Symposium on my cyber operations book

The online academic journal Questions of International Law has just published a symposium on my book Cyber Operations and the Use of Force in International Law (which is now available also in paperback). Two excellent scholars, Prof. Christian Henderson (Sussex University) and Dr. Emanuele Sommario (Scuola Superiore Sant’Anna – Pisa) discuss my analysis of the jus ad bellum and jus in bello issues arising from the use of cyber technologies. Their reviews are themselves very interesting contributions to the debate on cyber security and well worth reading.

Another excellent (and very positive!) review of my book has been written by Vincent Roobaert and has been published in the latest issue of the NATO Legal Gazette.

Advertisements

Synthetic biology & biosecurity: How scared should we be?

The link between synthetic biology and heightened biosecurity threats is often exaggerated. In a report published today (22nd May), King’s College London researchers say that in order to produce more refined assessments of the biosecurity threat, we need to understand more clearly what would be achieved by synthetic biology’s goal to ‘make biology easier to engineer’.

Synthetic Biology and Biosecurity: How scared should we be? summarises and analyses the discussions from a workshop organised by Dr Catherine Jefferson, Dr Filippa Lentzos and Dr Claire Marris, at King’s in February 2014.

Synthetic biology’s aim to make biology easier to engineer has raised concerns that it could increase the risk of misuse for biowarfare or bioterrorism. The workshop brought together synthetic biologists, social scientists, policy experts and science journalists to explore whether concerns about these risks are realistic or exaggerated in the light of current scientific realities.

It is often assumed that synthetic biology will ‘de-skill’ biology and that this means that any layperson, working outside professional scientific institutions, is or soon will be able to design and engineer living organisms at will. However, workshop participants argued that this representation is too simplistic. De-skilling does not necessarily mean that skills become irrelevant. As we see in other industries such as aeronautics, de-skilling does not necessarily mean that specialised expertise becomes irrelevant.

The report will be presented at the meeting of experts to the Biological Weapons Convention at the United Nations in Geneva this summer.

Join the discussion and tell us what you think on twitter: #synbiosec

The “Synthetic Biology and Biosecurity” workshop and report formed part of SSHM’s on-going work on the social dimensions of synthetic biology, conducted within the EPSRC funded Centre for Synthetic Biology and Innovation and the Flowers Consortium, and an ESRC funded project on the politics of bioterrorism.

[Original post by Filippa Lentzos; cross-posted from The Trench]


Global mass surveillance: We cannot say we were not warned

Yesterday I came across this report to the European Parliament (‘An appraisal of technologies of political control’). According to the report, ‘[w]ithin Europe, all email, telephone and fax communications are routinely intercepted by the United States National Security Agency, transferring all target information from the European mainland via the strategic hub of London then by Satellite to Fort Meade in Maryland via the crucial hub at Menwith Hill in the North York Moors of the UK’ (p. 19). The date? 6 January 1998. In light of the recent disclosures, it seems that the warning contained in the report fell on deaf ears.


Conference in Naples

I would like to bring to our readers’ attention this conference on nuclear disarmament and non-proliferation that is taking place at the end of this week in Naples. I will be one of the discussants in the first session. Come if you can!


Getting Beyond the Benedict Arnold of the Cyber Age: Crafting Post-Snowden American Policy and Law

This past week brought more discomfort in the United States produced by Edward Snowden’s disclosures about NSA surveillance activities:

  • The House of Representatives narrowly defeated a proposal to restrict NSA authority to collect telephone metadata in the United States, a vote that caused intra-party clashes within both the Democratic and Republican parties;
  • Legislators in Congress grilled NSA officials on the NSA’s collection of telephone metadata within the US, producing testimony that only heightened congressional concerns about the executive branch’s metadata surveillance activities and their legal justification;
  • The NSA released previously classified documents related to the now infamous Verizon Order leaked by Snowden, an effort at transparency that, apparently, did not make anything more transparent;
  • Courtesy of Snowden, The Guardian revealed another NSA program, called XKeyscore, which caused another round of national and international controversy about US surveillance policies and practices; and
  • The Russian government granted Snowden asylum for one year, allowing him to leave his limbo-laden life at the Moscow airport, a development that perhaps guarantees Snowden’s place in history (and not Bradley Manning) as the Benedict Arnold of the cyber age and made already fraying US-Russian relations worse.

To have Congress close to over-turning a key law passed after 9/11, to deepen tensions between the legislative and executive branches, to provoke the masters of secrecy to try to be more transparent, to wrong-foot the NSA again with a new disclosure, to cause rifts within both major US political parties, and to exacerbate problems between great powers is, ladies and gentlemen, one hell of a week, in more ways than one.

