Response To "Liberty and Security in A Changing World": 12 December 2013

The document summarizes comments responding to 46 recommendations for reforming NSA surveillance programs. It disagrees with most of the recommendations, arguing they place unnecessary obstacles on law enforcement and intelligence agencies. It asserts multiple cleared individuals within these agencies would self-correct any illegal activities, and that judicial oversight and security screening are already sufficient. The comments state private companies cannot be trusted more than the government with data and that intelligence agencies should not be limited in data collection and analysis if it serves an important government interest like national security.


TECHNIDIGM COMMENTS ON the 46 NSA Recommendations Response to LIBERTY AND SECURITY IN A CHANGING WORLD 12 December 2013 Recommendations Recommendation

1 We recommend that section 215 should be amended to authorize the Foreign Intelligence Surveillance Court to issue a section 215 order compelling a third party to disclose otherwise private information about particular individuals only if: (1) it finds that the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect against international terrorism or clandestine intelligence activities and (2) like a subpoena, the order is reasonable in focus, scope, and breadth. Comment 1: This recommendation puts unnecessary and damaging obstacles in the paths of law enforcement officials, who have previously met comprehensive criteria under the Patriots Act (Section 215). It contains ambiguous language (relevant to an authorized investigation) since the purpose of seeking a FISC order is indeed to obtain authorization. The language invokes private information terminology in reference to such things as phone call metadata that average (and even most or all) people would gladly share with law enforcement if asked. There are already extraordinary steps in place to constrain law enforcement to respect and pursue diligently the objectives of this recommendation. One need only read redacted, formerly highly classified records such as at http://www.uscourts.gov/uscourts/courts/fisc/br13-09-primary-order.pdf to make this case on behalf of the FBI and the initiating intelligence community research. The court would naturally ensure adequate focus, scope, and breadth in proposed activities being authorized by the court. Indeed, all persons involved with such authorizations have already been security screened to the highest standards possible in the United States since they are all accessing Top Secret information. 
It is an incredible position to believe that two or more cleared individuals would take false or mistaken steps toward obtaining and receiving such court orders repeatedly and not self correct any individuals acting contrary to the Constitution of the United States or contrary to law and order of the highest standards. Out of hundreds of thousands of cleared personnel, only a handful of INDIVIDUALS have been found to be untrustworthy and have invariably acted alone. Those knowledgeable regarding highly classified activities are well aware of the effectiveness of self-corrections when two or more such cleared persons are aware and involved with classified activities. Collusion of two or more people to perform contrary or illegal acts occurs mostly in political environments and not in law enforcement or national security environments. This recommendation is

unwarranted. Recommendation 2 We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that: (1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect against international terrorism or clandestine intelligence activities and (2) like a subpoena, the order is reasonable in focus, scope, and breadth. Comment 2: It is not appropriate for the Executive Branch to issue unilaterally constraints on citizens or on corporate entities if not constituted in law or the Constitution itself. If Congress passes a law, the Executive Branch is obligated to implement the law within the law as written, no more and not less, subject to Judicial confirmation as to the intent of Congress, should there be any doubt. It is curious as to how the letter would be worded and who would sign the letter, much less how it would be enforced if not already within lawful or current legal practices. Thus, the recommendation is valid or worthy relative to the rights of citizens, even if vaguely written. Use of the terminology the government is inexact since it is not clear which branch of government is to have reasonable grounds and what / who determines reasonable under various scenarios, especially if duplicative or redundant. NSLs in themselves are potential overreaches if they can be composed within the context or authority of only one branch of the Federal Government and if the issuance of one letter judicially determined to be reasonable would logically make the next similar application reasonable by precedent. 
Congress should simply pass a law that requires citizen/corporate cooperation with national security related data collections and lay out the context, principles, and objectives that pertain, as well as authorize payments and penalties that might apply to its enforcement or facilitation. The report recommendation is unwarranted. Recommendation 3 We recommend that all statutes authorizing the use of National Security Letters should be amended to require the use of the same oversight, minimization, retention, and dissemination standards that currently govern the use of section 215 orders. Comment 3: This recommendation purports to encourage uniformity among processes and standards (criteria?) but includes minimization as if it were a virtue, retention as if it were in need of uniformity, and dissemination as if such can be standardized and thus result in something good or better than previous practices. If Congress wants to pass a law and provide funds needed to pursue a one-size-fits-all approach, there may

be some accidental benefits here, even if some might be expensive to implement relative to the value returned. One might simply seek to apply reasonable terminology here rather than use same terminology. This recommendation is unwarranted. Recommendation 4 We recommend that, as a general rule, and without senior policy review, the government should not be permitted to collect and store all mass, undigested, nonpublic personal information about individuals to enable future queries and data-mining for foreign intelligence purposes. Any program involving government collection or storage of such data must be narrowly tailored to serve an important government interest. Comment 4: This recommendation seeks to limit data collection in the raw but not digested data (I suppose digested/processed data could be kept). If we are talking about telephone records in the form of simple meta data rather than content, it is hard to equate that with personal information. I suppose we could have a National Register of all US citizens who choose to release this information to the Government in the interest of National Security, leaving all the bad guys to stick out as caring about this information so much that they refuse to let Law Enforcement look at it. The act of datamining (looking for trends) in itself is self-limiting as you dont get hits unless there is a trend of interest, in this case of interest to National Security. It is difficult to perceive that there is a well-intentioned citizen who would not encourage such data-mining of whatever database could be collected if they knew what data-mining is all about and what it really means. With judicial oversight and insight, it would be valid to go forward with whatever data-mining and whatever databases are possible rather than self-inflict a narrowly tailored approach, while at the same time pretending that we are possibly going to all this trouble for something other than an important government interest. 
Again, it would be an incredible circumstance where multiple persons with Top Secret clearances would stray from national defense, national security, and other Constitutional interests and pursue objectives almost exclusively associated with lone activists or perpetrators carefully hiding their activities from even one other cleared person. This recommendation is unwarranted. Recommendation 5 We recommend that legislation should be enacted that terminates the storage of bulk telephony meta-data by the government under section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party. Access to such data should be permitted only with a section 215 order from the Foreign Intelligence Surveillance Court that meets the requirements set forth in Recommendation 1. Comment 5: This recommendations supposes that the Government is the bad guy and

that some undefined entities are good guys by virtue of being private providers or third parties that can be trusted more. Such third parties/entities would have to be paid and incentivized to do a good job, which could easily lead to more rather than fewer issues and certainly far more complexity and far less timeliness/effectiveness. While it on its surface seems like a good idea to have other actors involved, you already have credible actors involved, persons screened to Top Secret clearance levels and, also, constantly evaluated by both peers as well as subordinates and supervisors, all of whom already have the highest clearances the country can come up with and already know the circumstances, context, and objectives of most issues far better than any third party, defined or undefined. This recommendation has no merit at all. Recommendation 6 We recommend that the government should commission a study of the legal and policy options for assessing the distinction between meta- data and other types of information. The study should include technological experts and persons with a diverse range of perspectives, including experts about the missions of intelligence and law enforcement agencies and about privacy and civil liberties. Comment 6: This is what we thought the people who wrote this report were doing in coming up with their recommendations. Nevertheless, it is clear that such a committee would be no more able to do that since assessing the distinctions has already been done many times in just about every information technology course taught. 
Introducing experts to do a study on information types from their perspectives sounds good but would result in compromise rather than optimization since political perspectives (polarized perspectives) on missions by non-mission experienced technological experts and privacy persons, not to mention inviting generally more radical civil liberties advocates to the table, all there to discuss the obvious while pretending to offer insights not already evident to the average person. This recommendation is unwarranted. Recommendation 7 We recommend that legislation should be enacted requiring that detailed information about authorities such as those involving National Security Letters, section 215 business records, section 702, pen register and trap-and-trace, and the section 215 bulk telephony meta-data program should be made available on a regular basis to Congress and the American people to the greatest extent possible, consistent with the need to protect classified information. With respect to authorities and programs whose existence is unclassified, there should be a strong presumption of transparency to enable the American people and their elected representatives independently to assess the merits of the programs for themselves. Comment 7: Again, here we have a shotgun full of good wishes and vaguely defined intentions to involve both Congress and the average citizen on matters that they are

literally unable to comprehend without years of experience, which would require them to be familiar with classified information without having any of it to look at. The information relevant to all this is classified and should be accessed only by cleared persons with a need to know, a basic precept for all information classified for national security purposes. Again, there is no need for independent assessments of what is already constantly undergoing expert independent assessments by peers, subordinates, and supervisors already expert and familiar with the context, past experience, the law, and the Constitutional rights of citizens. This recommendation is unwarranted. Recommendation 8 We recommend that: (1) legislation should be enacted providing that, in the use of National Security Letters, section 215 orders, pen register and trap-and-trace orders, 702 orders, and similar orders directing individuals, businesses, or other institutions to turn over information to the government, non-disclosure orders may be issued only upon a judicial finding that there are reasonable grounds to believe that disclosure would significantly threaten the national security, interfere with an ongoing investigation, endanger the life or physical safety of any person, impair diplomatic relations, or put at risk some other similarly weighty government or foreign intelligence interest; (2) nondisclosure orders should remain in effect for no longer than 180 days without judicial re-approval; and (3) nondisclosure orders should never be issued in a manner that prevents the recipient of the order from seeking legal counsel in order to challenge the orders legality. Comment 8: There is actually little to disclose that is not already out there at this point in the public domain. 
If non-disclosure orders seem to be needed by those officials implementing a program, they should be allowed rather than compromising unnecessarily what is likely already a project that is important to national security. Ambiguous terms lie significantly threaten will fall on different ears differently, so one need only find a sympathetic judicial ear. Know what would put at risk anything in advance seems to be a province of the devine, so this recommendation will only serve to weaken national security, even if it could be carried out to some benefit on occasion. Legal counsel must always be available to US citizens and corporation, else we have a dictatorship and have already lost the war. Recommendation 9 We recommend that legislation should be enacted providing that, even when nondisclosure orders are appropriate, recipients of National Security Letters, section 215 orders, pen register and trap-and-trace orders, section 702 orders, and similar

orders issued in programs whose existence is unclassified may publicly disclose on a periodic basis general information about the number of such orders they have received, the number they have complied with, the general categories of information they have produced, and the number of users whose information they have produced in each category, unless the government makes a compelling demonstration that such disclosures would endanger the national security. Comment 9: The number of orders received/implemented could be released with minor adverse implications, but the categories of information would aid the potential adversaries. The goal of this recommendation seems to be to force the release of hints about what the Government is doing to find terrorists directly to those potential adversaries, all under the umbrella of openness for openness sake, as if this is a politically correct approach to providing such hints to adversaries. This recommendation is unwarranted. Recommendation 10 We recommend that, building on current law, the government should publicly disclose on a regular basis general data about National Security Letters, section 215 orders, pen register and trap-and-trace orders, section 702 orders, and similar orders in programs whose existence is unclassified, unless the government makes a compelling demonstration that such disclosures would endanger the national security. Comment 10: The Freedom of Information Act already manages this requirement for any citizen who inquires about Government information. Just because something is not classified does no mean that it can be released to the public without adverse results. The FOIA process already does exactly what this recommendation suggests, at least to those citizens who raise such questions or make requests for information. 
FOIA processes are important for authors of history books, and the Government has already put in place an extraordinarily demanding process to ensure unclassified information of all kinds is released unless exempted under a specific FOIA exemption. This recommendation is unwarranted. Recommendation 11 We recommend that the decision to keep secret from the American people programs of the magnitude of the section 215 bulk telephony meta-data program should be made only after careful deliberation at high levels of government and only with due consideration of and respect for the strong presumption of transparency that is central to democratic governance. A program of this magnitude should be kept secret from the American people only if (a) the program serves a compelling governmental interest and (b) the efficacy of the program would be substantially impaired if our enemies were to know of its existence. Comment 11: This recommendation inherently suggests that keeping secrets from the

American people in the interest of national security works against transparency, which is a very obvious conclusion. National security programs that are transparent to the American people are also transparent to potential adversaries. It should be sufficient for the American people to know that they can trust their elected officials to do the right thing, transparent or not. The recommendation suggests that compelling government interests and the efficacy of the programs were not substantially impaired or, at least, that our government officials and highly cleared personnel do not already know what needs to be kept secret. Agencies already write and use classification guides that are approved by senior managers to protect national security. The recommendation asserts itself on management of big programs of importance to national security as if there is a difference ethically for big programs as compared with lesser programs. Whatever should be released to the public will in time be determined at the highest, most applicable levels of government, but that seldom includes the highest levels such as the White House since expertise is limited and ramifications not apparent, which is why we have cabinet officials (who themselves are seldom qualified to do more than ask for advice from their subordinates). This recommendation is unwarranted. 
Recommendation 12 We recommend that, if the government legally intercepts a communication under section 702, or under any other authority that justifies the interception of a communication on the ground that it is directed at a non-United States person who is located outside the United States, and if the communication either includes a United States person as a participant or reveals information about a United States person: (1) any information about that United States person should be purged upon detection unless it either has foreign intelligence value or is necessary to prevent serious harm to others; (2) any information about the United States person may not be used in evidence in any proceeding against that United States person; (3) the government may not search the contents of communications acquired under section 702, or under any other authority covered by this recommendation, in an effort to identify communications of particular United States persons, except (a) when the information is necessary to prevent a threat of death or serious bodily harm, or (b) when the government obtains a warrant based on probable cause to believe that the United States person is planning or is engaged in acts of international terrorism. Comment 12: This in general is de facto what has been going on, so no change is needed. The exception to this general evaluation relates to the issue of purging information about a US citizen, which is nave and contrary to national security interests. A data point called up today might also be called up tomorrow, so it should not be purged today in an attempt at redemption from trespassing on a perceived

mistake, which is not at all a mistake. Obtaining a warrant to pursue a US citizen based on national or international intelligence information actually seems easier than current processes that isolate the information in an effort to conform with judicial pursuit limitations, anyway. This recommendation is unwarranted. Recommendation 13 We recommend that, in implementing section 702, and any other authority that authorizes the surveillance of non-United States persons who are outside the United States, in addition to the safeguards and oversight mechanisms already in place, the US Government should reaffirm that such surveillance: (1) must be authorized by duly enacted laws or properly authorized executive orders; (2) must be directed exclusively at the national security of the United States or our allies; (3) must not be directed at illicit or illegitimate ends, such as the theft of trade secrets or obtaining commercial gain for domestic industries; and (4) must not disseminate information about non-United States persons if the information is not relevant to protecting the national security of the United States or our allies. In addition, the US Government should make clear that such surveillance: (1) must not target any non-United States person located outside of the United States based solely on that persons political views or religious convictions; and (2) must be subject to careful oversight and to the highest degree of transparency consistent with protecting the national security of the United States and our allies. Comment 13: This recommendation may give some comfort to allied leaders who may be concerned about their telephone privacy, but the net effect here is to impeded national security since political and religious views are central as well as key to our ongoing national security challenges since at least 9/11/2001. The report embeds poorly conceived limitations or cautions among concepts that do not need to be stated. 
The US national security regime is far too busy with national security to concern itself with corporate trade secrets, so it would be interesting to hear about actual violations in this area that would make this recommendation worthy of consideration. Corporate interests are already protected under the Freedom of Information Act exemptions, and just because the US intelligence community is aware of proprietary information does not mean that it is disseminated to those who would misuse it. This recommendation adds complexity to the National Security task that is not warranted and does not lend itself to implementation in any case, even if superficially well-meaning.

Recommendation 14 We recommend that, in the absence of a specific and compelling showing, the US Government should follow the model of the Department of Homeland Security, and apply the Privacy Act of 1974 in the same way to both US persons and non-US persons. Comment 14: US citizens are protected by US laws enacted under the Constitution, they pay taxes and they are subject to military draft when needed in the interests of National Security. Other countries are in direct conflict with the US on either or both religious or political grounds, so treating their people as if they have the same rights and interests in our National Security as US citizens is not warranted even if it seems to be fair to some. Nevertheless, it should be noted that specific and compelling are terms subject to interpretation, and it logically evident that politics and religion could not in themselves point to a potential National Security concern. With a billion Muslims or Chinese Communists eager to diminish the US and its people, it is nonsense to suggest that National Security could be enhanced by other than a compelling showing, however that might be defined. Recommendation 15 We recommend that the National Security Agency should have a limited statutory emergency authority to continue to track known targets of counterterrorism surveillance when they first enter the United States, until the Foreign Intelligence Surveillance Court has time to issue an order authorizing continuing surveillance inside the United States. Comment 15: Why is this an emergency if they are known targets? What criteria would define a need to terminate surveillance when in the US? It would seem even more necessary, not less, to continue surveillance. This recommendation is not logical, although it does have underpinnings of attempting to be politically correct. 
Recommendation 16 We recommend that the President should create a new process requiring high-level approval of all sensitive intelligence requirements and the methods the Intelligence Community will use to meet them. This process should, among other things, identify both the uses and limits of surveillance on foreign leaders and in foreign nations. A small staff of policy and intelligence professionals should review intelligence collection for sensitive activities on an ongoing basis throughout the year and advise the National Security Council Deputies and Principals when they believe that an unscheduled review by them may be warranted. Comment 15: What is high level if not already within the qualifications and expertise of those in charge of NSA and IC resources? Such recommendations suggest that the leaders of such organizations are without ability and without good intentions, even if

appointed by the president, the Congress, and cleared by a rigorous background investigation. If the president and/or Congress have higher level or more capable people in mind, they should put them in charge rather than employ them as another management layer. It seems that this recommendation has already been implemented by the news media coverage of NSAs interception of foreign leader communications. Why would an ongoing review management layer be needed for such things rather than simply establishing EO policy on this? Recommendation 17 We recommend that: (1) senior policymakers should review not only the requirements in Tier One and Tier Two of the National Intelligence Priorities Framework, but also any other requirements that they define as sensitive; (2) senior policymakers should review the methods and targets of collection on requirements in any Tier that they deem sensitive; and (3) senior policymakers from the federal agencies with responsibility for US economic interests should participate in the review process because disclosures of classified information can have detrimental effects on US economic interests. Comment 17: What senior policymakers exist who are not already involved? Are we saying that the IC community has been disconnected somehow from policy or have not developed their own policies? If so, then this recommendation seems to seek to involve additional policymakers from outside the IC who deal with, rather than national security, economic matters. Adverse IC impacts on economic matters are balanced already by beneficial effects, unless we are saying that adversarial political leaders in other countries will interrupt or terminate trade with us. The Chinese are actively collecting all kinds of commercial and patent information as well as national security information for their own benefit, despite their economic, national debt and banking issues and relations with the US. 
Are we saying that such Chinese collections will stop or even slow down if we discourage IC activities that might impact economic relations? Isnt this the tail wagging the dog? Recommendation 18 We recommend that the Director of National Intelligence should establish a mechanism to monitor the collection and dissemination activities of the Intelligence Community to ensure they are consistent with the determinations of senior policymakers. To this end, the Director of National Intelligence should prepare an annual report on this issue to the National Security Advisor, to be shared with the Congressional intelligence committees. Comment 18: Under the Constitution, it is the job of Congress to make laws and up to

the Executive Branch to carry them out. At best, Congress should help set policies and limitations by passing laws, not monitoring the IC collection and dissemination activities. Such intrusive IC management by Congress via an Annual Report from DNI on being consistent with the determinations of senior policymakers b egs the question as to why senior policymakers (whoever they may be?) cannot have such feedback without the help of Congress. What would the annual report say? Would it list all the errors or weaknesses in the IC and seek solutions/fixes via new or better policies? How could they be fixed better by Congressional Committee involvement? What would make the Annual Report to Congress (and presumably the President) truthful, complete, and understood? The key agencies/interests should create their own internal review committees using high level membership from all IC and National Security entities to discover and drive issues from all sources internal and external to the IC. This approach was taken by Department of Energy in the 1980s to manage similar details and corrective actions involved with the nuclear weapons stockpile, recognizing that interagency leaders have trouble putting themselves on report to the President or to Congress. Thus, this recommendation is reasonable, but the focal point of corrective actions and policy review should not be with Congress, regardless of what shows up in an Annual Report. Recommendation 19 We recommend that decisions to engage in surveillance of foreign leaders should consider the following criteria: (1) Is there a need to engage in such surveillance in order to assess significant threats to our national security? (2) Is the other nation one with whom we share values and interests, with whom we have a cooperative relationship, and whose leaders we should accord a high degree of respect and deference? 
(3) Is there a reason to believe that the foreign leader may be being duplicitous in dealing with senior US officials or is attempting to hide information relevant to national security concerns from the US? (4) Are there other collection means or collection targets that could reliably reveal the needed information? (5) What would be the negative effects if the leader became aware of the US collection, or if citizens of the relevant nation became so aware?

Comment 19: As long as the foreign leader means us well, they should not be too concerned about what intelligence collections we might undertake in the interests of our national security. Like our leaders, once elected or even running for office, they are in a fish bowl anyway. More broadly, if a foreign country's interests are similar to ours, then intelligence collections should be mutually beneficial and not an obstacle to continued friendly relations. A mature leader would accept that and would not be concerned with just saving face, but obviously some would be. There is always a need to engage in surveillance of foreign leaders of all stripes, the differences being mostly in terms of intensity and effort needed. Our friends are open with us and our enemies are not. The real questions are (1) who are the friends and who are the enemies, and (2) how does the answer to this change over time? More importantly, why would our best move for friends not be to simply share IC information of mutual benefit? That would seem to far outweigh other considerations in this area, since there is little likelihood that all the world's intelligence agencies would go along with our more sensitive approach to the feelings of our friendly countries' heads of state. This recommendation is simply childish and self-defeating. We already avoid expending much effort and time spying on friends, and such activities, to the extent they exist, are likely part of a more global and generic effort in any case.

Recommendation 20
We recommend that the US Government should examine the feasibility of creating software that would allow the National Security Agency and other intelligence agencies more easily to conduct targeted information acquisition rather than bulk-data collection.

Comment 20: If this recommendation were feasible and beneficial, it would already have been done. It is the data mining software that does the targeting based on the parameters of interest, which would be the same parameters that would need to be invoked if a specialized software program were possible. One need only reflect on Google search results on the Internet to see that even the best software cannot anticipate the nuances of the human mind, much less predict new nuances in new national security threats, such that this recommendation might make sense.
It is far more effective to broaden the database to all possible issues and sources, making it clear that our adversaries have no place to hide and should assume that everything that can be monitored is being monitored. Again, it is doubtful that other countries would impose a non-data-mining regime on their intelligence collection activities even if we did so unilaterally. Thus, this recommendation would make more sense if it proposed an international conference on how to data mine without a good database to search. This recommendation is silly.

Recommendation 21
We recommend that with a small number of closely allied governments, meeting specific criteria, the US Government should explore understandings or arrangements regarding intelligence collection guidelines and practices with respect to each other's citizens (including, if and where appropriate, intentions, strictures, or limitations with respect to collections). The criteria should include: (1) shared national security objectives; (2) a close, open, honest, and cooperative relationship between senior-level policy officials; and (3) a relationship between intelligence services characterized both by the sharing of intelligence information and analytic thinking and by operational cooperation against critical targets of joint national security concern. Discussions of such understandings or arrangements should be done between relevant intelligence communities, with senior policy-level oversight.

Comment 21: We already have international cooperation on national security related programs, notably in the form of NATO and treaties with other countries as needed. This recommendation focuses on the citizens of the different but friendly countries. Agreeing not to collect information on the citizens of friendly countries would rather obviously be difficult, since non-citizens are mixed in with them. Indeed, such a policy would create safe havens for hostile agents and make matters worse rather than better. This, like many recommendations in this report, is academically attractive but foolish when considered in terms of practicality and effect in the real world.

Recommendation 22
We recommend that: (1) the Director of the National Security Agency should be a Senate-confirmed position; (2) civilians should be eligible to hold that position; and (3) the President should give serious consideration to making the next Director of the National Security Agency a civilian.

Comment 22: There is precedent for civilian control of advanced technologies, as is evident in the Atomic Energy Act.
In its additional wisdom, the Congress in the case of the AEA also by law prevented the President from making decisions on the classification of information associated with nuclear technology, although the President does retain control over all other classified information (National Security Information, as described in the 12 or so EOs signed by different presidents over the past 70 years). Putting a civilian presidential appointee in charge of the NSA would make the NSA even more subject to political whim than a military appointee. It is difficult to find a civilian who has devoted his career to national security, but the military forces are all full of such people, people who understand the importance of intelligence and can manage it within the clinical (vice political) needs of the country. If a civilian is nominated, he or she would have to have significant military experience and be relatively immune to political influences as compared with national security influences. If one were looking for someone most qualified to head the NSA, it would be more appropriate to look first for a Medal of Honor recipient who also happens to have experience as a military flag officer. Flag officers, especially retired flag officers, are readily available and not particularly competent to be the head of a high-technology national security entity. If Congress is to approve such appointments, especially for non-military civilians, it should also be a life-long job unless Congress decides to replace the incumbent. That would itself be very politically driven, but it would be better than changing out such people based on presidential political programs for election cronies or supporters. It is bad enough that most agencies have to be led by political appointees with no practical experience and full of doctoral-level academic ideals that are often inconsistent with the real world. Overall, this recommendation would fix something that really is not broken.

Recommendation 23
We recommend that the National Security Agency should be clearly designated as a foreign intelligence organization; missions other than foreign intelligence collection should generally be reassigned elsewhere.

Comment 23: This recommendation reflects a serious lack of understanding as to what the NSA is all about and its expertise. We already have the spy agencies recommended here. Moving other missions and tasks to other agencies would defocus the world-class expertise and extensive experience that NSA employees bring to all their missions. The fact that the NSA, through advanced technology, now resides in the middle of the IC data collection capability is a result of this expertise and capability. It is not evident why such a recommendation as this would be worth doing unless it is felt the NSA is not doing a good job achieving its mission in this area. The CIA might need to have closer ties to the NSA, but that can be worked out (if it has not been worked out yet) between the two agencies. This recommendation is simply nonsense.
Recommendation 24
We recommend that the head of the military unit, US Cyber Command, and the Director of the National Security Agency should not be a single official.

Comment 24: This recommendation thus suggests that two people should be in charge of doing pretty much the same national security job, spreading the responsibility and thus making no one responsible other than the President (and the congressional intelligence committees, perhaps). This recommendation does make sense if we are to accept the notion of making the head of the NSA a civilian per Recommendation 22, but that notion seems even less useful in view of this recommendation, which is also academically sweet but not realistic in terms of what is most effective.

Recommendation 25
We recommend that the Information Assurance Directorate, a large component of the National Security Agency that is not engaged in activities related to foreign intelligence, should become a separate agency within the Department of Defense, reporting to the cyber policy element within the Office of the Secretary of Defense.

Comment 25: This recommendation ignores the mission of the IA Directorate to support other government agencies in the cyber war and, indeed, to keep up with modern technology and its rapid pace. Such support requires a depth of knowledge and focus that is not consistent with relatively rapid changes in military leadership, the military service environment, and the slowly evolving military hardware equipment/procurement world, which is typically 5 to 10 years behind technologies used in the civilian world. Having a cutting-edge technical entity in the NSA, where things are more flexible and timely, already provides the military with forward-looking opportunities to produce more effective and more secure military systems, a fact that is broadly evident in today's military. This recommendation has no merit and would diminish national security if enacted.

Recommendation 26
We recommend the creation of a privacy and civil liberties policy official located both in the National Security Staff and the Office of Management and Budget.

Comment 26: OK. It is not clear whether this would be a dual-hat person, but it should not matter. All senior government officials are responsible for supporting and defending the Constitution, from which privacy and other civil liberties spring in the first place. The implication here, however, is that such a person would have budget authority over the various national security entities, which seems to suggest a political appointee would be driving the NSA's resources. That would be counterproductive and would likely remove flexibility at a point in history where flexibility is increasingly important.
Recommendation 27
We recommend that: (1) The charter of the Privacy and Civil Liberties Oversight Board should be modified to create a new and strengthened agency, the Civil Liberties and Privacy Protection Board, that can oversee Intelligence Community activities for foreign intelligence purposes, rather than only for counterterrorism purposes; (2) The Civil Liberties and Privacy Protection Board should be an authorized recipient for whistle-blower complaints related to privacy and civil liberties concerns from employees in the Intelligence Community; (3) An Office of Technology Assessment should be created within the Civil Liberties and Privacy Protection Board to assess Intelligence Community technology initiatives and support privacy-enhancing technologies; and (4) Some compliance functions, similar to outside auditor functions in corporations, should be shifted from the National Security Agency and perhaps other intelligence agencies to the Civil Liberties and Privacy Protection Board.

Comment 27: The intelligence community is probably the least likely area to require such oversight, as compared with most other agencies staffed by a range of people in charge of missions impacting civil liberties and privacy more directly, such as law enforcement agencies and the IRS. It would also be nice to have another advocate for whistle-blowers, an area where the government fails more than it succeeds. Thus, any recommendation that invokes a mission of protecting/encouraging whistle-blowers seems to be that much more appropriate, at least from an academic perspective. In practical terms, rather than a reactive oversight board, it would be more effective to create a National Security Policy School that would instill the highest ideals of constitutional rights and privacy, an approach that would ensure that all government officials undertake the hard right instead of the easy wrong. We already have schools that do this, in the form of the Military Academies, but attendance at those institutions is limited. In the modern world, however, this could be an online school to certify all government employees on ethics and the Constitution, with biennial refresher training. Some of this is ongoing, but with peripheral foci in terms of this recommendation. All such aspirations should really already be embedded in the mindset of all government leaders and should not have to be assessed by a special board, given that all citizens have access to their congressmen and Congress has access to all agencies and departments.
Recommendation 28
We recommend that: (1) Congress should create the position of Public Interest Advocate to represent privacy and civil liberties interests before the Foreign Intelligence Surveillance Court; (2) the Foreign Intelligence Surveillance Court should have greater technological expertise available to the judges; (3) the transparency of the Foreign Intelligence Surveillance Court's decisions should be increased, including by instituting declassification reviews that comply with existing standards; and (4) Congress should change the process by which judges are appointed to the Foreign Intelligence Surveillance Court, with the appointment power divided among the Supreme Court Justices.

Comment 28: If this recommendation is needed, the judges should be let go, since they are supposed to be looking after such interests without prodding. It would be appropriate for the judges themselves to have more technical competence, but they are free to require such expertise to be made available. The processes are, however, adequately redundant such that judges can learn on the job over time about the technologies involved. It seems logical to allow declassification in accordance with current practices, practices that currently require declassification 25 years from the date of the document unless exempted (under EO 13526, currently) due to the source of the information or some other specific exemption. This may not be what is intended by the report writers, who seem to have an academic perspective that would require a much earlier declassification schedule. If the current judges are not competent, they should be replaced, but that has not been shown. Establishing an extra-Constitutional appointment process for such judges might require an amendment to the Constitution, so it might be better if Congress simply took action to fire the current ones through impeachment of them or by impeaching the appropriate appointing official. If a judge needs oversight to implement the law through dedicated law enforcement personnel having the highest possible security clearances, we have all failed.

Recommendation 29
We recommend that, regarding encryption, the US Government should: (1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.

Comment 29: Better encryption technologies are foundational in terms of NSA's missions. This recommendation seems to imply that something is amiss and needs to be corrected rather than reaffirmed. Certainly, NSA is the arm of the US Government that does such things.
Apparently there is an issue with undermining or defeating commercial encryption efforts, so the recommendation is that the NSA make it so difficult to break encryption schemes that it is literally impossible, as compared with just being very hard to do. Making such encryption available commercially (if not already out there) would make it more difficult to collect information on potential adversaries, a circumstance that would work to some degree against NSA's success in other areas. It would be nice to simply come up with a way to stop spam emails more reliably, such that no one would bother to send out spam anymore, so that seems like something the NSA could undertake as well in support of commercial software. Overall, multi-token schemes already protect information adequately, but "adequately" is defined differently by different companies since costs are involved. In that regard, the marketplace will take care of itself over time, and the NSA has probably done as much as it can to put encryption ideas out there for all to use as desired. The other important mission for NSA is cyber warfare, a much more sophisticated OPSEC/COMSEC arena for national security investments.

Recommendation 30
We recommend that the National Security Council staff should manage an interagency process to review on a regular basis the activities of the US Government regarding attacks that exploit a previously unknown vulnerability in a computer application or system. These are often called "Zero Day" attacks because developers have had zero days to address and patch the vulnerability. US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.

Comment 30: There is nothing wrong with most of this recommendation, since it is a common problem for commercial software and is being addressed aggressively already in the course of normal software life cycles. Beta versions seek to work out some of the bugs and vulnerabilities, but there is always a risk that a vulnerability can be found. It is not clear why this recommendation requires high priority intelligence collection to pursue the use of software vulnerabilities. It should be a matter of what is in the national security interest as to how vulnerabilities should be used against a potential adversary, so "senior, interagency review involving all appropriate departments" is once again an academic mindset unconnected to the real world, a mindset that seems to go toward reducing national security effectiveness more often than increasing it. Interagency cooperation on most things takes far too much time even if it somehow turned out to add value to the task. This recommendation is of no merit.

Recommendation 31
We recommend that the United States should support international norms or international agreements for specific measures that will increase confidence in the security of online communications.
Among those measures to be considered are: (1) Governments should not use surveillance to steal industry secrets to advantage their domestic industry; (2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems; (3) Governments should promote transparency about the number and type of law enforcement and other requests made to communications providers; (4) Absent a specific and compelling reason, governments should avoid localization requirements that (a) mandate location of servers and other information technology facilities or (b) prevent trans-border data flows.

Comment 31: It only takes one government not to go along with this recommendation to make it ineffective. Just as passengers should not have weapons on airplanes, it only takes one passenger to bring grief to the rest. Since we usually view ourselves as the good guys, we likely would sign up readily for such international improvements, but a practical view of this is far less optimistic than the recommendation, although all of it is based on "should" and cannot be contradicted in terms of desirability.

Recommendation 32
We recommend that there be an Assistant Secretary of State to lead diplomacy of international information technology issues.

Comment 32: The Department of State usually has to be supported technically by other agencies, so apparently the intent here is to have the NSA work with DOS on this. Finding a career diplomat versed in IT issues as well as national security is the first task. There are many new cyber-experienced military personnel who could make that a second career.

Recommendation 33
We recommend that as part of its diplomatic agenda on international information technology issues, the United States should advocate for, and explain its rationale for, a model of Internet governance that is inclusive of all appropriate stakeholders, not just governments.

Comment 33: Everyone is a stakeholder, down to the most energetic hacker. Wishing that everyone will play nice in the sandbox has no particular merit, but it cannot hurt to seek out those who can be converted. Again, the approach would need to be based on international expectations that all countries would seek to educate their citizens in this regard and severely punish anyone who did not conform. It is already in the best interest of governments and commercial entities to support proper Internet governance, so explaining our rationale for that seems like an empty gesture to the good guys and laughable to those who seek bad things for us. Again, it would not hurt, but such academic exercises are easily ignored/defeated in the real world.
Recommendation 34
We recommend that the US Government should streamline the process for lawful international requests to obtain electronic communications through the Mutual Legal Assistance Treaty process.

Comment 34: Streamlining any process seems like a valid goal. What does that have to do with the NSA?

Recommendation 35
We recommend that for big data and data-mining programs directed at communications, the US Government should develop Privacy and Civil Liberties Impact Assessments to ensure that such efforts are statistically reliable, cost-effective, and protective of privacy and civil liberties.

Comment 35: This recommendation does not make any sense, since to make something like this statistically reliable one would have to generate a lot of statistics (do a lot of realistic data mining), contrary to the apparent goal of the recommendation. To determine cost effectiveness, usage would also be required but would also have to be exposed to subjective interpretation. If we find one critical nuclear weapon nonproliferation (or usage) opportunity, it would outweigh a thousand dirty bomb opportunities. Data mining is in itself protective of privacy and civil liberties, since hits only occur where there is logical evidence of a potential concern. It is in assessing the potential concerns that one might trespass on incidental information of a private nature or impacting civil liberties. That being said, many thousands of government employees already protect incidental information as well as large collections of private information without the benefit of being screened to get a top secret clearance. While this recommendation is full of admirable thoughts, it has no net value in the real world.

Recommendation 36
We recommend that for future developments in communications technology, the US should create program-by-program reviews informed by expert technologists, to assess and respond to emerging privacy and civil liberties issues, through the Civil Liberties and Privacy Protection Board or other agencies.

Comment 36: The US indeed promotes a lot of research in advancing technologies of all kinds, so it bears some responsibility for making such assessments where this is possible.
Unfortunately, it is mostly the developers themselves who are able to assess new technologies, so they would have to be tasked to explain what they did to ensure these goals are met. The best approach here of course would be to ask the NSA to do this, since they seem to have the best vantage point and skills for this.

Recommendation 37
We recommend that the US Government should move toward a system in which background investigations relating to the vetting of personnel for security clearance are performed solely by US Government employees or by a non-profit, private sector corporation.

Comment 37: The purpose here seems to be to ensure no one gets a security clearance unless they can be certified to have minimal issues of potential concern to national security. Just as no encryption process is perfect, no clearance background investigation process is perfect. Thus, it makes more sense to deal with potential clearance errors with at least a 2-person rule, as is done for the nuclear weapon stockpile. Even with a perfect clearance process, people can be security risks, so it is up to other people to minimize that risk. Government employees and non-profit organizations have the contrary issue of not being motivated or incentivized to do a good job with clearances any more than with any other task assigned to them. This kind of recommendation occurs frequently enough that it is hard to get enthusiastic about reorganizing who does the process, even if there is evidence that it is not done well. At best, one might have two separate private companies independently vet each person so that the competitive climate would work for us rather than the profit environment working against us. This recommendation would waste resources as well as effectiveness, even if it seems like a good idea on its surface. It is simply too simple-minded to make much difference.

Recommendation 38
We recommend that the vetting of personnel for access to classified information should be ongoing, rather than periodic. A standard of Personnel Continuous Monitoring should be adopted, incorporating data from Insider Threat programs and from commercially available sources, to note such things as changes in credit ratings or any arrests or court proceedings.

Comment 38: This is already being done, of course, in terms of continuous monitoring of personnel by other personnel and by insider threat programs/efforts. Individuals are tasked to report themselves on their court proceedings and financial issues. It is possible to set up an automatic credit report for all cleared persons and automatic screening of individuals for court proceedings, eliminating or supplementing the self-reporting expectation. Also, most agencies train routinely on a range of behavior issues and security matters, especially those agencies having national security responsibilities and security-cleared people. Thus, this recommendation has some merit if it can be funded and if it is cost effective. For example, would it replace the periodic reviews or be in addition to periodic reviews?
As written, it would likely cost less but would abdicate coverage of a lot of areas that cannot be automated. That is, the neighbors would know that there is a problem with drugs, but not the government.

Recommendation 39
We recommend that security clearances should be more highly differentiated, including the creation of "administrative access" clearances that allow for support and information technology personnel to have the access they need without granting them unnecessary access to substantive policy or intelligence material.

Comment 39: That would be easy to implement if everyone simply encrypted their files and information, even on cleared networks, making it necessary to know the encryption key or password before being able to open a file. It is already supposed to be managed on a need-to-know basis, but that is unrealistic in the case of those involved with maintaining/repairing/operating high-tech communications and computer systems. The systems could be designed/set up to automatically encrypt on a need-to-know basis. In addition, the 2-person rule for downloading files should be employed for any electronic download access points. Administrative/technology personnel are likely not to understand or appreciate the weight of the material to which they have access in terms of national security implications, so there is some value in having administrative versus content access to classified electronic files and to unclassified controlled information as well.

Recommendation 40
We recommend that the US Government should institute a demonstration project in which personnel with security clearances would be given an Access Score, based upon the sensitivity of the information to which they have access and the number and sensitivity of Special Access Programs and Compartmented Material clearances they have. Such an Access Score should be periodically updated.

Comment 40: How would this be used? Many people with clearances have a need to have broad access. This seems to be something that should go on a résumé, but people either have SCI access or they don't. There are already different security clearance levels. The Department of Energy uses Sigma codes for people and information access regarding nuclear weapons, so that might serve as somewhat of a model for this somewhat vague recommendation.

Recommendation 41
We recommend that the need-to-share or need-to-know models should be replaced with a Work-Related Access model, which would ensure that all personnel whose role requires access to specific information have such access, without making the data more generally available to cleared personnel who are merely interested.

Comment 41: This recommendation is seeking to split hairs on access, but such things are already in place by virtue of the limited access given to the files of other employees/workers. Assuming this was desirable, it would be time consuming and difficult to get this right.
This is one reason why the US stopped trying to account for secret documents and now generally registers top secret or foreign government information. It is simply too hard administratively, although somewhat attractive idealistically.

Recommendation 42
We recommend that the Government networks carrying Secret and higher classification information should use the best available cyber security hardware, software, and procedural protections against both external and internal threats. The National Security Advisor and the Director of the Office of Management and Budget should annually report to the President on the implementation of this standard. All networks carrying classified data, including those in contractor corporations, should be subject to a Network Continuous Monitoring Program, similar to the EINSTEIN 3 and TUTELAGE programs, to record network traffic for real time and subsequent review to detect anomalous activity, malicious actions, and data breaches.

Comment 42: There is no issue with data mining any such database that might be created. It would be consistent with previous practices in place before secret documents became so prevalent. Each agency would have to report on this after an internal look, but it would be best to let NSA run that program and make any needed reports based on their inspections of agency hardware and software. The likely issue here would be funding such upgrades even if they are desired and timely.

Recommendation 43
We recommend that the President's prior directions to improve the security of classified networks, Executive Order 13587, should be fully implemented as soon as possible.

Comment 43: This executive order requires a lot of things to happen, things that are easier said than done, but it is a worthy attempt at getting on top of the insider threat and classified networks. Again, one should seek elegant solutions that are realistic and effective rather than simply describing everything we can think of that might help. If there is an agency that has fully implemented the EO, they should also share their secrets for success. Again, the NSA would have to provide expertise to assess whether an agency is in compliance.

Recommendation 44
We recommend that the National Security Council Principals Committee should annually meet to review the state of security of US Government networks carrying classified information, programs to improve such security, and evolving threats to such networks. An interagency "Red Team" should report annually to the Principals with an independent, second opinion on the state of security of the classified information networks.

Comment 44: This also appears to be something that only the NSA could do effectively, so it ought to be tried.
Network standards throughout the government would generally be appropriate, but that depends on operational pace for some, as well as the evolving threat that may or may not apply to all networks.

Recommendation 45
We recommend that all US agencies and departments with classified information should expand their use of software, hardware, and procedures that limit access to documents and data to those specifically authorized to have access to them. The US Government should fund the development of, procure, and widely use on classified networks improved Information Rights Management software to control the dissemination of classified data in a way that provides greater restrictions on access and use, as well as an audit trail of such use.

Comment 45: By all means, if the technology exists and can be implemented among the diverse agencies of government, it should be done. Keeping track of that from a document perspective could be difficult, but that in combination with personnel need-to-know profiles might work. This would actually most efficiently be implemented simply by supervisors approving access for individuals who have a need to know, either on a document basis or a project basis. This generally has to be done informally already. As for most of these recommendations, while desirable on their face, implementation in diverse real-world situations can be impossible or at least not cost effective.

Recommendation 46
We recommend the use of cost-benefit analysis and risk-management approaches, both prospective and retrospective, to orient judgments about personnel security and network security measures.

Comment 46: This recommendation is full of gratuitous jargon that is entirely useless.
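As an added illustration, not part of this commentary or of the report under review, of the access-control ideas in Recommendations 39 through 41 and the audit trail called for in Recommendation 45: per-compartment encryption that gives administrators ciphertext-only access, a work-related test for content access, a two-person rule at the download point, and a constructed Access Score formula (the page gives none). The toy cipher, the person and document records, the compartment and project labels, and the sensitivity scale are all assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy CTR-style stream cipher built from HMAC-SHA256, for illustration only;
    # a real system would use an AEAD such as AES-GCM from a vetted library.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass(frozen=True)
class Person:
    name: str
    role: str                # "admin" operates systems; "analyst" reads content
    compartments: frozenset  # compartments the person's work actually requires
    projects: frozenset      # projects the person is assigned to


@dataclass
class Document:
    doc_id: str
    compartment: str
    project: str
    sensitivity: int         # constructed 1..4 scale, feeds the access score
    nonce: bytes
    ciphertext: bytes


class Vault:
    """Per-compartment encryption: content needs a key, administration does not."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}  # held by the key service, never by admins
        self.docs: dict[str, Document] = {}
        self.audit: list[tuple] = []       # audit trail: (actor, action, target, outcome)
        self._pending: dict[str, tuple[Person, list[str]]] = {}
        self._req_count = 0

    def _log(self, who: Person, action: str, target: str, ok: bool) -> bool:
        self.audit.append((who.name, action, target, "allowed" if ok else "denied"))
        return ok

    def _decrypt(self, doc: Document) -> bytes:
        return _keystream_xor(self._keys[doc.compartment], doc.nonce, doc.ciphertext)

    def store(self, doc_id, compartment, project, sensitivity, plaintext: bytes) -> None:
        key = self._keys.setdefault(compartment, os.urandom(32))
        nonce = os.urandom(12)
        self.docs[doc_id] = Document(doc_id, compartment, project, sensitivity,
                                     nonce, _keystream_xor(key, nonce, plaintext))

    def work_related(self, who: Person, doc: Document) -> bool:
        # Recommendation 41: the role must require this compartment AND this
        # project; a cleared but merely curious analyst fails the project test.
        return (who.role == "analyst" and doc.compartment in who.compartments
                and doc.project in who.projects)

    def copy_for_backup(self, who: Person, doc_id: str) -> bytes | None:
        # Administrative access (Recommendation 39): ciphertext only, never a key.
        if not self._log(who, "backup", doc_id, who.role == "admin"):
            return None
        return self.docs[doc_id].ciphertext

    def read(self, who: Person, doc_id: str) -> bytes | None:
        # Content access: decrypt only when the work-related test passes.
        doc = self.docs[doc_id]
        if not self._log(who, "read", doc_id, self.work_related(who, doc)):
            return None
        return self._decrypt(doc)

    def request_bulk_download(self, who: Person, doc_ids: list[str]) -> str:
        # Two-person rule at download points (Comment 39): a request alone
        # releases nothing; a second, distinct person must approve it.
        self._req_count += 1
        req_id = f"req-{self._req_count}"
        self._pending[req_id] = (who, list(doc_ids))
        self._log(who, "bulk-request", ",".join(doc_ids), True)
        return req_id

    def approve_bulk_download(self, approver: Person, req_id: str) -> list[bytes] | None:
        requester, doc_ids = self._pending[req_id]
        docs = [self.docs[d] for d in doc_ids]
        ok = (approver.name != requester.name
              and all(self.work_related(p, d) for p in (requester, approver) for d in docs))
        if not self._log(approver, "bulk-approve", req_id, ok):
            return None
        del self._pending[req_id]
        return [self._decrypt(d) for d in docs]


def access_score(who: Person, vault: Vault) -> int:
    # Recommendation 40 with a constructed formula (the page gives none): one
    # point per compartment held plus the highest sensitivity reachable in it.
    return sum(1 + max((d.sensitivity for d in vault.docs.values()
                        if d.compartment == comp), default=0)
               for comp in who.compartments)
```

Every allowed and denied action lands in `Vault.audit`, which is the audit trail Recommendation 45 asks for; a denied self-approval leaves the request pending for a second person.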
