Why Wasn't the NSA Prepared?

In the coming weeks, Congress and the civilian defense leadership will have to ask a lot of questions about the National Security Agency's surveillance programs, and how to reconcile them with privacy concerns. But they will also have to ask a more basic set of questions: Why on earth wasn't the NSA prepared for this? Why didn't the intelligence agency's leadership have a plan to deal with the global outcry that would follow the leak of classified Internet surveillance programs?

Contingency planning is a critical part of every military operation, and is even more important for secret or covert activities. The Central Intelligence Agency and Special Forces Command examined every possible thing that could go wrong on the raid to kill Osama bin Laden, for example, and had clear plans to deal with any ensuing fallout. Although it has an intelligence mandate, the NSA is a Defense Department organization, and the director of NSA is a 4-star general. As such, it is troubling that the NSA appears to have no plan in place for how to respond once its spying program was made public and plastered on the front pages around the world. Instead, the best defense General Alexander could offer a room full of security professionals at the Black Hat convention, almost two months after the leak, was an explanation of FISA courts and the successful prosecution of a San Diego cab driver who sent money to a Somali militia.

The NSA leadership had ample warning signs that leaks were possible, and that public reaction in the U.S. and around the world would be overwhelmingly negative. In 2003, Congress shut down Admiral Poindexter's 'Total Information Awareness' program after concerns that building massive databases of electronic transactions generated too many privacy concerns to justify the anti-terror benefits. After Bradley Manning turned over classified State Department and Defense Department data to Wikileaks, the entire security establishment should have been on notice that sensitive programs could be disclosed.

The warning signs about fallout from the NSA Internet surveillance were even clearer: Senators Ron Wyden and Mark Udall publicly raised concerns about the program as far back as 2011, and directly communicated their worries to General Alexander in 2012. Yet leaders in the signals intelligence community appear to have paid little attention to how disclosure of these programs might impact anything other than U.S. intelligence efforts.

The disclosures have caused quite a bit of trouble. Our relationships with our allies have been tested, as global anger following the initial reports demanded a political response. Other priorities of the administration have been put at risk, from critical trade bills about digital goods, to American leadership in securing an open Internet free of government control and interference.

But perhaps the greatest fallout may come from the NSA's failure to safeguard the trust and reputation of American technology companies.

A 2009 Inspector General report details how NSA leadership understood concerns of private companies about legal liability, but what about the broader reputational risk?

When initial reports of the PRISM program asserted that there were backdoors and direct data access in some of the most important tech companies in the world, the firms' awkward denials were justifiably met with skepticism. They couldn't fully deny the charges without disclosing certain classified details, and the only affirmative statements they could make had to be cleared with the government first, which ultimately led to all of the companies issuing statements that included curiously similar phrasing, further fueling paranoia. By the time the record was corrected, over a week later, the damage had been done. Even if the surveillance programs are legally constrained and ostensibly target only a small number of suspects, the companies are perceived as being complicit in a massive, American government dragnet.

This mistrust of these companies is particularly damaging to the cloud computing services, a sector led by American firms like Microsoft, Google and Amazon. Many countries have talked about limiting use of American firms, or requiring data be kept locally, dramatically raising the cost of trade, and potentially locking many U.S. companies out of lucrative foreign markets. More generally, the complicity of American firms in safeguarding America has raised suspicions about all American firms.

The process of building a contingency plan would have made these concerns and risks explicit to leaders within the NSA. While we can't know how they would have reacted, contingency planning brings in the perspectives of those affected outside the immediate operation and thus supports more comprehensive policy. At the very least, it would have meant a ready plan sitting in a drawer for a faster and more thorough reaction by senior officials to support our companies and allies by correcting the record. Ideally, this planning might also have forced planners to question the value of certain types of surveillance relative to the costs to national interests.

That the leaders failed to prepare would be worrisome enough if the NSA's leadership team was only responsible for signals intelligence. But General Alexander also heads Cyber Command, the new 4000-strong military force responsible for protecting military networks, and attacking the networks of others, the most advanced cyber force in the world. (US cyber capabilities, incidentally, also require cooperation of private firms.) Decisions made about cybersecurity operations will have massive repercussions not only for our immediate defense interests, but the how we and other countries treat cyberspace. If we are seen as being careless, or overly aggressive, it could undermine American technical leadership, harm vital economic interests, and destabilize this new domain.

The solution, for both the immediate NSA context and the longer term concerns about Cyber Command, is to take advantage of the process of contingency planning. Rather than simply having lawyers explore the legal ramifications, contingency planning incorporates some of the adversarial approaches already common to war-gaming and other military planning procedures. Instead of focusing on the tactical alternatives, however, contingency planning in the cyber world involves bringing in voices from other aspects of the president's agenda, including the Departments of State, Commerce, and the United States Trade Representative, to understand the consequences of the disclosure of classified operations. Incorporating these voices into the planning stage avoids the trap of a program approval by the Congress and the White House framed as a choice between security and our other national interests.

Rather than the time-intensive and bureaucratic model of shopping proposed policies around a host of government agencies, it would be far more efficient to bring relevant concerns directly to the attention of NSA leadership under the framework of operational planning, before things end up on the president's desk or the front page.

The leadership of the NSA and Cyber Command will still depend on secrecy, but they cannot simply assume that their operational security will be sufficient. (Edward Snowden has surely shown that much, at least.) They must demonstrate that they can take into account more than just short-term intelligence collection priorities, and can consider the broader political, diplomatic and economic ramifications of their actions.

If they can't, Congress must demand much stronger and more fine-grained oversight of one of the most important aspects of our intelligence and defense establishment