Intelligence agencies have had widespread and long-running programs to gather, analyze and share electronic data for defence and security purposes. But the revelations of former National Security Agency contractor, Edward Snowden, have raised questions about the state of personal privacy and the role of government oversight as technology makes access to vast amounts of data more rapidly available.
In a week where European leaders were demanding answers to allegations that their personal data was being monitored and the British Columbia Civil Liberties Association filed suit against the Communications Security Establishment of Canada on the grounds its surveillance program is unconstitutional, General Michael Hayden, former director of the NSA and the Central Intelligence Agency, spoke with associate editor Chris Thatcher about the balance of privacy and security.
The revelations of recent months have probably left many of us pondering the scope of national surveillance of electronic data, without really understanding the roles of certain government agencies: What are intelligence agencies actually doing?
When you are doing espionage, you divide the work up largely by method of collection: you have an imagery agency, a human intelligence agency, and a technical or signals intelligence agency. The collection for each of those is quite different and requires different technology, different skills and even a bit of a different culture. Most intelligence organizations around the world are organized along those lines. With regard to signals intelligence, your effort is to go after communications in a lawful way – communications that your law does not protect – that allow you to provide meaningful intelligence to your nation’s policymakers.
Privacy commissioners in Canada have begun to talk of a new paradigm in which we need to re-think the concepts of privacy and security, particularly in light of new technology, big data, analytics and so forth. Do you see that?
I do. The traditional approach – and I recognize that technology has really changed this – is that each nation had its own laws as to what constituted privacy. Ours is anchored in our Fourth Amendment, which protects Americans against unreasonable search and seizure. The Fourth Amendment is not an international treaty – it applies to Americans, those in the United States and permanent legal residents of the United States. That seemed to be just fine through the first 55 or 60 years of the National Security Agency, which was founded in 1952. Now there are shifting standards globally as to what constitutes a legitimate expectation of privacy. And we are now involved in a global debate as to what those standards should or should not be. Happy for the debate, but I’m not prejudging outcome here. It remains a world of sovereign states and a world of enduring dangers, and signals intelligence is an incredibly valuable way for a state like mine to learn the plans and intentions of those who might mean harm.
The argument seems to be that the balance between privacy and security is shifting. You have lived much of your career in that balance: Are we in any danger of losing it?
No, not at all. I go back to our constitution: the standard is reasonable. It protects our citizens against unreasonable search and seizure. Even the definition of reasonable within our own political sphere changes with contemporary standards and levels of threat. It is based upon the total circumstances present at the time. I realize it is not a very comforting thought at all for me to define privacy as something that belongs to Americans, and a lot of American political leaders try to defend what the NSA is doing by pointing out that most of its activities are done against foreigners, which again isn’t very comforting to other people around the world. But this is an internationally accepted practice – all nations do this – and it is going to be an interesting debate: can you arrive at broader standards beyond each national entity when it comes to the protection of “privacy”? We are going to have to see where that leads. If there is a global privacy problem here, it is not just an American issue. We are the first wave hitting the beach just because of recent events but it is not just American intelligence services that have to balance this security and privacy question.
That’s a good question, and the answer is no. But it is truly policy and not international treaty, I think, certainly to a first order. Our president has already pointed out – he did this in Sweden before he got to the G20 in St. Petersburg – he candidly talked about maintaining the appropriate balance, that there are concerns about privacy, and three times in a press op, in answer to one reporters questions, he said: Just because we can do something doesn’t mean we should do something. So I think the president is open for discussion. Again, that is a policy question.
What should be the role of oversight? Certainly in this country there is a strong sense that it has been insufficient.
You have got to define the terms of reference. In most countries, to the degree they debate this, the debate is about what security services do domestically, not what they do abroad. And the really interesting thing about what is happening now – interesting and somewhat frightening for an American – is that this debate which began about what our security services are doing “domestically” – the metadata program, the PRISM program, and so on – this is now a debate about what our foreign intelligence services do against foreign targets. That’s really uncharted territory.
Is part of the problem that we have an all hazards approach versus a risk-based one, that with each incident – reported or otherwise – we feel the need to expand the security requirements to protect ourselves?
