`With Edward Snowden on the run in Russia and reportedly threatening to unveil the entire “blueprint” for National Security Agency surveillance, there’s probably as much terror in Silicon Valley as in Washington about what he might expose. The reaction so far from private industry about the part it has played in helping the government spy on Americans has ranged from outraged denial to total silence. Facebook’s Mark Zuckerberg, he of the teen-nerd hoodie, said he’d never even heard of the kind of data-mining that the NSA leaker described—then fell quiet. Google cofounder Larry Page declared almost exactly the same thing; then he shut up, too. Especially for the libertarian geniuses of Silicon Valley, who take pride in their distance (both physically and philosophically) from Washington, the image-curdling idea that they might be secretly in bed with government spooks induced an even greater reluctance to talk, perhaps, than the Foreign Intelligence Surveillance Act, which conveniently forbids executives from revealing government requests for information.
But the sounds of silence from the tech and telecom sectors are drowning out a larger truth, one that some of Snowden’s documents might well supply in much greater detail. For nearly 20 years, many of these companies—indeed most of America’s biggest corporate sectors, from energy to finance to telecom to computers—have been doing the intelligence community’s bidding, as America’s spy and homeland-security agencies have bored their way into the nation’s privately run digital and electronic infrastructure. Sometimes this has happened after initial resistance, and occasionally under penalty of law, but more often with willing and even eager cooperation. Indeed, the private tech sector effectively built the NSA’s surveillance system, and got rich doing it.
Books have been written about President Eisenhower’s famous farewell warning in 1961 about the “military-industrial complex,” and what he described as its “unwarranted influence.” But an even greater leviathan today, one that the public knows little about, is the “intelligence-industrial complex.”
The saga of the private sector’s involvement in the NSA’s scheme for permanent mass surveillance is long, complex, and sometimes contentious. Often, in ways that appeared to apply indirect pressure on industry, the NSA has demanded, and received, approval authority—veto power, basically—over telecom mergers and the lifting of export controls on software. The tech industry, in more than a decade of working-group meetings, has hashed out an understanding with the intelligence community over greater NSA access to their systems, including the nation’s major servers (although it is not yet clear to what degree the agency had direct access). “I never saw [the NSA] come and say, ‘We’ll do this if you do that,’ ” says Rebecca Gould, the former vice president for public policy at Dell. “But the National Security Agency always reached out to companies, bringing them in. There are working groups going on as we speak.”
Indeed, the cooperation was usually “voluntary” in large part because companies couldn’t afford to seem uncooperative, says another private-sector official who would speak about classified issues only on condition of anonymity. “The ways that pressure works in Washington are very subtle,” he says. “No one’s getting bribed, or punished outright. But it’s the good little Indian that gets rewarded. And these companies needed the goodwill of the NSA and other agencies.”
Jeffrey Smith, a former general counsel at the CIA, says, “Generally as the IT community matured in this country, a number of things happened. They all opened Washington offices … and they came to an understanding, after some initial arrogance, that they needed to deal with the government.” The companies also came to understand that, in a very real way, they were now part of the nation’s infrastructure, and they would need plenty of help from the government in securing it.
So for the tech and telecommunications industries, the relationship has always been a delicate balance of patriotism and public image, and a public-relations tightrope walk between getting along and appearing not to bend to the NSA’s demands. “They have been, on the whole, cooperative,” says Greg Garcia, who served as the Homeland Security Department’s first Internet czar under President George W. Bush. “But at the same time, they are wary of being seen as instruments of the government.”
That wariness continues. The tech companies appear to understand that by keeping the whole process of cooperation supersecret, they have jeopardized their reputations, and possibly violated the law. After the first stories about the NSA’s “Prism” Internet surveillance program came out in The Guardian and The Washington Post in June, identifying some of the most recognizable names in American corporate culture—Apple, Microsoft, Google, Facebook, Yahoo, and AOL, among others—as having negotiated arrangements with government surveillance agencies, executives at some of these tech companies expressed surprise at the extent of the program. But on July 18, these same companies—among many others, including Reddit, Twitter, and Tumblr—sent a letter to President Obama and senior intelligence and oversight officials in the executive branch and Congress asking permission to make public the number of government requests for information about their users, as well as the number of individuals, accounts, or devices for which information is requested.
Company officials are also appealing to the Foreign Intelligence Surveillance Court to let them tell their side of the tale. In some cases, they want to show they were ultracautious about what they let the government see. Yahoo, for example, is asking a judge to declassify information about Prism from a 2008 case, in which the company challenged the NSA’s surveillance proposals but was overruled by the FISA court.
