(The intelligence community has always maintained that its personnel have used such tools, which have names like Optic Nerve, Gilgamesh, and Xkeyscore, in accordance with U.S. law. After a New York federal appeals court ruled the practice of storing bulk metadata on Americans to be illegal, the government ended the practice.)
“We literally worked to identify the data that he touched, the data that he exposed in the media,” Evanina said. Then his team worked to figure out both the overall national-security impact and the effect on individual agencies, such as the National Geospatial-Intelligence Agency, the CIA, and the FBI.
“Those agencies will dig down deep and figure out what those equities are for themselves,” he said.
While the headlines around the disclosure have faded, the details of the programs still make their way into trade and academic journals, says Evanina. The public doesn’t notice, but “foreign adversaries care,” he says.
Every time a new detail, or simply a new analysis of an old detail, hits the web, Evanina and his group have to calculate how it will affect current and future operations. They also analyze who will gain the most from the new revelation.
“For instance,” he says, “imagine there’s an article in Der Spiegel on how the NSA can tell if you have a white phone or a blue phone?” It’s Evanina’s job to figure out, “Who would really want to know that? If everybody knows we can tell white and blue phones, the damage is minimal. If no one knows that we have both white and blue telephones, then who benefits the most? The Russians or the Chinese?”
The NCSC does that with the help of a task force whose members, drawn from various intelligence agencies, get together either in person or over the phone on a nearly weekly basis to figure out exactly how much insider information is still outside and what it means. It reports to Congress and to the director of national intelligence every six months.
* * *
Evanina is also responsible for preventing, or at least mitigating the damage from, new insider leaks. The intelligence community has begun spying on itself more effectively, setting up methods to monitor “patterns of life”—not just of people, but of data as well. He says the intelligence community has done “a great job of putting sirens and bells on the movement of data,” applying the same level of scrutiny to a systems administrator as to a major operative.
Some of this was conceived years before Snowden made off with the files. Executive Order 13587, issued in 2011, ordered the intelligence community to develop ways to continuously evaluate everyone who holds a Top Secret clearance. The goal is to automatically scan for things like arrests, foreign travel, even worrisome social-media content (that’s public-facing, not hidden behind privacy settings), and other potential red flags in real time, as opposed to every five years, as standard background checks do. But continuous evaluation is also supposed to scan for signals such as how often a worker might come in on the weekends, if he or she is attempting to access new data sources, unusual printer use—anything that could indicate a change to pattern of life.