Getting Beyond the Benedict Arnold of the Cyber Age: Crafting Post-Snowden American Policy and Law

This past week brought more discomfort in the United States produced by Edward Snowden’s disclosures about NSA surveillance activities:

  • The House of Representatives narrowly defeated a proposal to restrict NSA authority to collect telephone metadata in the United States, a vote that caused intra-party clashes within both the Democratic and Republican parties;
  • Legislators in Congress grilled NSA officials on the NSA’s collection of telephone metadata within the US, producing testimony that only heightened congressional concerns about the executive branch’s metadata surveillance activities and their legal justification;
  • The NSA released previously classified documents related to the now infamous Verizon Order leaked by Snowden, an effort at transparency that, apparently, did not make anything more transparent;
  • Courtesy of Snowden, The Guardian revealed another NSA program, called XKeyscore, which caused another round of national and international controversy about US surveillance policies and practices; and
  • The Russian government granted Snowden asylum for one year, allowing him to leave his limbo-laden life at the Moscow airport, a development that perhaps guarantees Snowden’s place in history (and not Bradley Manning) as the Benedict Arnold of the cyber age and made already fraying US-Russian relations worse.

To have Congress close to over-turning a key law passed after 9/11, to deepen tensions between the legislative and executive branches, to provoke the masters of secrecy to try to be more transparent, to wrong-foot the NSA again with a new disclosure, to cause rifts within both major US political parties, and to exacerbate problems between great powers is, ladies and gentlemen, one hell of a week, in more ways than one.

Each development of this past week deserves its own scrutiny, but my objective here is to try to assess what the sum of these episodes means for the US. The initial disclosures from Snowden brought forth calls for a “national conversation” about the implications of the revelations of NSA surveillance activities and the policy and legal justifications for them. This conversation has been extremely awkward because a proudly open and free society found itself debating critical issues kept secret by its government and only revealed by a law-breaker who sought succor in the sovereignty of anti-American governments. To quote one of history’s great admirers of the US, not our finest hour.

But, this past week should signal that the “national conversation” requires decisions needed to shape post-Snowden American policy and law on issues ranging from the privacy of American citizens dependent on digital communications technologies to the impact of cyber espionage on the power and reputation of the US in geopolitics. No one should underestimate the gravity of these decisions because the questions to be answered go deep into what America means at home and abroad. In its main leader of its August 3rd issue, The Economist–hardly an American nemesis–embeds the Snowden affair along with other post-9/11 policies in what it calls “liberty’s lost decade.”

Provocative, to be sure, but The Economist is trying to piece together what it all means for the US, from Mohamed Atta to Edward Snowden, and is encouraging Americans to re-evaluate where their government has been–from detention cells in Guantanamo Bay to “collecting it all” in cyberspace–and whether and how they want the future to be different. We might not like the headlines, the harsh questions, and the flippant or cynical condemnations of American behavior as hysterical hypocrisy. But, when someone like Edward Snowden can affect this country’s domestic politics and foreign affairs as wrenchingly as he repeatedly has (see, this past week), we have serious work to do in crafting policies and laws less dependent on the fear secrecy breeds and more confident in the resilience openness brings when betrayal from within and enmity from without test our interests and values.

Advertisements

Zero-Sum Game: The Global Market for Software Exploits

On July 13, 2013, Nicole Perlroth and David Sanger published a story entitled “Nations Buying as Hackers Sell Flaws in Computer Code” in the New York Times. Perlroth and Sanger wrote:

All over the world, from South Africa to South Korea, business is booming in what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.

. . .

But increasingly the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran’s nuclear enrichment program with a computer worm that became known as “Stuxnet.”

The flaws get their name from the fact that once discovered, “zero days” exist for the user of the computer system to fix them before hackers can take advantage of the vulnerability. A “zero-day exploit” occurs when hackers or governments strike by using the flaw before anyone else knows it exists, like a burglar who finds, after months of probing, that there is a previously undiscovered way to break into a house without sounding an alarm.