One of the more recent reports from The Guardian, which has had unique access to NSA documents because of the personal relationship between its correspondent Glenn Greenwald and Snowden, said Microsoft “has collaborated closely with U.S. intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption.” The documents show, among other things, that Microsoft effectively helped the NSA bypass the company’s own security features so the agency would be better able to intercept Web chats on the new Outlook.com portal.
In an interview with National Journal, former NSA Director Michael Hayden indirectly confirmed Microsoft’s involvement. “This is a home game for us,” Hayden says. “Are we not going to take advantage that so much of it goes through Redmond, Washington? Why would we not turn the most powerful telecommunications and computing management structure on the planet to our use?”
Most of this co-opting of the private sector has happened with the full-throated support of both Republicans and Democrats in Congress, again behind closed doors. Today, Hayden says, the agency itself is all but indistinguishable from the private sector it has exploited. Its best technology is designed by the private sector—“There isn’t a phone or computer at Fort Meade that the government owns,” he says—and its surveillance systems are virtually interwoven with their products. The huge controversy over Snowden’s employment by one of these private contractors, Booz Allen Hamilton, was just the barest tip of the iceberg, according to intelligence and industry officials. One by one, Hayden says, the NSA contracted with companies to “make them part of our team,” as he puts it.
Among these contributing companies reportedly is Palantir Technologies, the Palo Alto, Calif., company that The New York Times and other news outlets have identified as a close associate of the NSA. Another is Eagle Alliance, a joint venture of Computer Sciences and Northrop Grumman that runs the NSA’s IT program and describes itself on its website as “the Intelligence Community’s premier Information Technology Managed Services provider.” Because of these close relationships, no door revolves more quickly in Washington than the one between these companies and the intelligence community. Booz Allen’s current vice chairman, Mike McConnell, was director of national intelligence in the George W. Bush administration and, before that, director of the NSA. The current director of national intelligence, James Clapper, is also a former Booz Allen executive.
A LONG HISTORY
The origins of the intelligence-industrial complex date back to World War II and a program called Shamrock, under which the NSA came to an agreement with ITT and other companies to collect outgoing telegrams and international cables. That secret program was exposed in the 1970s, in an earlier incarnation of the current scandal, and helped lead to the famous Church-Pike congressional hearings on intelligence abuses (which in turn led to the FISA law).
But the latest chapter in the saga, involving Silicon Valley, begins in the immediate aftermath of the Cold War, when Hayden and other senior NSA officials, including his predecessor, Ken Minihan, were in a state of near-panic. Not only had the Soviet Union—the chief object of the NSA’s spying, and its raison d’etre—disappeared from the map, but now the agency also realized that the main threat was going to be “super-empowered” individuals—terrorists—who might be talking on cell phones or computers anywhere on earth. Above all, these new bad guys were using private technology, rather than the sort of intra-government communications systems that the NSA used to monitor in the Soviet Union or China. Not by coincidence, during the Cold War, the NSA often had the biggest hand in designing its own detection equipment. “We were America’s Information Age enterprise during America’s Industrial Age. We had the habit of saying, ‘If we need it, we’re going to have to build it,’ ” Hayden says. “But in the outside world, there was a technological explosion in the two universes that had been at the birth of the agency almost uniquely ours: telecommunications and computers. The Internet began as a combination of those two—you could probably draw a good history as to what we did to create the American computing industry back in the ’50s.”
Yet once that computing industry took off in Silicon Valley, to be followed by the rise of Internet technology and “smart” phones, the NSA found itself left further and further behind, never to catch up. In a period of a decade or so, Hayden said, the agency went “from chasing the telecommunications structure of a slow-moving, technologically inferior, resource-poor nation-state—and we could do that pretty well—to chasing a communications structure in which an al-Qaida member can go into a storefront in Istanbul and buy for $100 a communications device that is absolutely cutting-edge.” And he could then contact other terrorists in every country, particularly in the United States.
The NSA’s early response was to try to barge its way back into the domestic-surveillance business with devices such as the “Clipper” chip, an encryption tool developed by the agency that it wanted telecommunications companies to adopt. Consumer-protection and computer-privacy groups howled in protest, and industry resisted the government telling it how to manage its technology. The idea was dropped after a few years in 1996.
Then, in the late 1990s, a furor erupted over export controls on software encryption. The NSA sought to bar exports of the best encryption technology, fearing what would happen if enemies got hold of it. As it had done with the Clipper chip, Silicon Valley countered that by holding the tech sector back, the government was hurting U.S. national security. It argued that the U.S. would fall far behind other nations in a critical industry unless those controls were lifted.
