In the coming weeks, Congress and the civilian defense leadership will have to ask a lot of questions about the National Security Agency's surveillance programs, and how to reconcile them with privacy concerns. But they will also have to ask a more basic set of questions: Why on earth wasn't the NSA prepared for this? Why didn't the intelligence agency's leadership have a plan to deal with the global outcry that would follow the leak of classified Internet surveillance programs?
Contingency planning is a critical part of every military operation, and is even more important for secret or covert activities. The Central Intelligence Agency and Special Forces Command examined every possible thing that could go wrong on the raid to kill Osama bin Laden, for example, and had clear plans to deal with any ensuing fallout. Although it has an intelligence mandate, the NSA is a Defense Department organization, and the director of NSA is a 4-star general. As such, it is troubling that the NSA appears to have had no plan in place for how to respond once its spying program was made public and plastered on front pages around the world. Instead, the best defense General Alexander could offer a room full of security professionals at the Black Hat convention, almost two months after the leak, was an explanation of FISA courts and the successful prosecution of a San Diego cab driver who sent money to a Somali militia.
The NSA leadership had ample warning signs that leaks were possible, and that public reaction in the U.S. and around the world would be overwhelmingly negative. In 2003, Congress shut down Admiral Poindexter's 'Total Information Awareness' program over concerns that building massive databases of electronic transactions raised too many privacy problems to justify the anti-terror benefits. After Bradley Manning turned over classified State Department and Defense Department data to Wikileaks, the entire security establishment should have been on notice that sensitive programs could be disclosed.
The warning signs about fallout from the NSA Internet surveillance were even clearer: Senators Ron Wyden and Mark Udall publicly raised concerns about the program as far back as 2011, and directly communicated their worries to General Alexander in 2012. Yet leaders in the signals intelligence community appear to have paid little attention to how disclosure of these programs might impact anything other than U.S. intelligence efforts.
The disclosures have caused quite a bit of trouble. Our relationships with our allies have been tested, as global anger following the initial reports demanded a political response. Other priorities of the administration have been put at risk, from critical trade bills about digital goods, to American leadership in securing an open Internet free of government control and interference.
But the greatest fallout may come from the NSA's failure to safeguard the trust and reputation of American technology companies.
A 2009 Inspector General report details how NSA leadership understood concerns of private companies about legal liability, but what about the broader reputational risk?
When initial reports of the PRISM program asserted that there were backdoors and direct data access in some of the most important tech companies in the world, the firms' awkward denials were justifiably met with skepticism. They couldn't fully deny the charges without disclosing certain classified details, and the only affirmative statements they could make had to be cleared with the government first, which ultimately led to all of the companies issuing statements that included curiously similar phrasing, further fueling paranoia. By the time the record was corrected, over a week later, the damage had been done. Even if the surveillance programs are legally constrained and ostensibly target only a small number of suspects, the companies are perceived as being complicit in a massive, American government dragnet.