The cybersecurity challenge created by the emerging global market in “zero day” exploits has been recognized before by experts (see, e.g., efforts by Christopher Soghoian of the ACLU to highlight this issue) and journalists (see, e.g., this story entitled “The Digital Arms Trade” from The Economist on March 30, 2013). But the Times article gives this problem heightened exposure and will increase political attention on it. With companies–such as Microsoft, Google, and Facebook–and countries–such as Brazil, Britain, China, India, Iran, Israel, Malaysia, North Korea, Russia, Singapore, South Africa, South Korea, and the US–willing to buy “zero day” exploits, Perlroth and Sanger report that “the market for information about computer vulnerabilities has turned into a gold rush.”

Among the many cybersecurity issues the development of this market creates is the question of whether to regulate it, and, if regulation is thought prudent, how to regulate the problem effectively. In its article, The Economist noted that:

Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.

The effort to turn to export-control laws as a way to regulate the sale of “zero day” exploits or, more broadly, the development and sale of purpose-built malware, suggests that strategies and “soft” or “hard” regimes used in non-proliferation and arms control might serve as a basis for thinking about what to do about the market for “digital weapons,” including:

  • National export-control laws with multinational coordination of such regimes among countries (a cyber version of something like the Wassenar Arrangement);
  • Bans or limitations on development, transfer, and use of certain weaponized code intended to have specific purposes or effects considered illegitimate (a cyber version of something like the Protocol Banning Blinding Laser Weapons); or
  • Confidence-building measures, including declaratory policy strategies, aiming for heightened transparency and trust (cyber versions of the CBMs used in the BWC or of “no first use” declaratory statements).

The attractiveness of drawing on ideas from non-proliferation and arms control experience in the realm of cyber weapons exists, as made clear by, among other things, a provision in the proposed National Defense Authorization Act for Fiscal Year 2014 for the President to “establish an interagency process to provide for the establishment of an integrated policy to control the proliferation of cyber weapons through unilateral and cooperative export controls, law enforcement activities, financial means, and diplomatic engagement, and such other means as the President considers appropriate” (Sec. 946, Control of the Proliferation of Cyber Weapons).

Without question, reasons why cyber versions of these approaches would not work can multiply rapidly, including arguments related to the questionable effectiveness of these strategies in their traditional non-proliferation and arms control contexts. In addition, as in many areas of cybersecurity policy and law, reasoning by analogy to policies and regimes designed for other challenges breaks down rather quickly because cyber presents such a different kind of problem attached to technologies unlike what non-proliferation and arms control efforts have addressed in the past.

These various reasons are often why cybersecurity experts exhibit skepticism about “arms control” in the cyber context. Here are Paul Rosenzweig’s thoughts on this question in his blog post on the Perlroth and Sanger article on “zero day” exploits:

In the physical world, the production of weaponry is restricted by the need for an industrial base. In cyberspace, weapons are bits and bytes and produced as intellectual property. With such an ease of manufacture (comparatively) and a global market, there seems to be precious little prospect for an arms-control type approach to eliminating the trade. The market for zero-day exploits will, I think, grow exponentially in the years to come.

Rosenzweig’s prediction might well prove accurate, but policy concerns with this uncontrolled global market for “zero day” exploits and other purpose-built malware are mounting, as illustrated by the ideas being floated in the European Parliament and (perhaps ironically given significant US government participation in this market) by proposed Section 946 of the National Defense Authorization Act for Fiscal Year 2014. As the market charges on, policy anxieties and demands for action will also increase, which will make efforts to control behavior amounting to “beggar thy neighbor’s software” one of the most interesting and difficult cybersecurity challenges governments and companies face.


Surveillance Like a Cancer Grows? The Implications of NSA Intelligence Activities on the Non-Proliferation & Arms Control Communities

ELECTRONIC SURVEILLANCE AND THE COMMUNITIES INVOLVED IN NON-PROLIFERATION AND ARMS CONTROL

In a comment to Dan Joyner’s post on Lawyers, Guns, and Money, Yousaf Butt raised the need to link the disclosures being made about NSA surveillance to the work of people engaged on non-proliferation and arms control issues. In particular, he cited a July 6, 2013, New York Times article by Eric Lichtblau entitled “In Secret, Court Vastly Broadens Powers of N.S.A.” This article was widely read, as evidenced by The Economist basing a story on it. In the Times article, Lichtblau reported US intelligence officials obtaining “access to an e-mail attachment sent within the United States because they said they were worried that the e-mail contained a schematic drawing or a diagram possibly connected to Iran’s nuclear program.” Yousaf asked whether this example means anyone discussing nuclear proliferation could be subject to NSA surveillance. Or, more broadly, could electronic communications about WMD proliferation challenges to US national security be subject to NSA collection activities? Yousaf thought such surveillance could create a “chilling effect” that might adversely affect “free discourse” in the non-proliferation area. Dan asked me to share my thoughts on this issue, so here goes . . .

