Random Thoughts on the Recent NSA Scandal

Last week, the news broke that the National Security Agency (NSA) had been secretly collecting phone records of Verizon customers in the U.S.  Since the story broke the commentary from pundits, politicians, and the Great American Public alike has bordered on cacophonous.  

My thoughts on the scandal are wide ranging and somewhat disjointed, but they might bear some consideration. Here goes...

1. We had to go overseas to find out what's happening at home.  It's somewhat disturbing to me that we needed to rely on a newspaper published in the UK to get information about actions occurring on our home soil.  Only after the story broke in The Guardian did US new media outlets grab the story and start speading it like wildfire.
2. Someone is leaking like a sieve.  The original newspaper article allegedly* contained excerpts from a classified PowerPoint presentation as well as the original court order from the Foreign Intelligence Surveillance (FISA) Court. The documents in questions bear several classification markings including the term NOFORN -- which means "not releasable to foreign nationals."  (*Personal note:  I used the term "allegedly" to describe the documents as I personally make it a point not to review classified information released inappropriately into the wild.  As a former holder of high government clearances I consider it a violation of my oath and commitment to protect such information.  You are welcome to check out the documents yourselves and form your own opinions.)
3. Why are we so surprised?  Title II of the USA PATRIOT Act broadly amends the FISA act and gives tremendous latitude to the FISA Court in pursuit of combatting terrorism.  In the furor of FUD (fear, uncertainty, and doubt) that followed the 9/11 tragedy, we as a nation made the willing determination that sacrificing some of our freedoms to a governmental entity in the name of security was the appropriate thing to do;  now that we find out our government is actually utilizing the authority which we surrendered to them, we cloak ourselves in outrage and suspicion?   Admittedly, part of my incredulity here comes from some of the folks who are expressing their outrage to me. I remember having conversations about this topic in the early 2000's and the dangers of governmental excess in this space.  Many people said to me back then that they saw nothing wrong with the government having such broad sweeping powers as "only criminals and terrorists and people with something to hide" should be concerned.  Now those same individuals are the ones emailing me and calling me to express their outrage and ask for my advice re: if they should cancel their Verizon accounts.
4. What are we going to do about it?  Righteous indignation, Facebook campaigns, Internet memes and (yes) blog posts feel good and give us a chance to express our concerns in a public forum...but if we are truly concerned about this situation we need to take more postive, impactful actions such as:
• Supporting privacy advocacy groups
• Writing your local congressperson to express your concern -- and asking them for their positions on such issues.
• Voting for candidates that agree with your position on this issue
• Educating yourselves on proposed laws and acts which may further limit your rights to privacy online and over the airwaves.  While stalled in the Senate, earlier this year the House of Representatives resurrected and passed the Cyber Intelligence Sharing and Protection Act (CISPA).  Most Americans remain unaware of CISPA, the broadness of its reach, or its continued one-sided approach to information sharing and protection.  The fact that CISPA passed one of the chambers of Congress yet the nation remains indignant at the current NSA scandal is yet another reflection of the importance of becoming (and remaining) an informed citizenry re: these issues.   

I don't want people reading this blog to be left with the impression that I am anti-government or anti anything.  I love my country, and am extremely proud my service to it and its people.  That being said, I also believe that security professionals must understand and respect the need for appropriate balance and controls to prevent excesses and abuse which would tarnish that which makes us the Greatest Nation in the world. President Obama was correct when he stated that security and privacy are concepts that require the sacrifice of each in order to respect the other. Mayhap it is time, though, to relook at that balance and ensure that we haven't allowed FUD to (continue to?) skew where we draw certain lines.