As we approach the one year anniversary of the first set of Edward Snowden leaks, a reporter asked me what Americans have learned about the National Security Agency. My first take at answering that question is to reframe it slightly. Americans might think they know a lot about the NSA now, but the difference between what the public thinks it knows, and what it should know, based on the disclosures, is rather large.
1. The appetite for domestic collection increased significantly after Sept. 11, both as a a cause of and a response to the Big Bang-like expansion of the national security state. The NSA expanded the reach and scope of its domestic collection activities as the the domestic threat exceeded. (I define domestic collection differently; it's the set of programs and analytical policies that touch a large volume of American-to-American communications in some way without individual FISA orders having been obtained.) This includes the so-called business records FISA collection of telephone metadata, and the program, from roughly 2006 to 2009, that collected Internet metadata, known as PR/TT FISA.
Sometimes, we associate FISA orders with individuals. We shouldn't. From an NSA classification guide:
2.4. (TSIISIIINF) The fact that NSA seeks or obtains FISA authority against an international organization inside the U.S., with or without identification of specific communications entities.
2.5. (TSIISIIINF) The fact that NSA seeks or obtains FISA authority against an international organization that includes 2nd Party governments, with or without identification of specific foreign target entities or locations.
(TS/SI/NF) The fact that NSA seeks or obtains FISA authority against financial or commercial organizations, with or without identification of specific target entities or locations.
2.8. (TSIISI/INF) The fact that NSA seeks or obtains FISA authority against an agent of a foreign power in the U.S., with or without specific foreign target entity locations.
2. For the purpose of obtaining foreign intelligence, the NSA's ability to tap and sift foreign communications that transit through the United States has been invaluable. Invaluable — and hard to get right. In an ideal world, the NSA could figure out how to segregate wholly international communications from those that contain domestic or "U.S. persons" content. In the real world, the NSA found this to be impossible. Many U.S. persons communications were diverted by the NSA's filtering servers, deliberately. Advertently. That is, when the NSA discovered it could not master the technology to comply with U.S. law, the agency chose to err on the side of over-collection. It dutifully reported its own breaches to the FISA court, which gradually became more and more frustrated with the NSA's inability to be humble about the implications of its overcollection. (Sure, we can fix it. Uh, turns out we can't. But we need the intel, so, give us a waiver.). I refer here to the PRISM program, which operates in direct conjunction with content providers, as well as to the so-called passive "upstream" collection directly from cables. For a good breakdown of the NSA's operations under Section 702 of the FISA Amendments Act, go here.
3. These programs and their corollaries, when applied to international terror cells, have been phenomenally successful. At best, the bulk collection of telephone records and the willful collection of bundled domestic communications under the transit authority have been marginally useful.
4. The NSA tried, and failed, to own the internet. Routinely, its engineers overestimated their own capacity to adapt technology to the law. Slowly, the near-visceral fear about working with domestic communications eroded. The mishmash of different laws, technologies, and programs evolved into something greater than the sum of its parts. The NSA could not control the NSA's activities because it does not understand exactly what it was doing. Call it the first emergent intelligence agency.
5. Gradually, as the result of pushback from the FISA court and public disclosures, as well as its own efforts to comply with the evolving spirit of the laws that govern it, the NSA is getting better at getting it right. There is no evidence that the NSA used its powers or retained data to spy on American citizens or otherwise interfere with their freedom. Whether the FBI used NSA product to harass American citizens is not covered by the scope of the Snowden documents revealed so far.
6. The NSA looked for vulnerabilities in encryption technologies and protocols, including SSL and HTTPS, and in some cases attempted to seed their own back doors in order to be able to foil them.
7. Content providers and telephone companies were eager to comply with the NSA's "asks." The relationships between the NSA and these companies are long-standing and mutually productive, but they rely on mutual deniability. Now that the public can evaluate these relationships, the companies are rethinking the marriages.
8. Under the umbrella of its $652 million GENIE project, the NSA "has placed 'covert implants,' sophisticated malware transmitted from far away, in computers, routers and firewalls on tens of thousands of machines every year, with plans to expand those numbers into the millions." It has successfully married traditional SIGINT and cyber SIGINT. (For more, see the TURBULENCE, TURBINE, and TUELAGE.)
9. The NSA is skeptical about the prospects for building a workable quantum computer.
10. Very few people inside the executive office of the president ever took the time to way the political ramifications of certain operations, which suggests that they had very little cognizance of what the NSA was doing, or what SIGINT collection after 9/11 entailed.