THE NUCLEAR PROLIFERATION CASE CITED IN THE TIMES ARTICLE

Section 702 of FISA

Let me start with the case reported in the Times and cited by Yousaf. Apparently, the e-mail communication that contained the attachment accessed by US intelligence officials was sent and received in the US, so, if accurately reported by the Times, this case does not involve the authority created in the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 that permits the FISA Court to authorize “the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information,” including communications involving US persons (Section 702, Foreign Intelligence Surveillance Act, 50 USC sec. 1881a(a)). Even though this case does not involve this authority, the free speech concerns raised by lawyers, journalists, and human rights activists in Clapper v. Amnesty International (decided on standing grounds, 133 S.Ct. 1138 (2013)) apply to persons engaged in electronic communications with foreign nationals located overseas on issues relating to US national security.

FISA defines “foreign intelligence” to include “information that relates to . . . the international proliferation of weapons of mass destruction by a foreign power or an agent of a foreign power” (50 USC sec. 1801(e)(1)). As the challenge mounted in Clapper indicates, many communities of interest are concerned about the “chilling effect” of the surveillance authority created by the FISA Amendments Act. The inclusion of WMD proliferation in the definition of foreign intelligence means the non-proliferation and arms control communities have been on notice about this US government power since 2008.

However, Snowden’s disclosures of PRISM (the NSA program operated under Section 702 of FISA) revealed how the US government uses this power. People in communities of interest not previously nervous about Section 702 of FISA might now be concerned about their communications with foreign nationals, and perhaps, as Yousaf’s comment suggests, this includes persons working on non-proliferation and arms control questions. So, as with other interested persons and organizations, the non-proliferation and arms control communities should monitor what happens next with this controversy, including law suits already filed in federal court challenging PRISM.

US Communications, Metadata, and Access to the Content of Communications

However, the case reported in the Times involved an e-mail and its attachment sent and received in the US, meaning that different aspects of FISA applied to this surveillance activity. The Times article is not exactly clear what happened, when it happened, what the FISA court did, and why it did what it did (at least these things are not clear to me from the article). My point is not that the Times article is wrong; my point is that it raises more questions than it answers, and trying to answer some questions proves difficult because of a lack of information. As explained below, these questions require more scrutiny of the Times article’s claim that the FISA court “vastly broadens powers of the N.S.A.” In short, we should not jump to conclusions about the Times article and its implications. In what follows, I try to sort through what the article does contain.

Collecting Internet and E-Mail Metadata

US intelligence officials probably picked up information from collecting and analyzing “metadata” on e-mail traffic that triggered a desire to see the e-mail attachment in question. Part of Snowden’s disclosures included information about the US government’s collection of e-mail and other Internet metadata within the US after 9/11 through 2011, when this aspect of NSA surveillance was apparently terminated. Initially undertaken by the Bush administration outside FISA, the collection and analysis of e-mail and other Internet metadata came within FISA court review and approval in 2004, after which the FISA court reviewed and approved orders for such surveillance periodically until 2011, when the Obama administration stopped this particular metadata surveillance effort.

Application of the “Special Needs” Exception to Collection of Internet and E-Mail Metadata under FISA

According to the Times article, the FISA court determined that such metadata surveillance did not violate the Fourth Amendment and relied, apparently, on the “special needs” exception to the Fourth Amendment’s warrant requirement. Generally, the “special needs” exception allows the government to undertake a search without a Fourth Amendment warrant to gather information unrelated to law enforcement purposes (e.g., drug tests of railway workers; passenger screening at airports). Referring to outside legal experts, the Times article commented that this application of this exception “is significant . . . because it uses a relatively narrow area of the law . . . and applies it much more broadly, in secret, to the wholesale collection of communications” for foreign intelligence purposes, including countering terrorism, WMD proliferation, espionage, and cyber attacks. This alleged expansive use of the “special needs” doctrine by the FISA court forms part of the Times article’s observation that this court is perhaps becoming “almost a parallel Supreme Court” because it regularly assesses “broad constitutional questions” and establishes judicial precedents for foreign intelligence surveillance.