Each development of this past week deserves its own scrutiny, but my objective here is to try to assess what the sum of these episodes means for the US. The initial disclosures from Snowden brought forth calls for a “national conversation” about the implications of the revelations of NSA surveillance activities and the policy and legal justifications for them. This conversation has been extremely awkward because a proudly open and free society found itself debating critical issues kept secret by its government and only revealed by a law-breaker who sought succor in the sovereignty of anti-American governments. To quote one of history’s great admirers of the US, not our finest hour.

But, this past week should signal that the “national conversation” requires decisions needed to shape post-Snowden American policy and law on issues ranging from the privacy of American citizens dependent on digital communications technologies to the impact of cyber espionage on the power and reputation of the US in geopolitics. No one should underestimate the gravity of these decisions because the questions to be answered go deep into what America means at home and abroad. In its main leader of its August 3rd issue, The Economist–hardly an American nemesis–embeds the Snowden affair along with other post-9/11 policies in what it calls “liberty’s lost decade.”

Provocative, to be sure, but The Economist is trying to piece together what it all means for the US, from Mohamed Atta to Edward Snowden, and is encouraging Americans to re-evaluate where their government has been–from detention cells in Guantanamo Bay to “collecting it all” in cyberspace–and whether and how they want the future to be different. We might not like the headlines, the harsh questions, and the flippant or cynical condemnations of American behavior as hysterical hypocrisy. But, when someone like Edward Snowden can affect this country’s domestic politics and foreign affairs as wrenchingly as he repeatedly has (see, this past week), we have serious work to do in crafting policies and laws less dependent on the fear secrecy breeds and more confident in the resilience openness brings when betrayal from within and enmity from without test our interests and values.


Surveillance Like a Cancer Grows? The Implications of NSA Intelligence Activities on the Non-Proliferation & Arms Control Communities

ELECTRONIC SURVEILLANCE AND THE COMMUNITIES INVOLVED IN NON-PROLIFERATION AND ARMS CONTROL

In a comment to Dan Joyner’s post on Lawyers, Guns, and Money, Yousaf Butt raised the need to link the disclosures being made about NSA surveillance to the work of people engaged on non-proliferation and arms control issues. In particular, he cited a July 6, 2013, New York Times article by Eric Lichtblau entitled “In Secret, Court Vastly Broadens Powers of N.S.A.” This article was widely read, as evidenced by The Economist basing a story on it. In the Times article, Lichtblau reported US intelligence officials obtaining “access to an e-mail attachment sent within the United States because they said they were worried that the e-mail contained a schematic drawing or a diagram possibly connected to Iran’s nuclear program.” Yousaf asked whether this example means anyone discussing nuclear proliferation could be subject to NSA surveillance. Or, more broadly, could electronic communications about WMD proliferation challenges to US national security be subject to NSA collection activities? Yousaf thought such surveillance could create a “chilling effect” that might adversely affect “free discourse” in the non-proliferation area. Dan asked me to share my thoughts on this issue, so here goes . . .

THE NUCLEAR PROLIFERATION CASE CITED IN THE TIMES ARTICLE

Section 702 of FISA

Let me start with the case reported in the Times and cited by Yousaf. Apparently, the e-mail communication that contained the attachment accessed by US intelligence officials was sent and received in the US, so, if accurately reported by the Times, this case does not involve the authority created in the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 that permits the FISA Court to authorize “the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information,” including communications involving US persons (Section 702, Foreign Intelligence Surveillance Act, 50 USC sec. 1881a(a)). Even though this case does not involve this authority, the free speech concerns raised by lawyers, journalists, and human rights activists in Clapper v. Amnesty International (decided on standing grounds, 133 S.Ct. 1138 (2013)) apply to persons engaged in electronic communications with foreign nationals located overseas on issues relating to US national security.

FISA defines “foreign intelligence” to include “information that relates to . . . the international proliferation of weapons of mass destruction by a foreign power or an agent of a foreign power” (50 USC sec. 1801(e)(1)). As the challenge mounted in Clapper indicates, many communities of interest are concerned about the “chilling effect” of the surveillance authority created by the FISA Amendments Act. The inclusion of WMD proliferation in the definition of foreign intelligence means the non-proliferation and arms control communities have been on notice about this US government power since 2008.