After months of battles, a quiet quid pro quo was struck, according to a former senior intelligence official: We’ll let you export first-rank encryption, the government said, but we want to get a first look at what you’re developing and a back door into it. A Clipper chip wasn’t needed, after all, if the government was going to get access to servers and telecom data. “The way the encryption deal was worked out was that, in the end, controls were liberalized in various stages, in 1997, ’98, and ’99, and all of the liberalizations had a single bottom line: All products had to be reviewed by the NSA,” says William Reinsch, who was undersecretary of Commerce during a critical period in the 1990s when the NSA was undergoing a dramatic decline from the chief innovator of America’s spying technologies, and instead finding itself falling behind Silicon Valley and the telecom industry. “That review meant [NSA] got to look at them.… It was a source of considerable irritation to companies—not the basic fact of it but that NSA wanted to continue to do it for every product.
The NSA came to understand that it was better for them if the world was fully populated with technologies that they knew and understood.” Especially if the agency had the consent of industry to penetrate those technologies. If industry refused, the NSA had the unique ability to both reward and punish, thanks to its implicit veto power over deals and exports, Reinsch says. Though the public didn’t know it, the agency also became a major presence when the nation’s telecom industry went through a revolution, moving from the Bell system to a flurry of start-ups and a blizzard of mergers. “The NSA’s ability to access [telecommunications data] became a factor in all those telecom acquisitions,” Reinsch says. It and other intelligence agencies “weighed in and said we want to review this transaction. We want to say no if we think it’s a bad idea.” The NSA rarely exercised that right, but its leverage was useful in co-opting the tech and telecom sectors into its plans.
Smith, the former CIA counsel, says there is a “direct lineage” between that era and today’s secret Silicon Valley-aided surveillance programs. He adds that those early disputes led to the “maturing” of Silicon Valley hotshots who once looked down on government cooperation but then came to realize that they were major players with a responsibility for helping in national security affairs. “It was an understanding that they need to take their place at the table,” he said.
Even so, the NSA fumbled its relationship with private technology early on. The most notorious example was the $1.2 billion “Trailblazer” program developed in the early-to-mid-2000s by SAIC and other companies, which led to the attempted prosecution of another whistle-blower, an NSA career employee, who sought to expose the program as a wasteful failure. “One of the things we tried to do with Trailblazer was to hire out a solution to our problems,” Hayden says now. “It was kind of a moon shot.” Afterward, Hayden says, “we began to do this in increments,” still using the private sector. “It’s the companies responding to your requests.... You look for a Palantir, and you make them part of our team. It was always the same objective; our phrase was ‘V cubed’: volume, variety, velocity.”
After 9/11 especially, when the NSA was fiercely criticized in a 2002 joint report of the Senate and House Intelligence committees for its “failure to address modern communications technology aggressively” and its “cautious approach” to domestic intel-gathering, the process of courting the private sector really took off, and government-industry cooperation boomed. This is documented in a series of lobbying efforts in 2002, when a group of the top trade associations in America covering everything from chemicals to financial services urged the support of “legislation to ensure that the private sector can voluntarily share critical infrastructure threat and vulnerability information” with the intelligence community and DHS.
This often happened under the benign rubric of protecting America’s “infrastructure,” and in a post-9/11 atmosphere of patriotic cooperation. In November 2002, as part of the creation of the Homeland Security Department, Congress passed legislation to “promote the voluntary sharing of cybersecurity information between the private sector and government,” as Bruce Heiman, then the head of Americans for Computer Privacy, described it at the time in a letter. Another letter sent to every senator on July 22, 2002, by these same industry groups described how much help the government needed. “Nearly 90 percent of the nation’s critical infrastructure—physical and computer networks for production and delivery of energy, food, water, telecommunications, financial services, health care, chemicals, and other raw materials, essential products and services—are owned and controlled by the private sector,” the letter said. “The new Department of Homeland Security and other agencies obviously need to know more about these facilities in order to evaluate threats and vulnerabilities, and take necessary actions. Thousands of companies want to help in this effort by sharing critical infrastructure threat and vulnerability information with the government.”
The signers included the American Chemistry Council, the American Gas Association, the American Petroleum Institute, the American Society for Industrial Security, the Business Software Alliance, the Edison Electric Institute, the Financial Services Roundtable, the Information Technology Association of America, the Internet Security Alliance, the Interstate Natural Gas Association of America, the National Association of Manufacturers, and the U.S. Chamber of Commerce.