Here is where the questions about the article begin to multiply. For starters, telephony and Internet metadata is not protected by the Fourth Amendment under existing jurisprudence, so, presumably, the FISA court does not need the “special needs” exception to the Fourth Amendment to review and approve collection of metadata. As Orin Kerr commented, if the FISA court “has ruled that all metadata is outside the Fourth Amendment, that’s not a surprise.”

Next, the “special needs” exception  has long been associated with the gathering of foreign intelligence by the US government and with FISA itself. As Kris and Wilson put it, “Congress enacted FISA explicitly to serve as a special need not related to ordinary law enforcement: foreign intelligence and counter-intelligence. The courts have upheld FISA under a special-needs theory against multiple constitutional challenges” (David S. Kris and J. Douglas Wilson, National Security Investigations & Prosecutions (2007), sec. 11:12, p. 11-30). So, foreign intelligence activities subject to FISA fall under the “special need” exception for foreign intelligence gathering under existing law and jurisprudence. Again, Kerr commented that, if the FISA court has held that foreign intelligence efforts to locate terrorists fall under the “special needs” exception, then “that’s not noteworthy.” The same applies to foreign intelligence gathering for other serious national security threats, such as WMD proliferation.

These observations suggest that the FISA court is not vastly increasing the powers of the NSA or acting as a “parallel Supreme Court”  but is operating within existing jurisprudence and statutory law. So, what’s going on here? I’m not sure based on what the Times article contains. Now, people might be worried about the powers existing jurisprudence and statutory law give the NSA and the FISA court–but the Times article claims something new, different, and secret is happening that does not track case precedents and legislation.

Accessing the E-Mail Attachment Related to Nuclear Proliferation

As noted above, the Times article reported that US intelligence officials went beyond metadata collection and accessed the content of an e-mail communication in the form of an attachment the officials feared “contained a schematic drawing or diagram possibly connected to Iran’s nuclear program.” The Times article is not clear how, and under what authority, the US intelligence officials accessed the content of this e-mail communication. The article states that gaining such access “[i]n the past . . . probably would have required a court warrant because the suspicious e-mail involved American communications.”

Well, if the US government wanted access to the e-mail attachment for foreign intelligence purposes, then FISA requirements for obtaining a FISA court order to undertake such content-based surveillance within the US apply. However, the Times article is not clear whether US intelligence officials obtained a FISA court order to access the content of the e-mail communication in question. Confusingly, the article follows up its statement about the probable need for a “court warrant” with a description of the broadening of the FISA definition of “foreign intelligence” in 2008 to include information related to WMD proliferation–information that is not helpful to understanding whether the US government obtained FISA court approval to access the e-mail attachment in question.

If the government obtained the FISA court’s specific approval for its access to the e-mail attachment, then the government complied with the relevant law–nothing new, then, legally speaking. However, if the FISA court has constructed some “special needs” exception to the FISA requirement to obtain a specific order for electronic surveillance in the US for foreign intelligence purposes, then we might have something new to ponder. But the Times article does not provide enough information to pursue this inquiry in any productive manner. We would have to be able to examine the FISA court decisions mentioned in the article, but those remain secret.

CONCLUSION

OK, so what does all of this mean for communities interested in non-proliferation and arms control that communicate through e-mail and other electronic means with people inside and outside the US? Based on what’s in the Times article, here’s my answer:

  • Since the FISA Amendments Act of 2008 added Section 702 to FISA, it has been clear that electronic communications by US persons with foreign nationals could be subject to broad, FISA court-approved surveillance to acquire foreign intelligence through targeting persons reasonably believed to be located outside the US. The Times article does not change what we have known for quite some time on this aspect of FISA.
  • The Times article’s reference to the “special needs” exception creates more questions than answers, meaning that, in such a state of affairs, it is best not to rage first and ask legal questions later. We know enough to wonder whether the article is accurately describing what’s actually happened in the FISA court. But, given recent disclosures, we also know enough to worry that we don’t know everything we need to know to assess what’s going on.
  • What exactly the FISA court has done in the rulings mentioned in the Times article remains unclear, and the rulings remain secret. For the time being, we don’t know what we don’t know concerning the legal reasoning used by the FISA court.