However, Snowden’s disclosures of PRISM (the NSA program operated under Section 702 of FISA) revealed how the US government uses this power. People in communities of interest not previously nervous about Section 702 of FISA might now be concerned about their communications with foreign nationals, and perhaps, as Yousaf’s comment suggests, this includes persons working on non-proliferation and arms control questions. So, as with other interested persons and organizations, the non-proliferation and arms control communities should monitor what happens next with this controversy, including law suits already filed in federal court challenging PRISM.

US Communications, Metadata, and Access to the Content of Communications

However, the case reported in the Times involved an e-mail and its attachment sent and received in the US, meaning that different aspects of FISA applied to this surveillance activity. The Times article is not exactly clear what happened, when it happened, what the FISA court did, and why it did what it did (at least these things are not clear to me from the article). My point is not that the Times article is wrong; my point is that it raises more questions than it answers, and trying to answer some questions proves difficult because of a lack of information. As explained below, these questions require more scrutiny of the Times article’s claim that the FISA court “vastly broadens powers of the N.S.A.” In short, we should not jump to conclusions about the Times article and its implications. In what follows, I try to sort through what the article does contain.

Collecting Internet and E-Mail Metadata

US intelligence officials probably picked up information from collecting and analyzing “metadata” on e-mail traffic that triggered a desire to see the e-mail attachment in question. Part of Snowden’s disclosures included information about the US government’s collection of e-mail and other Internet metadata within the US after 9/11 through 2011, when this aspect of NSA surveillance was apparently terminated. Initially undertaken by the Bush administration outside FISA, the collection and analysis of e-mail and other Internet metadata came within FISA court review and approval in 2004, after which the FISA court reviewed and approved orders for such surveillance periodically until 2011, when the Obama administration stopped this particular metadata surveillance effort.

Application of the “Special Needs” Exception to Collection of Internet and E-Mail Metadata under FISA

According to the Times article, the FISA court determined that such metadata surveillance did not violate the Fourth Amendment and relied, apparently, on the “special needs” exception to the Fourth Amendment’s warrant requirement. Generally, the “special needs” exception allows the government to undertake a search without a Fourth Amendment warrant to gather information unrelated to law enforcement purposes (e.g., drug tests of railway workers; passenger screening at airports). Referring to outside legal experts, the Times article commented that this application of this exception “is significant . . . because it uses a relatively narrow area of the law . . . and applies it much more broadly, in secret, to the wholesale collection of communications” for foreign intelligence purposes, including countering terrorism, WMD proliferation, espionage, and cyber attacks. This alleged expansive use of the “special needs” doctrine by the FISA court forms part of the Times article’s observation that this court is perhaps becoming “almost a parallel Supreme Court” because it regularly assesses “broad constitutional questions” and establishes judicial precedents for foreign intelligence surveillance.

Here is where the questions about the article begin to multiply. For starters, telephony and Internet metadata is not protected by the Fourth Amendment under existing jurisprudence, so, presumably, the FISA court does not need the “special needs” exception to the Fourth Amendment to review and approve collection of metadata. As Orin Kerr commented, if the FISA court “has ruled that all metadata is outside the Fourth Amendment, that’s not a surprise.”

Next, the “special needs” exception  has long been associated with the gathering of foreign intelligence by the US government and with FISA itself. As Kris and Wilson put it, “Congress enacted FISA explicitly to serve as a special need not related to ordinary law enforcement: foreign intelligence and counter-intelligence. The courts have upheld FISA under a special-needs theory against multiple constitutional challenges” (David S. Kris and J. Douglas Wilson, National Security Investigations & Prosecutions (2007), sec. 11:12, p. 11-30). So, foreign intelligence activities subject to FISA fall under the “special need” exception for foreign intelligence gathering under existing law and jurisprudence. Again, Kerr commented that, if the FISA court has held that foreign intelligence efforts to locate terrorists fall under the “special needs” exception, then “that’s not noteworthy.” The same applies to foreign intelligence gathering for other serious national security threats, such as WMD proliferation.

These observations suggest that the FISA court is not vastly increasing the powers of the NSA or acting as a “parallel Supreme Court”  but is operating within existing jurisprudence and statutory law. So, what’s going on here? I’m not sure based on what the Times article contains. Now, people might be worried about the powers existing jurisprudence and statutory law give the NSA and the FISA court–but the Times article claims something new, different, and secret is happening that does not track case precedents and legislation.

Accessing the E-Mail Attachment Related to Nuclear Proliferation

As noted above, the Times article reported that US intelligence officials went beyond metadata collection and accessed the content of an e-mail communication in the form of an attachment the officials feared “contained a schematic drawing or diagram possibly connected to Iran’s nuclear program.” The Times article is not clear how, and under what authority, the US intelligence officials accessed the content of this e-mail communication. The article states that gaining such access “[i]n the past . . . probably would have required a court warrant because the suspicious e-mail involved American communications.”

