Ever hear of Presidential Policy Directive (PPD) 20? Bet not. The more you’ve never heard of something, the more worried you should be.
In mid-November, The Washington Post, the first media outlet to report on the directive, noted that it “enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.”
The Post’s revelation came at the same time that other stories broke pointing to deepening problems with electronic privacy rights in America. The most sensational story involved the FBI’s snooping the private e-mails of two of the nation’s leading security officers, CIA Director David Petraeus and Gen. John Allen, head of the U.S. Afghanistan war effort.
More disturbing but expected, the Supreme Court rejected the ACLU’s challenge to the National Security Agency’s (NSA) use of warrantless wiretaps. And Sen. Patrick Leahy (D-VT), chairman of the Senate Judiciary Committee, proposed the further loosening of e-mail privacy protection regulations.
These are just four examples of an increasing number of efforts among various federal entities, including the Congress and Supreme Court, to expand the power of the U.S. government to spy on American citizens. Recent initiatives by three of the lead agencies engaged in citizen surveillance — National Security Agency (NSA), Department of Homeland Security (DHS) and Defense Department’s research arm, Defense Advanced Research Projects Agency (DARPA) – outline the tightening grip of the spy state.
The ostensible rationale for the tightening of the digital security grip is to track potential foreign cyber-threats. It is, however, evident that federal agencies are increasingly surveilling the electronic lives of ordinary Americans.
These developments signal the growing erosion of personal electronic privacy. Equally troubling, little information is available as to how these agencies share among themselves the personal information they gather about ordinary citizens. Nor do Americans know how these agencies are incorporating data from 3rd party commercial entities, like websites Google or Facebook and data aggregators like Acxiom or LexisNexis, into their database profiles.
* * *
In mid-October and with little fanfare, President Obama signed PPD 20. He uses PPDs to promulgate national security decisions and, since taking office, he has issued 20 directives.
According to the Congressional Research Service, “From the earliest days of the federal government, Presidents, exercising magisterial or executive power not unlike that of a monarch, from time to time have issued directives establishing new policy, decreeing the commencement or cessation of some action, or ordaining that notice be given to some declaration.”
PPDs are state secrets. PPD 20 is believed to legalize two un-Constitutional programs. It may expand the power of the military and intelligence agencies to engage in cyber warfare against those deemed “cyber enemies” anywhere in the world. And it may permit federal agencies to monitor the networks of private companies, such as Google and Facebook.
For many, “NSA” means “Never Say Anything.” In keeping with its customary policy, the NSA refused to provide details about the directive. “Disclosure could reasonably be expected to cause exceptionally grave damage to the national security,” the NSA responded. “Because the document is currently and properly classified, it is exempt from disclosure.”
Efforts by civil liberties groups like the ACLU and the Electronic Privacy Information Center (EPIC) to have the Obama administration reveal the contents of PPD 20 have come to naught. EPIC filed a Freedom of Information Act (FOIA) request to find out what the directive covers.
According to EPIC attorney Amie Stepanovich, “we believe that the public hasn’t been able to involve themselves in the cybersecurity debate, and the reason they can’t involve themselves is because they don’t have the right amount of information.” In response, the NSA claims, “disclosure could reasonably be expected to cause exceptionally grave damage to the national security.”
Some media attention has focused on the NSA’s new Data Center being built on a 240-acre site near Camp Williams, UT, and is expected to be completed in September 2013. It is a 1 million square foot facility, of which 10 percent is dedicated to computer systems; its projected construction cost is estimated between $1 and $2 billion, the true number is top secret. In keeping with its hush-hush policy, the agency says only that the facility will “strengthen and protect the nation’s cyber-security.”
The latest NSA whistleblower, William Binney, a 32-year agency veteran who quit over the agency’s failures that resulted in the 9/11 attacks,warns: “It didn’t take butprobably a week or so after 9/11 that they [NSA] decided to start spying on the U.S. domestically, on all U.S. citizens they could get.” Going further, he insists that the new facility will be able to monitor everything: it “pretty much means all the communications in the world, for roughly a hundred years.”
Since 2005, the NSA has been engaged in the active warrantless surveillance of Americans. In 2008, faced with court challenges from civil liberties groups, the Congress extended the Foreign Intelligence Surveillance Act (FISA) with the FISA Amendments Act (FISAAA). Doing so, the Congress (i) retroactively extended the NSA’s ability to spy on a “suspected terrorist” without a warrant and (ii) expanded its scope of surveillance to Americans engaged in domestic conversations with foreign suspects. Whoever else is being tracked is a national security secret. Sadly, the Supreme Court just reaffirmed the NSA’s authority to spy on Americans.