My intent is not to promote a “don’t worry, be happy” attitude about the implications of NSA surveillance programs disclosed in recent weeks either generally or specifically to work that you might do. Like many people, I worry about the scale of the surveillance the disclosures have revealed and about some legal justifications given for these secret programs. But I am also concerned that the incomplete information we are getting through leaks in dribs and drabs is creating and agitating fears that, like a toxic miasma, government surveillance is permeating everything, everywhere and affecting everybody without meaningful limits or oversight. To prevent actual and imagined surveillance from doing more damage to the body politic, more transparency is required politically and legally.


Me Thinks They Doth Protest Too Much: Espionage in the Cyber Age

This past weekend brought more Snowden flakes about NSA spying. However, this time the alleged espionage targeted not American citizens, “foreign nationals reasonably believed to located outside the US,” or China but American allies–European Union (EU) officials, diplomatic facilities, and computer networks. If true (as seems likely from US government responses–see below), these leaks combine with the previous disclosures about NSA surveillance to inform people of the scale, capabilities, and audacity of US intelligence gathering activities.

European leaders expressed shock and took much umbrage, with some dredging up the dark spying days of the Cold War and others issuing threats of adverse consequences for upcoming US-EU negotiations on a transatlantic trade agreement. Responses from President Obama, the Director of National Intelligence, and Secretary of State made the same point–the US engages in espionage as all nations do in order to protect foreign policy and national security interests.

This response was simultaneously true and disingenuous. All countries spy in some form or another, and, European public displays of anger aside, the spying includes keeping an eye on allies. And that includes the intelligence agencies of European countries whose leaders were shocked–so shocked!–at the US gathering intelligence on their possible future actions. The response was disingenuous because the US has an intelligence capability that is unrivaled in the world and the political and economic power to pursue espionage without fear of serious consequences. See, for example, the US-EU transatlantic trade talks will start as scheduled despite lots of frothing Euro mouths.

However, not too long ago, it was American officials and politicians who were frothing about Chinese cyber spying against the US government and US-based companies. Snowden’s apparent disclosure of large-scale US cyber espionage against Chinese government, business, and academic targets and, now, allegations about US spying on European governments, makes the past few months of portraying Chinese cyber espionage as beyond the pale look, well, less impressive. Even the US attempt to distinguish economic espionage against companies from classical state-on-state spying gets lost in the growing perception–now directly re-enforced by the US government–that all countries engage in espionage against allies and rivals whenever and however they see fit. In this light, earnestly repeated assertions by China that it does not engage in cyber espionage against the US and other countries and that it is the innocent victim of American spying appear, strangely, rather unseemly for a rising world power.

Should the protagonists in these events stop whining about espionage and just get on with it? Or, do these revelations suggest that the Internet has turned “everybody does it” espionage into an out-of-control phenomenon that damages individual privacy, alliances, and great power politics and requires some re-thinking? Existing international law is permissive of spying, and the few international legal rules that contain limits do not constrain the practice in any effective way. As already indicated, Snowden’s leaks have derailed the US effort to portray Chinese cyber espionage as outside “norms of responsible behavior in cyberspace,” and the coordinated chorus from top US government officials to the latest leak that “all nations do it” might well have ended the willingness of other countries to consider American ideas about re-thinking international norms about espionage in light of the global importance of the Internet.


Call Me, Maybe: New US-Russia Cybersecurity Initiatives

At the G-8 meeting in Northern Ireland, the United States and Russia made efforts to improve bilateral relations, and these efforts include new initiatives on cybersecurity that mean, according to the White House, the US and Russia “now are leading the way in extending traditional transparency and confidence-building measures to reduce the mutual danger we face from cyber threats.” These initiatives involve:

1. Deeper engagement through senior-level dialogue. Through the existing US-Russia Presidential Bilateral Commission, the two countries are establishing a new working group tasked with assessing emerging threats to information and communication technologies (ICTs) and proposing joint responses to such threats.

2. ICT confidence-building measures. The US and Russia agreed to implement new confidence-building measures (CBMs) “designed to increase transparency and reduce the possibility that a misunderstood cyber incident could create instability or a crisis in our bilateral relationship.” The CBMs seek to strengthen US-Russian relations in cyberspace, expand a shared understanding of cyber threats that appear to originate in each other’s territories, and prevent escalation of cybersecurity incidents. The CBMs adopted are:

    – Links and information exchanges between the US and Russian computer emergency readiness teams (CERTs) to increase information sharing between the two countries on “technical information about malware or other malicious threats” in order to facilitate “proactive mitigation of threats.”