Well, if the US government wanted access to the e-mail attachment for foreign intelligence purposes, then FISA requirements for obtaining a FISA court order to undertake such content-based surveillance within the US apply. However, the Times article is not clear whether US intelligence officials obtained a FISA court order to access the content of the e-mail communication in question. Confusingly, the article follows up its statement about the probable need for a “court warrant” with a description of the broadening of the FISA definition of “foreign intelligence” in 2008 to include information related to WMD proliferation–information that is not helpful to understanding whether the US government obtained FISA court approval to access the e-mail attachment in question.

If the government obtained the FISA court’s specific approval for its access to the e-mail attachment, then the government complied with the relevant law–nothing new, then, legally speaking. However, if the FISA court has constructed some “special needs” exception to the FISA requirement to obtain a specific order for electronic surveillance in the US for foreign intelligence purposes, then we might have something new to ponder. But the Times article does not provide enough information to pursue this inquiry in any productive manner. We would have to be able to examine the FISA court decisions mentioned in the article, but those remain secret.

CONCLUSION

OK, so what does all of this mean for communities interested in non-proliferation and arms control that communicate through e-mail and other electronic means with people inside and outside the US? Based on what’s in the Times article, here’s my answer:

  • Since the FISA Amendments Act of 2008 added Section 702 to FISA, it has been clear that electronic communications by US persons with foreign nationals could be subject to broad, FISA court-approved surveillance to acquire foreign intelligence through targeting persons reasonably believed to be located outside the US. The Times article does not change what we have known for quite some time on this aspect of FISA.
  • The Times article’s reference to the “special needs” exception creates more questions than answers, meaning that, in such a state of affairs, it is best not to rage first and ask legal questions later. We know enough to wonder whether the article is accurately describing what’s actually happened in the FISA court. But, given recent disclosures, we also know enough to worry that we don’t know everything we need to know to assess what’s going on.
  • What exactly the FISA court has done in the rulings mentioned in the Times article remains unclear, and the rulings remain secret. For the time being, we don’t know what we don’t know concerning the legal reasoning used by the FISA court.

My intent is not to promote a “don’t worry, be happy” attitude about the implications of NSA surveillance programs disclosed in recent weeks either generally or specifically to work that you might do. Like many people, I worry about the scale of the surveillance the disclosures have revealed and about some legal justifications given for these secret programs. But I am also concerned that the incomplete information we are getting through leaks in dribs and drabs is creating and agitating fears that, like a toxic miasma, government surveillance is permeating everything, everywhere and affecting everybody without meaningful limits or oversight. To prevent actual and imagined surveillance from doing more damage to the body politic, more transparency is required politically and legally.


More of the Same: The Ministerial Declaration of the International Conference on Nuclear Security

The International Atomic Energy Agency convened the International Conference on Nuclear Security in Vienna from July 1-5, 2013. Noting that “the risk that nuclear or other radioactive material could be used in malicious acts remains high and is regarded as a serious threat to international peace and security,” the IAEA held the Conference “to review the international community’s experience and achievements to date in strengthening nuclear security, to enhance understanding of current approaches to nuclear security worldwide and identify trends, and to provide a global forum for ministers, policymakers and senior officials to formulate views on the future directions and priorities for nuclear security.”

The Ministerial Declaration from the Conference was negotiated before it began and was disseminated on the first day of the Conference. The Ministerial Declaration indicates that IAEA member states are not willing, at present, to move beyond the existing approach of primarily focusing on national-level responsibilities and efforts to improve the security of nuclear material to prevent nuclear or radiological terrorism and other malicious acts. The Ministerial Declaration invited states to become parties to the Convention on the Physical Protection of Nuclear Material (1980) and its 2005 Amendment and to the International Convention on the Suppression of Acts of Nuclear Terrorism (201). But, arguments for developing more and better international rules to enhance nuclear security globally did not find fertile ground in this IAEA effort. As Global Newswire reported on this point:

As expected, the joint document . . . did not embrace the creation of any formal new rules that would bind participating countries. At the top of a list of 24 principles that signatories support is “that the responsibility for nuclear security within a state rests entirely with that state.” Nuclear watchdogs expressed disappointment over the scope of the document . . . . “I would say that this declaration does not give a lot of hope that IAEA ministerial meetings are the way to move forward the nuclear security agenda–it’s pretty boilerplate,” said Miles Pomper, a senior research associate with the James Martin Center for Nonproliferation Studies.