I had 39 years in the air force and in the first half of my career we were worried about the Soviet Union. I can’t find a civil libertarian who would raise a finger about the NSA trying to intercept Soviet high command communications emanating out of Moscow trying to go to an ICBM unit out beyond the Urals. That was a dedicated network, a known enemy. The 2013 version of that is al-Qaeda emails co-existing on a world wide web with your communications and mine. And free people have to decide: do you want these security services to provide you what they were providing when the threat was that one, but in today’s world? If the answer is, yes, then you are going to have to admit the reality that they are not going to be going after isolated communications on dedicated networks, they are going to be bumping into your stuff. The real question becomes: can I trust them to go after the other stuff and even though they may bump my stuff, they won’t do anything that makes me uncomfortable?
Does the nature of the technology and the fact that so much “intelligence” is open source change how we need to think about the problem?
Let me answer that question by making the problem bigger. I was head of CIA after I was head of NSA. I had an advisory board and I gave them hard questions. One of the hard questions was: will the United States be able to conduct espionage in the future, inside a broader political culture that every day demands more transparency and more public accountability from every aspect of national life? They went away and studied that problem and came back after six months and answered: we are not sure.
We are at a fundamental moment here in terms of the traditional ways that sovereign states have defended themselves in the past with their intelligence services. Look, and I really mean it, just tell us what the rules are. You have to understand that if you draw the box real small you are probably going to be a little more in danger than you would otherwise. But just tell us where the box is.
Do intelligence agencies then need to become better at telling their stories, despite that need for secrecy? How does an agency tell its success stories in that context?
That’s a real problem. If I just look at this through the narrow lens of intelligence effectiveness, I wouldn’t tell anything to anybody. But that was never possible. The citizens of a democracy have to have at least a reasonable idea of what you are doing on their behalf. And I think quite clearly what has happened in the last number of years is, if intelligence services expect public support they are just going to have to tell more of their story to their own citizens. That will shave some points off operational effectiveness, but the trade off there is that if you don’t do that, you won’t get to do anything because your citizens won’t have a sufficiently high level of confidence in what you are doing. So we are going to have to be more forthcoming. That is ahistorical for us.
How should citizens view this? We often hear the line, “I’ve got nothing to hide so why should I worry.” Clearly that’s not sufficient.
There are also citizens saying, “I don’t have anything to hide but I didn’t sign up for a government that is as intrusive as this one seems to be.” That’s a fair argument. In the North American political tradition, we have grown up with – maybe even a little more so in the U.S. – the distrust of government power, even when it has been used benignly. So I understand: you’ve got these bazillion phone records and this metadata database that Snowden revealed and our government has confirmed. The push back on that is, yes, we have a bazillion records and we’ve got yours, Hayden, but look at how we respect it, look at how we handle it. Frankly, that is satisfactory to me and many of my countrymen. But all of this requires a serious debate, and it’s not a serious debate unless it is an informed debate. Those who criticize the current program are guilty of making it too bumper sticker-ish; those who support and conduct the program are guilty of not saying enough about what they are doing soon enough.
You have argued that we are trying to put new ideas into old forms. Are the rules of engagement different in cyber space than they are in other military domains?
I firmly believe that the laws of armed conflict apply in the cyber domain as much as they do in physical space. The principles of proportionality, distinction, necessity – those are all the laws of war and they apply in the cyber domain, too. But cyber is still so new… In the other domains – land, sea, air, space – the government has a role and, more or less, a generally agreed role like police forces and fire departments and armies and the centres for disease control. We have worked out what it is we want the government to do and what it is we will allow the government to do in physical space. We have not done that in the cyber domain yet. We are still debating what it is we want the government to do for us there and what it is we will let the government do for us there. That’s what I mean by old patterns and which of these apply or don’t apply to this new cyber space.
Given the integration of critical infrastructure across our borders, do we need to consider something like cyber NORAD to better defend that space?
I really do. Our cyber space is more integrated than our air space. Therefore, it is absolutely clear to me that this requires close coordination between our two countries. That also means broad agreement on what constitutes a threat, what constitutes an appropriate response, what constitutes suitable privacy, and so on. We have two democracies that have figured out how to do that when you are controlling air space; now we are challenged with how do we do that in this entirely new domain.
Do you know if that discussion is taking place?
I truly don’t know. We have historical cooperation between our two country’s militaries and intelligence services, so I am sure there is work being done here, but I just don’t know the details.
General Michael Hayden was a keynote speaker at the 1st Digital Economy Congress, “The Challenges and Opportunities for Cross Border Data Flow,” hosted by Reboot Communications in San Diego in November. Reboot will hold its 15th Annual Privacy and Security Conference February 5-7 in Victoria: www.rebootcommunications.com.