Critically, the companies involved in such “incremental” cooperation often sought, in legislation, exemptions from the Freedom of Information Act for cybersecurity information shared with the government, so they would not have to reveal the extent of their cooperation and would be protected from liability. And they, of course, had their own worries about being the targets of terrorism. They needed the government as much as it needed them.
These moral issues—the balance that the intel community has tried to strike between surveillance needs and privacy concerns—have never been resolved, as illustrated by the intense public debate over whether Snowden is a whistle-blower or a traitor. “There were no privacy concerns in intercepting German communications to their submarines, or Russian microwave transmissions to missile bases,” Hayden notes. “But I told Congress in 2002 that now all the data you want to go for is coexisting with your stuff. And the only way NSA succeeds is to get enough power to be able to reach that new data but with enough trust to know enough not to grab your stuff even though it’s whizzing right by.”
Based on polls, most Americans are willing to offer up that trust—or at least don’t much care. And despite the furor over the Snowden revelations, with some in Congress threatening to revoke parts of the FISA law, there was little dissent by anyone involved in developing the system, whether industry or Congress, especially after 9/11. The fast-spinning door between the NSA and industry reflects that. After all its false starts, the NSA transformed itself from a dying Cold War-era dinosaur into the eyes and ears of the “surveillance state” largely by drafting private-sector companies with far more technical know-how.
Still, many of the toughest legal and ethical issues are unresolved. Companies still feel vulnerable to exposure because of FOIA or subject to expensive lawsuits because of their cooperation. (A number of lawsuits have already been filed by groups ranging from the left-of center American Civil Liberties Union to the right-wing Freedom Watch.) “The companies have got to operate in their shareholders’ interest. Disclosing information to government opens you up to a lot of different vulnerabilities,” says former Rep. Tom Davis, R-Va. “But the laws were written for a different time and era.… You had different technologies and strategies than you have today.”
And when the Bush administration sought to go around FISA altogether and undertake warrantless surveillance in the early 2000s, some corporations began to get very nervous. One telecom company, U.S. West, even refused to comply, arguing that it needed legal immunity if it was going to cooperate. That was provided in an amended FISA law in 2008. Former Rep. Jane Harman, D-Calif., who worked in the Carter White House when FISA was first enacted in 1978, describes the long process by which the original law grew more and more obsolete as information moved faster and was more dispersed in the age of terrorism. At the time she was rising to become ranking member on the House Intelligence Committee. “Back in the old days, Congress used to review FISA applications,” she says, but gigabytes of data flowing on servers made that almost impossible.
Some intelligence experts believe one of the biggest problems about the extent of the government-industry surveillance program is that both government and industry have tried to keep it all secret for too long, rather than just being frank with the public about America’s national security needs. “It might have been better if they’d shown a little ankle,” says a former senior CIA official. Adds Harman, “I think the FISA opinions should be declassified to the extent they don’t compromise sources and methods, and Congress should have a robust debate about whether the law and the way it works is too broad.”
But the debate will almost certainly change little about the intelligence-industrial complex. The government has little choice but to continue enlisting industry cooperation in surveillance. That’s because the dispersed nature of the threat remains largely the same, and, notwithstanding the image of a Big Brother-like NSA, the agency has still not caught up in data collection. “We’re so analyst-poor in the nation in general that much of the data just sits there and nobody looks at it. There are massive gaps in our ability to actually analyze data,” a former top NSA official says. Despite the aggressive and largely successful assault on “core al-Qaida” overseas, the Boston Marathon bombings in April demonstrated that the NSA can still miss a threat next door on any given day. “The end game here is that power has concentrated in the hands of a few people because of technology, and some people can do some pretty horrific things on their own, whether explosive devices, or chemicals, or biological agents,” says the former official. “Who knows what it is? Everybody’s walking around with these devastating weapons. How are you going to stop that? In the long term, there are going to be so many of these threats out there—crazies with enormous power in their hands.”
John Arquilla, an intelligence expert at the Naval Postgraduate School, agrees that if the government is to keep up with unknown threats, it really has no choice but to undertake a permanent mass-surveillance program deploying the systems and technology of the private sector. “I think there’s a realization that we’re in a constant race between using big data to disrupt the terrorist networks before they become truly lethally armed, and terrorists with chemicals, bugs, or some kind of traditional capability,” he says. Or as Hayden puts it, “If we weren’t doing this, there would be holy hell to raise.”