    – Exchange of cybersecurity notifications that will permit communications and “formal inquiries about cybersecurity incidents of national concern.” Such information exchanges and inquiries will flow through the existing Nuclear Risk Reduction Center, established in 1987 between the US and the former USSR, in order to facilitate reduction of “misperception and escalation from ICT security incidents.”

    – Direct cyber hotline between the White House and the Kremlin to provide a secure means to “manage a crisis situation arising from an ICT security incident.” The direct cyber hotline will be integrated into the existing Direct Secure Communication System the two countries maintain.

The White House also indicated that, in order to “create predictability and understanding in the political military environment, both the U.S. and Russian militaries have shared unclassified ICT strategies and other relevant studies with one another. These kinds of exchanges are important to ensuring that as we develop defense policy in this dynamic domain, we do so with a full understanding of one another’s perspectives.”

These steps by the US and Russia are important for cybersecurity because the two countries are applying approaches used in arms control contexts (e.g., CBMs and “hotline” communications) to cybersecurity challenges. This strategy dovetails with needs emphasized in cybersecurity policy–the need for better “situational awareness” and transparency through increased information exchange and for stronger, more effective cooperation among key countries through functional collaboration at the technical level and political interactions among high-level officials.

Although based on long-standing arms control strategies, their application to cybersecurity will develop its own features given the differences between addressing cyber threats and, say, preventing nuclear war. In arms control contexts, CBMs have, at best, a mixed record, so we should not expect “iCBMs” to be a panacea for cybersecurity problems experienced nationally or internationally. The US-Russian initiatives do not restrain, for example, cyber espionage or development of more powerful military cyber capabilities or resolve disagreements the US and Russia have over broader cyberspace issues, such as Internet governance and “Internet freedom.” But the US-Russia initiatives provide a test case for understanding whether legacy strategies from arms control, such as CBMs and hotlines, can contribute to stabilizing geo-cyber politics.


“Peace with Justice”: Nuclear Weapons and Cyber Surveillance

In his June 19 remarks at the Brandenburg Gate in Berlin, President Obama stressed the theme of achieving “peace with justice” in addressing challenges the United States and its allies face–and two of the challenges he highlighted are of interest to the readers of Arms Control Law–nuclear weapons and cyber surveillance against terrorism.

Nuclear Weapons

Press reports have often focused on the President’s proposal to reduce the numbers of US and Russian nuclear warheads by one-third from the levels set in the New Start Treaty. But the President’s remarks went beyond this proposal to lay out an even more ambitious agenda of nuclear diplomacy for his second term.

After declaring that “so long as nuclear weapons exist, we are not truly safe[,]” the President said:

Peace with justice means pursuing the security of a world without nuclear weapons — no matter how distant that dream may be. And so, as President, I’ve strengthened our efforts to stop the spread of nuclear weapons, and reduced the number and role of America’s nuclear weapons. Because of the New START Treaty, we’re on track to cut American and Russian deployed nuclear warheads to their lowest levels since the 1950s.

But we have more work to do. So today, I’m announcing additional steps forward. After a comprehensive review, I’ve determined that we can ensure the security of America and our allies, and maintain a strong and credible strategic deterrent, while reducing our deployed strategic nuclear weapons by up to one-third. And I intend to seek negotiated cuts with Russia to move beyond Cold War nuclear postures.

At the same time, we’ll work with our NATO allies to seek bold reductions in U.S. and Russian tactical weapons in Europe. And we can forge a new international framework for peaceful nuclear power, and reject the nuclear weaponization that North Korea and Iran may be seeking.

America will host a summit in 2016 to continue our efforts to secure nuclear materials around the world, and we will work to build support in the United States to ratify the Comprehensive Nuclear Test Ban Treaty, and call on all nations to begin negotiations on a treaty that ends the production of fissile materials for nuclear weapons. These are steps we can take to create a world of peace with justice.

Predictably, this agenda has sparked questions, skepticism, and opposition. But, with the speech, the President made clear that he wants his presidential legacy linked with global progress toward a world without nuclear weapons.

