02 September 2019

The US National Security Agency, in check by the Inspector General

Liviu Ioniţă

There are significant risks that data collected through SIGINT (SIGnal INTelligence) could be non-compliant with legal requirements. This is one of the conclusions of the unclassified version of the quarterly report published, recently, by the US Office of the Inspector General, following verifications by the control and supervisory institution at the National Security Agency (NSA).

Image source: Mediafax

Surveillance of the NSA, a process made with vigilance and wisdom

The institution of the inspector general, created in 1777 for the US army, was later taken over by several government structures, and essentially had responsibilities in making inspections, audits, investigations, special inquiries, analyses referring to the programs and operations of departments over which it exerts its supervision and control.

The NSA instated the Office of the Inspector General (OIG) in 1961, and since it became a federal entity in 1996, a person from outside the agency was appointed to lead the office for the first time.

Significant changes were made last year, however, after the appointment of Robert P. Storch, a former federal prosecutor and inspector general in the Department of Justice, to lead the office. Previously, the NSA director was the one who hired and released the inspector general from office. Robert P. Storch is the first inspector nominated by a president (Barack Obama) and confirmed by the Senate.

In July last year, Storch issued an unclassified version of the half-yearly report containing the containing the conclusions of verifications made within the agency, which, also, had not been done before. A short time after, details on the rights and protections granted to whistleblowers were published on the OIG’s new independent public website.

It was a breath of fresh air, as claims Nick Schwellenbach, director of investigation at the Project on Government Oversight, a Washington-based non-profit organization investigating possible frauds, abuses, conflict of interest in the US government. A necessary change in the NSA culture on whistleblowing, as fear of reprisals remains a nightmare for security workers, of those people who bring to the public’s or authorities’ attention immoral or illegal activities.

Robert P. Storch insisted to make the change public by also replacing the OIG emblem, previously the same with the NSA, with another which should symbolize the bureau’s values: supervision, integrity, transparency and, especially, independence from the NSA. Because, in Storch’s opinion, symbols matter, they show the sense, in this case the owl on the OIG emblem suggesting that vigilance and wisdom are necessary when it comes to the agency’s combined missions, especially in the SIGINT and cybersecurity fields. Where the report found that there were no serious problems or abuses in NSA programs or operations, but significant risks.

A law which allows borderline control of communications surveillance

The Office of the Inspector General handled the assessment of how NSA respected requirements regarding data collected through SIGINT in accordance with Executive Order 12333 on the US’ information activities and with the FISA Amendments Act of 2008 (FAA).

Executive Order 12333, issued by Ronald Reagan in 1981, defines how the electronic surveillance performed by the NSA abroad is done. In contrast to the surveillance carried out by the intelligence agency internally (regulated by the FAA’s section 702), foreign supervision is not the object of a judicial verification, and the one exerted by Congress is limited. The order forbids individual surveillance, but allows for collecting mass data. For example, the NSA can collect and store all phone calls towards and from the Bahamas for 30 days.

The FAA is a Congress bill which modifies the Foreign Intelligence Surveillance Act and was used as a legal basis for the programs used by the agency and unveiled by Edward Snowden in 2013, including PRISM.

The bill’s 702 section allows the collection of information from non-US citizens outside the country. As the bill is made, in conformity with section 702, the US Government can carry out without a warrant the mass surveillance of phone calls, text messages, e-mail messages and other alternative electronic communication means. Although the section can be justified as an instrument to fight terrorism, it actually allows for extended surveillance, and the information can be used to investigate and restrict the freedom of individuals even for offences which have nothing to do with national security.

FAA was adopted in 2008 and eliminated the request set for the government in 1978, to obtain a warrant from FISA when it tries to intercept communications between a foreign target and a US citizen who resides in the country. Although the target must be a non-American abroad, it is considered that 702 surveillance can lead to the incidental collection of millions of US communications. Intelligence agencies make widespread use of these procedures, despite the fact that section 702 asks them to minimize the keeping and sharing of information regarding US citizens.

The Congress is obliged to renew section 702 every several years. It was last renewed in 2018 and will expire in 20203. The latest revision approves almost all unguaranteed searches in databases which have information on US citizens, and allows a type of surveillance considered invasive, which the NSA theoretically ended in 2017 after criticism from FISA.

Serious criticism of the NSA

The OIG assessment for October 2018 – March 2019 shows significant risks created by not respecting legal provisions to keep SIGINT data, which, according to the report, means that the identified deficiencies have a potential to impact civil liberties and private life.

The OIG considers that the NSA does not have the necessary control of the system which allows anti-terrorism programs to target certain individuals outside the US in legal conditions. This requires establishing new means to interrogate the collected data. The agency estimates that it will develop a prototype and establish a control system to pre-interrogate stored data until December 2020.

Until this system is applied, the agency will be exposed to the risk of making queries which do not conform with the authority it has, exactly what was criticized at the time of Snowden’s reveals in 2013.

With this analysis, the OIG also criticized the NSA’s security plans, considered to be frequently inexact or uncomplete, with data centres and equipment rooms not protected accordingly. It seems that the effort requested to the agency for better monitoring of software and hardware purchases by its contractors is still without result. A previous OIG report on the NSA’s compliance with the 2014 Federal Information Security Modernization Act already observed fundamental technological deficiencies, and process deficiencies which would make the agency unable to totally determine the risk of unauthorized use of software licenses.

The assessment was published in an uncomfortable moment for the NSA. The US media recently showed documents according to which the agency has collected a significant quantity of information from US citizen communications in October 2018.

It remains to be seen if Storch’s owl will be able not only to supervise the agency’s vulture efficiently, but also generate those real surveillance policy changes in the intelligence community, which was the “beneficiary” of serious public criticism in the past couple of years.

Or if it will impose a legal framework for carrying out NSA missions.

And all this while the leader in the White House was pondering whether to abolish (or cut the attributions or responsibilities) of the office of community director, considered… bureaucratic.

Translated by Ionut Preda