I've been thinking of Edward Snowden as the anti-CISO. Chief information security officers usually make the case to their boards for more invasive monitoring, tighter policies and more budget. Snowden, the former National Security Agency contractor who absconded with an untold amount of the NSA's data, has been making the reverse argument, to the entire nation.
He seems to be trying to prove that U.S. surveillance policy expends too much money for not enough return. Hardly haphazard, his disclosures have a method. If I am correct, they are being carefully orchestrated to build the case for less monitoring and looser policies. If this hypothesis is in the ballpark, then we should be able to predict the next round of disclosures from Snowden and his journalist proxies.
If you have been too busy to follow closely what exactly Snowden has and hasn't released or the timing of his actions, let me reconstruct the history for you, presented as a series of arguments Snowden is employing to make his case.
Argument No. 1: The U.S. government harvests Americans' phone records
Snowden was patient, waiting for a good moment to begin his disclosures. He spent years accumulating his evidence, and he has said that he contemplated leaking it back in 2008, only to decide to give the newly elected president, Barack Obama, an opportunity to change the course of the U.S. security apparatus. When that didn't happen, he still waited for what he saw as the right moment, which arrived in May 2013.
Americans have always expected that as long as we aren't involved in any criminal activity, our phone records will be private. That faith was shaken in May.
AP records. On May 13, the Associated Press broke the story that the U.S. Department of Justice had secretly gathered from phone companies two months of the news service's phone records. The AP had become aware of this on May 10, when it received a letter from the Justice Department notifying it of the action. Just one week later, Snowden was on a plane from Hawaii to Hong Kong with a laptop full of NSA files he'd downloaded in previous years.
Verizon records. Snowden's timing for his first revelation seems designed to capitalize on the media frenzy. On June 6, as the AP controversy was still swirling in Washington, the U.S. online property of the British newspaper The Guardian broke the first Snowden story. Anonymously sourced, it claimed that an Obama administration-initiated court order on April 25, 2013, had forced Verizon to turn over to the U.S. government the daily telephone metadata of millions of its mostly American customers.
This was startling news to the American public -- for a while. Once it became clear that actual recordings of phone calls weren't being captured, the story lost its momentum. It needed something more.
Argument No. 2: The U.S. government could have all of Americans' digital records
Once outside the United States, Snowden had time to deliberately plan his next several steps of exposing his identity, meeting his journalist contacts and planting backup copies of his files. What he revealed next is still causing reverberations.
Prism and Silicon Valley. From June 6 through July 10, The Washington Post published a series of slides from an internal NSA PowerPoint presentation that it had obtained from Snowden. The slides described two programs, called Prism and Upstream, designed to harvest user data from Microsoft, Yahoo, Google, Facebook, AOL and Apple, beginning as early as September 2007. The point Snowden was trying to make was clear: The foreign-intelligence apparatus was spying not just on foreigners, but on Americans, and just about everything was fair game.
NSA encryption cracking. On Sept. 5, The New York Times and The Guardian newspapers and the civil-liberties group ProPublica published a joint story based on files provided by Snowden detailing a decade-long NSA anti-encryption program. Code-named Bullrun, the program reportedly bullied American security companies for their encryption keys, or otherwise cracked them, and influenced standards-setting bodies to build into their encryption standards vulnerabilities the NSA could later exploit. The revelations painted a picture of the NSA being able to crack any encrypted email, file, smartphone or Web session and gain access to encrypted databases at home and abroad.
If Snowden's case ended here, the political blowback would result in a few NSA programs being curtailed, but not the kind of changes worth risking the death penalty for. Snowden was after bigger game.
Argument No. 3: There are few checks and balances protecting Americans' privacy from the U.S. government
It wasn't enough for Snowden to prove that the U.S. government collects more information on Americans than they thought. Reporters would know that congressional intelligence-oversight committees and a special court are charged with making sure this type of collection is used for legitimate national-security purposes. So Snowden's next round of leaks sought to challenge that premise.
FISA court as paper tiger. On June 9, The Guardian published a video of Snowden making general statements that the NSA collects and stores all communications it can for later analysis. In a subsequent Q&A with the paper, Snowden alleged that NSA analysts routinely used Section 702 of the Foreign Intelligence Surveillance Act (FISA) to justify human reviews of Americans' records with limited oversight. The revelations compelled NSA Director James Clapper on July 2 to publicly apologize for misleading Congress in March, when he had categorically stated that the NSA does not wittingly capture data about Americans. In addition, on Aug. 23, the NSA released a statement admitting that overzealous employees and contractors had unintentionally violated Americans' privacy over the years, but never in contradiction to FISA or the Patriot Act.
