secrecy as a replacement for the impossibility of normal scrutiny in public. But the scrutiny and review in secret, however robust it may seem, is less demanding and overall less robust than its normal public counterpart.
But, you might ask, why are the laws that govern your activities sometimes so convoluted? I mentioned the geographical and citizenship distinctions above that permeate your legal authorities and restrictions. Technological developments have made these legal distinctions difficult to respect, and respect for these distinctions pose increasing hurdles to your national security mission. More generally, some of your legal obligations were enacted in a different technological era and make little sense today. Granted that internal compliance will be extensive and serious, why can’t he laws be updated and be made more intelligent?
One answer to this question is that the geographical and citizenship distinctions that technology does not respect still reflect important American values. Our citizens and lawmakers might be willing to compromise these values, or further compromise them, if respect for them weakens our defenses too much. But one of the lessons of the last eleven years is that Americans are willing to accept increased national security risk in order to preserve additional liberty for U.S. citizens and within the geographical homeland. I believe that one day – I am not sure when, but probably after a cataclysmic attack – we as a nation will be forced to jettison, or at least significantly weaken, these distinctions in exchange for more security. But we are not there yet.
Another reason the law often seems so convoluted is that it is difficult to change. Most of your activities are governed by a 1978 law – the Foreign Intelligence Surveillance Act – and related laws that were enacted in a different technological universe. These laws have of course been amended, but their essential structure, and in many respects their essential technological assumptions, remain in place. Why not update these laws to reflect current technological realities? One answer is that you cannot have a fundamental change in the law through public means without revealing a lot about your capabilities. Such revelations, of course, would be self-defeating. Another reason, I think, is that opening up your authorities to fundamental reform might make things worse for you, either because Congress might inadvertently narrow your authorities, or because robust public debate about the scope of your authorities might lead Congress to purposefully narrow them. And so for the most part the Executive branch has decided to muddle through with encrusted interpretations of old laws by executive branch lawyers and the FISA court, on the theory that a less-than-optimal law you know and to some degree control is better than one you don’t know and might not be able to control.
I hope what I have said thus far helps you to appreciate a little bit the challenges faced by lawyers in the General Counsel’s office and elsewhere in the Executive branch and on the FISA court, and the importance of their role to the legitimacy of what you do. Let me say a bit more. These lawyers operate in an extremely complex and controversial legal environment. The laws they interpret before telling you whether you can or cannot do something, or how you must do something, are always complex, often outdated, and usually ambiguous to some degree. Moreover, the technology that the laws purport to govern is itself complex and constantly changing, making it extremely difficult, and a constant battle, to keep the rules and regulations up to date in ways demanded by relevant laws. To make matters worse, the validity of an executive branch lawyer’s interpretation of the complex, outdated, and ambiguous laws is usually determined not in the context in which the lawyer made the decision, but rather after the fact, in a different threat environment, often when things have for some reason gone wrong, and the lawyer is blamed.
A lawyer can be blamed for a mistake in two basic ways. If a lawyer says “no” to an operation or collection, or narrows or changes that operation or collection, and that advice results in a failure to act or to collect that in turn results in a breach of national security, it is the lawyer who gets in trouble. A lot of the blame for 9/11 was laid at the feet of lawyers whom it was claimed, were overly restrictive in their interpretations of vague national security laws. A lawyer can also get blamed for saying “yes.” In the last decade national security lawyers throughout the executive branch who gave good faith advice in times of crisis about complex laws have been subjected to threats of criminal prosecution and to financially and reputationally damaging ethics investigations and public denunciations. Every national security lawyer in the government knows that some version of this might happen to her if she authorizes an operation or collection that later goes bad or proves controversial or is deemed to be illegal.
I am not asking you to feel sorry for the lawyers. The risks I just described are a standard part of the job. Nor do I want to deny the potential downsides of national security lawyers in the NSA and elsewhere. Lawyers slow things down when dispatch can be important. Lawyers can fragment responsibility for action. Lawyers sometimes seem to offer policy advice under the guise of giving legal advice. And lawyers, under the pressures I just described, sometimes cover their own asses and chill operators from acting aggressively – for example, by giving less-than-clear advice when clear advice would have been possible and appropriate. Great national security lawyers try to minimize these costs, and I have every reason to think that the lawyers in the NSA today succeed in this task. But it is worth acknowledging that lawyers can make the task of policymakers and operators more difficult. The same is true of their auditing, scrutinizing cousins in the Inspector General’s office and in the Directorate of Compliance, who can also slow or chill aggressive action, fragment responsibility, engage in policymaking, and the like.
