National Security Agency Director Michael Rogers told Congress Thursday terrorist groups have rapidly changed their communications behavior since the Snowden leaks in 2013, and the new program replacing the agency’s bulk phone records collection will severely affect NSA’s ability to respond to imminent terrorist threats.
While briefing the Senate Intelligence Committee Thursday, Rogers told lawmakers Islamic extremist groups including ISIL and Al-Qaeda in the Arabian Peninsula have frequently referenced media reports of classified NSA surveillance programs leaked by former NSA contractor Edward Snowden in intercepted communications, and have changed their behavior at a rate he’s never seen before in the last two years.
“We know that they have achieved a level of insight as to what we do, how we do it and the capabilities we have that quite frankly, they didn’t have in the past,” Rogers said. “As a result of that, quite frankly, it has become harder — more difficult — to achieve insights as to what they are doing.”
While discussing the replacement of the bulk phone metadata program with a new framework established under the USA Freedom Act, Rogers was frank in telling lawmakers NSA’s ability to respond to terrorist threats will be significantly slowed and weakened by the new program, scheduled to take effect Nov. 29.
Under the old program, Rogers said the process of accessing data in emergency situations to prepare a tactical response — from his subordinates’ briefing, to his approval and eventually querying the database — took less than 24 hours. In non-emergency situations, when the agency sought court approval first, the average length took between two and six days.
Rogers further explained his ability to respond to urgent threats with emergency powers, which previously allowed him to access the database without seeking approval first, would be gone under the new system, forcing him to get approval from the attorney general first.
One lawmaker used the example of a plane suddenly changing direction in a 9/11-style scenario to ask if Rogers’ ability to access the database quickly would be affected.
“Something that imminent probably can’t be addressed in time to put up the defenses?” Indiana Republican Sen. Dan Coates asked.
“Not in minutes,” Rogers responded. “I doubt we could do it in minutes.”
Rogers said he couldn’t predict exactly how long it would take under the new system until it’s implemented, but confidently informed lawmakers it would take longer.
“Do you expect that ending bulk collection is going to significantly reduce your operational capability?” Oregon Democratic Sen. Ron Wyden, the committee’s leading anti-surveillance hawk, asked Rogers.
“Yes,” Rogers responded, explaining it would be more difficult to discover new leads and generate general behavioral insight without bulk collection. He further cited a National Academy of Sciences review that found no current acceptable replacement for the intelligence value pulled from bulk collection.
Wyden countered by citing the findings of a panel established by President Obama to review the bulk collection program in the wake of the Snowden leaks, which unanimously agreed the program never prevented a terrorist attack, and was ineffective in doing so.
“As you know the president’s advisory committee disagreed with you,” Wyden told Rogers. “They said … that there’s no value to bulk collection that could not be obtained through conventional means.”
Maine Republican Sen. Susan Collins asked Rogers if NSA’s bulk records database had ever been misused by agency employees. Rogers said no abuse ever occured, and that only 30 NSA employees ever had access to the database — each of whom had every keystroke logged and monitored by superiors.
“It’s very ironic the USA Freedom Act was passed under the guise of increasing privacy protections for the American people when there are 1,400 telecom companies, 160 wireless carriers … isn’t it likely that far more than 30 people will now be involved in this process?” Collins asked.
“Yes, I would expect that to be the case,” Rogers said.
On the “Going Dark” issue Rogers said more extremist groups are adopting “apps and end-to-end encryption to hide in the broader set of noise that’s out there,” but admitted, in the broader sense, that a third-party holding onto encryption keys makes data less secure.
“I don’t think you want the government deciding what the right answer is here,” Rogers said. “We’ve got to collectively get together between the private sector, government, industry, policy, the technical side, and sit down and figure out how we’re going to work our way through this.”
The NSA director and commander of U.S. Cyber Command repeated a need he expressed last week for a clear U.S. doctrine on norms and responses to cyber aggression to act as a deterrent to countries like China.
“As a sailor I can remember at the height of the Cold War, we knew exactly how far we could push each other out there,” Rogers said. “We’ve got to get to the same level of understanding in this domain, and we are not there right now.”
Rogers was reluctantly brought into the issue surrounding Hillary Clinton’s use of a private email server at the State Department when he was posed a hypothetical question about Russian Foreign Minister Sergey Lavrov doing the same thing.
“From a foreign intelligence perspective, that represents opportunity,” Rogers said, adding that he didn’t know if anyone at NSA had emailed Clinton on the private server.
As lawmakers debate funding bills with the possibility of a shutdown looming next week, Rogers assured senators a shutdown would compromise national security, and make it harder to retain employees, many of whom could seek much more lucrative careers in Silicon Valley.
“[I’ve been] watching the reaction at the workforce at NSA and U.S. Cyber Command, who are going, ‘Again?’” Rogers said. “What the workforce is reading in the media right now is not helpful.”