DEA parallel construction. Snowden certainly hoped that civil liberties and privacy advocates as well as mainstream journalists would jump on the bandwagon he'd created and unearth their own stories about U.S. government surveillance activities. On Aug. 5, his hopes materialized. Reuters broke the story that the Special Operations Division of the U.S. Drug Enforcement Agency (DEA) maintains a billion-record database, called DICE, that comprises NSA intercepts, foreign and domestic wiretaps, and tips from informants. More importantly, the documents and interviews Reuters obtained described a daily practice of agents using this database to "parallel construct" a false chain of evidence to be submitted to American courts that protected the original sources of information. In so doing, defendants' right to a fair trial appeared to be undermined.
With this third line of argumentation under way, Snowden's case is painting a much broader picture of a government apparatus run amok.
Argument No. 4: The U.S. government is increasingly oppressive and deceptive
Snowden's staged disclosures have demonstrated a good understanding of the short attention span of the American public and correspondingly short American news cycle. The increasingly alarming nature of his leaked content has ensured fresh press coverage with each disclosure. An analysis of his disclosures reveals a shift in Snowden's arguments from how much the federal government collects to allegations of malicious intent on the part of the current administration.
The administration's crackdown on Snowden's asylum. From June 23 through July 24, attention shifted to Snowden's quest for asylum and the subsequent success of the Obama administration in pressuring all countries except Russia and Venezuela to deny Snowden asylum. Extraordinarily, even the normally neutral UN chief, Ban Ki-moon, criticized Snowden, saying the benefit of his revelations did not outweigh the harm that his precedent set. During this time, Amnesty International and Human Rights Watch arranged for Snowden, trapped at the Moscow airport, to release a statement through Wikileaks accepting Venezuela's offer of asylum.
The administration's crackdown on Snowden's accomplices. On Aug. 9, Ladar Levison, the founder of Lavabit, the provider of encrypted emails that Snowden had been using, ended operations rather than respond to a National Security Letter (NSL) compelling him to release information. Levison said that responding to the NSL would force him to "become complicit in crimes against the American people" and that "we are entering a time of state-sponsored intrusion into our privacy that we haven't seen since the McCarthy era." On Aug. 18, Scotland Yard detained David Miranda, Guardian reporter Glenn Greenwald's domestic partner, who had received the Snowden files. On Aug. 20, under pressure from the British government, The Guardian destroyed its remaining 50,000 Snowden files, but not before sending them to The New York Times.
Spoofing Google. On Sept. 10, technology blog TechDirt deduced from details in two previous stories about Snowden's NSA leaks that the agency had been posing as Google to perform "man in the middle" attacks against targets, putting the iconic brand of an American company at risk of public mistrust.
Argument No. 5: The U.S. government is spending billions on all of this
One of the more mundane points Snowden has made -- and a sign that his case is about to shift -- is that all of these intrusions into American digital life have cost American taxpayers a sizable chunk. On Aug. 30, The Washington Post published the U.S. government's "black budget," leaked to it by Snowden. The apparent motivation of the leak was to disclose the billion-dollar expenditures toward cybersecurity operations.
Why did Snowden include this less sensational file among his trove? I think he's making a case about proportionality, and he and his journalist proxies are about halfway through.
These first three months have been dedicated to exposing the scope of the surveillance programs. The next logical step would be for Snowden to make the case that these expenditures of dollars and losses of privacy and civil liberties haven't yielded any significant gains in security.
Only looking at what's been reported so far, here are my predictions for what's left in the remainder of the 50,000 files sitting on a few New York Times laptops:
Broader scale of collection. If general Internet traffic is being monitored, then what about online banking and medical records, or the GPS positions of cars and mobile phones? What about the vast network of private and public surveillance cameras? These are all areas Snowden hasn't addressed yet.
Innocent Americans harmed. Snowden's case so far is only hitting things at the program level. He hasn't yet shown how a single named American has been harmed. Without showing how any group of Americans, such as libertarians or Muslims, is being targeted, it's less likely an advocacy group will form to press for legislative reforms. This is why I think he's buried this card toward the bottom of the files.
No terrorist attacks averted. If another 9/11 has been prevented primarily because of these surveillance programs, Snowden's case is dead in the water. He'll lose at least half of the American public. The trump card he has left to play is if he somehow got his hands on an internal memo summarizing the successes and failures of these programs. He seems to be a smart-enough guy to know this is the ace to keep in the hole.
If Snowden's next leaks swerve in that direction, he'll be like a CISO confessing that the security program has received too much money and power and has locked things down too tightly. He'll have to beef up his case in any event if he ever wants to see Hawaii and his girlfriend again.
For their part, the journalists have the tough job of deciding which leaks not to run because their veracity can't be confirmed with other sources or because their value to the public would be less than the damage to legitimate national-security interests. The journalists also have the weighty responsibility of knowing which leaks they must report to help other Americans know when their freedoms are being infringed by the very government that is charged with assuring them.