Cyber Surveillance and Terrorism

In a less noted section of the speech, the President included the challenge of “balancing the pursuit of security with the protection of privacy” within the “peace with justice” agenda. Here the President was referring to the international controversies caused by the disclosure of secret US surveillance programs, including PRISM, which targets Internet communications of foreign nationals. The President’s host, German Chancellor Angela Merkel, has been one of the leading European politicians to raise concerns about PRISM. The President said:

Our current programs are bound by the rule of law, and they’re focused on threats to our security — not the communications of ordinary persons. They help confront real dangers, and they keep people safe here in the United States and here in Europe. But we must accept the challenge that all of us in democratic governments face: to listen to the voices who disagree with us; to have an open debate about how we use our powers and how we must constrain them; and to always remember that government exists to serve the power of the individual, and not the other way around. That’s what makes us who we are, and that’s what makes us different from those on the other side of the wall.

Unlike pushing nuclear diplomacy forward, President Obama, no doubt, did not plan to talk about this issue in this speech but was forced to do so by the fallout from the disclosures. Here, the President defends what he believes is “peace with justice” in terms of the balance his administration struck between preventing terrorism and protecting civil liberties. This balance, and the process through which it is achieved, he distinguished “from those on the other side of the wall”–a phrase that resonates with memories of physical walls of the past and worries about virtual walls of the present. Whether Americans agree with the President about what should happen on our side of the wall remains to be seen, an outcome that will also affect how history remembers this President.


Has Code Become Law? The Liberty Implications of NSA Technological Capability

The furor sparked by disclosure of secret U.S. government surveillance programs reminded me of the famous argument about the relationship of liberty and cyberspace—Harvard Professor Lawrence Lessig’s assertion that, in cyberspace, “code is law.” By this, Lessig meant that the software code that makes the Internet and related technologies run empowers and restricts behavior and, thus, regulates activities in cyberspace. Lessig warned that the regulatory effects of code could displace constitutional traditions and threaten political liberty unless deliberative democracy controls the power that software code creates.

The United States is now debating the legality of power the U.S. government claims it possesses in cyberspace—a power that includes collecting daily the records of phone calls made by millions of Americans. Defenders of the surveillance programs argue that this power, and its secret exercise, is necessary to prevent terrorist attacks. However, arguments that covert government activities are vital for national security are not new; they are as old as politics and, in the United States, a traditional source of skepticism in a Republic self-governed by a free people. The argument from necessity has been fountainhead of abuses in the past, but it has never before been the justification for the mass collection of information on the daily communications of millions of Americans not suspected of any wrongdoing, let alone involvement with terrorism. So what explains why we hear this justification now?

What is new is the technological capability of the U.S. government to collect, mine, and use that information in the name of national security. Technological innovation permits the private sector (think Facebook and Google) and the government—and the NSA in particular—to develop data storage and data-mining capabilities that permit the acquisition and analysis of almost unimaginable amounts and kinds of digital information. The fundamental enabler of this unprecedented capability is software code. Here, code is power.

Prior to development of this code-based capability, it was not feasible to collect and analyze records on the daily communications of millions of Americans in a timely or useful manner—making arguments for the national security necessity of doing so pointless. But, now, the U.S. government can undertake mass surveillance and, apparently, produce actionable intelligence from Americans’ local phone calls that thwarts terrorist attacks. Here, code creates a vital national security interest where none existed before.

In the American tradition, the Constitution and the Bill of Rights provide the sword and the shield against government attempts to exercise power against Americans for national security reasons, and opponents of the secret surveillance of Americans’ telephone calls have turned again to this arsenal. However, we have to ask whether the technological capability to undertake surveillance on a scale never before possible has changed interpretations of the law the government used, namely Section 215 of the PATRIOT Act. Many have re-read Section 215 in light of recent disclosures and have been unsettled to learn it justifies the daily collection of data about the communications of law-abiding Americans because the U.S. government is investigating international terrorism.

Are we now interpreting laws, including constitutional principles, differently because we can, with software-enabled technologies, do things that were impossible before and that our history suggests we should resist, especially when coupled with the argument of national security need? If so, is software code defining the law and the scope of liberty?

Just as Americans have often been wary of arguments that the exercise of expansive, secret government power is justified by national security necessity, the unfolding debate in the United States should also interrogate arguments that the government must exercise such power because, now, it can.