Late last week, an incredibly dishonest piece was published in The New Republic by Jack Goldsmith arguing not just that we "need" an "invasive NSA,"
but further, that we'll all come to love and appreciate the NSA snooping on all of our electronic communications (including snooping through the "contents" rather than just metadata). Why? Because of that old bogeyman "hackers"! We'll dig through the blatant cluelessness of the piece in a moment, but just to set the context, it's important to note that Goldsmith, back when he was a lawyer in the George W. Bush White House, wrote the memo that gave legal cover
for Bush's warrantless wiretapping efforts. The legal argument was ridiculous: it was, more or less, "if the President does it, it's okay, because he's like powerful and stuff."
We conclude that in the circumstances of the current armed conflict with al Qaeda, the restrictions set out in FISA, as applied to targeted efforts to intercept the communications of the enemy in order to prevent further armed attacks on the United States, would be an unconstitutional infringement on the constitutionally assigned powers of the President. The President has inherent constitutional authority as Commander in Chief and sole organ for the nation in foreign affairs to conduct warrantless surveillance of enemy forces for intelligence purposes to detect and disrupt armed attacks on the United States. Congress does not have the power to restrict the President’s exercise of that authority.
Got that? It's not the 4th Amendment he was worried about infringing on, but rather the "assigned powers of the President," which he argued included ignoring the 4th Amendment's requirement for a warrant
before wiretapping. Anyway, so that gives you some sense of the kind of person writing this defense of an intrusive NSA. He believes that if the President is doing it for a good reason (as, apparently, decided by the President), then it's perfectly legal, because separation of powers is another concept that can be ignored.
Okay, back to his present... screed. The key argument here seems to be to puff up cybersecurity FUD as much as possible to argue that it won't be long until we're all begging
the NSA to spy on us to stop hackers from defacing websites. His big "example" of this is the recent hacking of the NY Times' website by the Syrian Electronic Army. That story got a bit of attention for about two days, and then fell off the map -- which is precisely why Goldsmith is wrong. For all the FUD NSA supporters and big defense contractors keep claiming over cybersecurity, they seem to be unable to get past the fact that when someone hacks a website and defaces it, while it may be a nuisance
, no one dies
. Yes, they like to talk up how many cybersecurity attacks there are going on these days, but they won't discuss the fact that in all of them exactly zero
people have died.
The story of the NY Times hacking disappeared almost as quickly as it happened, because the consequences weren't particularly large or important. Yet, Goldsmith is arguing, effectively, that the NSA needs access to all networks in order to prevent the SEA from hacking the NYT again.
The U.S. government can fully monitor air, space, and sea for potential attacks from abroad. But it has limited access to the channels of cyber-attack and cyber-theft, because they are owned by private telecommunication firms, and because Congress strictly limits government access to private communications. “I can’t defend the country until I’m into all the networks,” General Alexander reportedly told senior government officials a few months ago.
For Alexander, being in the network means having government computers scan the content and metadata of Internet communications in the United States and store some of these communications for extended periods. Such access, he thinks, will give the government a fighting chance to find the needle of known malware in the haystack of communications so that it can block or degrade the attack or exploitation. It will also allow it to discern patterns of malicious activity in the swarm of communications, even when it doesn’t possess the malware’s signature. And it will better enable the government to trace back an attack’s trajectory so that it can discover the identity and geographical origin of the threat.
This makes two big assumptions -- one of which is false and the other of which is misleading. The first is that the NSA could or would actually successfully stop such a hack. This is false. Just like the NSA was unable to actually predict the Boston Marathon bombings, the idea that it could somehow catch a simple phishing trick is laughable. Goldsmith goes on at length about "malware" -- which he seems to grant mystical powers to -- but ignores that the reason the NYT's website got hacked was because of social engineering (via someone phishing
an employee at a domain registrar), not malware. The NSA isn't going to catch that.
Secondly, there's the assumption that the NSA will actually "block or degrade the attack or exploitation." This appears to ignore pretty much everything that's come out about the NSA's activities lately, including its regular buying of exploits, placing backdoors
in products and security standards, and its general focus on using such things offensively
rather than defensively.
Goldsmith just keeps repeating these silly claims with ever grander claims over and over in the piece, as if he repeats it enough, perhaps someone will believe it. Frankly, Goldsmith comes off as an authoritarian-loving lawyer who is almost entirely technologically illiterate. He seems over-awed by the technology and thus insists that (1) the NSA needs to spy on everything to "protect" us and (2) that the government somehow will actually be the best party to protect insecure systems (totally ignoring the fact that the same government actively weakened
those same technologies). For example, he goes back to the claim that some computer vandalism will make people open their arms to a spying NSA:
The first is that the cybersecurity threat is more pervasive and severe than the terrorism threat and is somewhat easier to see. If the Times’ website goes down a few more times and for longer periods, and if the next penetration of its computer systems causes large intellectual property losses or a compromise in its reporting, even the editorial page would rethink the proper balance of privacy and security. The point generalizes: As cyber-theft and cyber-attacks continue to spread (and they will), and especially when they result in a catastrophic disaster (like a banking compromise that destroys market confidence, or a successful attack on an electrical grid), the public will demand government action to remedy the problem and will adjust its tolerance for intrusive government measures.
Except, again, there's little indication that any such attack would shatter people's trust in the market. This seems to presuppose an incredibly stupid populace, not one that can process basic information like "this website was hacked, and it may be inconvenient, but we'll get over it." Ditto the bogeyman of "hacking the electric grid." The NSA has talked up this "electric grid" threat for years
and it's bogus. Actual experts have (literally) called such claims "a bunch of hooey."
And even if hackers could take down an electric grid for some period of time, we have at least some sense of what will happen, thanks to the Northeast blackout of 2003
, which took down a massive section of power in the northeast and midwest. And this was soon after 9/11, so people were especially sensitive to threats of terrorism... and they didn't freak out or destroy society. They waited for things to get sorted out, and people moved on with life. No biggie.
So the whole claim that "the cybersecurity threat is more pervasive and severe than the terrorism threat" is ridiculous.
Goldsmith may want to support his beloved surveillance state, which he personally helped expand a decade ago, but fear mongering is no way to make a compelling argument -- especially when it appears so clueless about the basics of technology and the threats out there.