But lawyers and other internal scrutinizers of your actions also bring many benefits, some obvious, and some not so obvious. One benefit that lawyers offer is cover, or protection. When the General Counsel’s Office authorizes a collection or some other action, those who rely on that advice can rest assured that whatever else might go wrong, they will not face legal jeopardy for actions within the scope of that advice. This may not seem like much. But because the laws that govern your actions are often vague and complex and outdated, and because many of them are criminal laws that invite criminal punishment for violation, and because national security policy mistakes and controversies are often fought in the language and process of law, the lawyer’s approving advice is actually quite important to your ability to carry out your task.
A second benefit brought by lawyers and their friends in the Inspector General’s office and Directorate of Compliance comes under the heading of good government. These officials interpret the commands of Congress and the Constitution, put systems in place to ensure that you can comply with those commands, and tests these systems for effectiveness and efficiency. In trying to replicate in secret the role that checks and balances normally play in public, these officials, if they do their jobs well, help policymakers and operators to avoid or reverse illegal actions, to uncover and correct mistakes or bad practices, and to generate information that NSA leadership and the Congress can use to improve operations.
The final benefit that results from the internal checks and balances I have discussed is the least obvious but perhaps the most important. These internal checks and balances are empowering. The constraints of legal review and audit and other forms of scrutiny are vital prerequisites to your receiving enhanced authorities you need to do your important jobs.
Let me give an example from the 2008 amendments to FISA. As you no doubt know, by 2008, President Bush needed new legislation in order to continue the warrantless wiretapping program. To the surprise of many, a Congress controlled by the Democratic Party obliged, and gave President Bush, whose approval ratings were historically low, new and in some respects broader powers to engage in warrantless surveillance of persons reasonably believed to be outside the United States. Many critics characterized the law as a cave to fear-mongering. The simpler truth was that the Congress was convinced, after extensive arguments, that the pre-9/11 surveillance regime had been overtaken by technological developments and needed to be more flexible to redress modern terrorism and related foreign intelligence collection challenges.
The problem was that Congress did not trust the Bush administration or the NSA to use these new powers faithfully. Nor did Congress trust itself to undertake the hard work of oversight needed to ensure compliance with its mandate. A major part of the solution to these problems was the secret but credible checks and balances that I have described today. The Foreign Intelligence Surveillance Court was charged with determining that the government’s general targeting procedures are reasonably designed to stay within statutory guidelines. Congress imposed various privacy requirements, most notably “minimization procedures,” that are themselves subject to ex ante review and approval by the Foreign Intelligence Surveillance Court. It also imposed numerous ex post oversight mechanisms: The Attorney General and the Director of National Intelligence must assess legal compliance and report to Congress every six months, and inspectors general across the intelligence community and in the Justice Department must perform annual reviews for legal compliance and effectiveness. And of course lawyers in the NSA and the Justice Department were given significant responsibilities for ensuring compliance with these and other directives.
The NSA likely would not have received the modernized surveillance powers that are so crucial in the fight against hard-to-find terrorists and other threats if not for the existence of credible lawyers and inspectors general and the FISA court and other auditors that Congress trusts to monitor and enforce restrictions on presidential discretion in secret. These internal checks and balances, precisely because they are so credible and so robust, led Congress to entrust the executive branch with new powers. In short, the executive branch and the NSA were empowered by the constraint that these institutions bring.
The 2008 law will, I think, be a model for the new authorities you cherish. The NSA has received many new authorities and responsibilities over the last decade, as well as an enhanced budget. But your leaders believe you can do more and they say they are held back by inadequate authorities and excessive legal restrictions. To take just a few examples, your leaders say publicly that the NSA wants and needs more freedom to collect, store, and analyze information; a more direct role in protecting private sector networks and infrastructure, with all of the surveillance that that entails; and more flexibility in complying with the still-annoying, still-reticulate FISA restrictions. If and when you get these additional authorities – and I predict you will get them all, eventually – they authorities will come with many conditional strings attached in the form of General Counsel and Inspector General and Foreign Intelligence Surveillance Court reviews and audits.
The point I want to leave you with, then, is that these often annoying, often painful, and sometimes-seemingly-counterproductive internal checks and balances are necessary to legitimate the actions that you take in secret, and will be a necessary feature in any growth in your authorities. The Congress and the American People simply will not give you more leeway to exercise your extraordinary capacities in secret without the existence of robust and trustworthy internal institutions that can watch what you do, ensure compliance with the law, and check your mistakes, in ways that the Congress, and the American people, find credible.
Thank you.