PPD 20 seems to be pushing the surveillance envelope a couple of steps further. It might provide legal cover for the NSA, CIA and the military to actively engage in cyber attacks against those deemed to be a cyber threat. Potential targets include individuals, organizations and countries. The apparently joint U.S.-Israel 2010 stuxnet virus attack on an Iranian nuclear processing facility is an example of the type of an action likely covered by the directive.
According to the Post article, “The new directive is the most extensive White House effort to date to wrestle with what constitutes an ‘offensive’ and a ‘defensive’ action in the rapidly evolving world of cyberwar and cyberterrorism.”
Notions like “offensive” and “defensive,” like “enemy” and “ally,” “terrorist” and “citizen,” are oh so 20th century. The 21st century spy state is engaged in (to use a popular concept) a “360-degree” conflict. No one is above suspicion, of being a potential threat. Whether an Army general sending personal e-mails or an ordinary citizen making a phone call, everyone is being watched.
Americans are being asked to surrender personal electronic privacy so that the spy state can prevent potential foreign cyber-threats. It’s hard to evaluate this trade-off. No one really knows the seriousness of the “threat.” Is it al-Qaeda or Chinese hackers or Anonymous?
Sadly, most of the operations of the various federal agencies involved in surveillance are done in secret, with little accountability and no transparency. In the weird world of Washington, DC, false consciousness, generals who lose wars get promoted and fools who failed to see 9/11 coming are given Medals of Freedom.
Nevertheless, occasional revelations of the true functionality of the spy state break through the fog of government-media orchestrated censorship. From a “security” perspective, the U.S. seems in bad shape; it’s a nation run by self-serving paranoid incompetents.
Domestically, the centerpieces of the nation’s counterterrorism effort are DHS “fusion centers.” In the wake of 9/11, these centers were set up as joint-agency regional intelligence sharing facilities. The U. S. Senate Permanent Subcommittee on Investigations recently released a 100-page study that found that the DHS spent an estimated $1.4 billion to run 72 fusion centers. It found these centers to be a mess, producing “useless” information while collecting vast amounts of information about innocent Americans.
Senator Tom Coburn (R-OK), the Subcommittee’s ranking member and the person who initiated the investigation, warned: “It’s troubling that the very ‘fusion’ centers that were designed to share information in a post-9/11 world have become part of the problem. Instead of strengthening our counterterrorism efforts, they have too often wasted money and stepped on Americans’ civil liberties.”
The DHS’ Transportation Security Administration (TSA), the agency that gives an airport traveler the security safety shakedown, seems equally troubled. It recently signed a purchase order for “insider threat software,” spyware that monitors its employees’ computer activities.
The TSA’s original RFP, which was subsequently modified, read: “Focused operations is in need of a tool to help detect an insider threat. The focus is to monitor at the host level. … In order to detect an insider threat, technology is required to monitor and obtain visibility into users’ actions.”
The TSA doesn’t trust is own employees, federal agents! The original RFP sought a system that captured every keystroke and chat session, that monitored e-mails and attachments, that logged website visits and file transfers, that tracked the movement of documents and recorded all photos, video clips and screenshots one accesses. The RFP insisted,“The end user must not have the ability to detect this technology” or be able “to kill the process.”
Where the NSA and DHS are focused on what they identify as immediate threats, the DoD’s DARPA sees long term. It’s funding brought the world the Internet, very large-scale integrated circuits (VLSI) and stealth airplanes, among other discoveries.
DARPA is promoting a system dubbed “Insight” that provides for globally integrated “intelligence, surveillance, and reconnaissance” (ISR). Ostensibly for the military, it has great, long-term potential monitoring the civilian population. DARPA recently released an RFP for the project’s second phase; it seeks “to enhance analysts’ ability to more effectively and efficiently process information, the Insight program is developing an adaptable, integrated human-machine Exploitation and Resource Management (E&RM) System.” It committed $80 million to finance the project.
The E&RM System points to the future spying. It seeks to integrate “information across multiple sources, including imaging sensors and non-imaging sensors.” More telling, it seeks the detection and identification of threats through the use of behavioral discovery and prediction algorithms. Big Brother really is watching!
The U.S. and the world has changed since 9/11 and its time to rethink the threat rationale. Americans are paying an ever-increasing price, both in dollars and the loss of personal privacy, to maintain the spy state. It is the 21st century version of President Eisenhower’s “military-industrial complex,” but globalized, financialized and digitized. The spy state is an all-digital operation that integrates domestic and international military, intelligence and corporate systems.
A growing number of federal agencies, working independently, together and in parallel, are tightening the web of the 21st century spy state. These agencies are also working with private corporations and state/local law enforcement entities. Say hello to the new Big Brother.