Nate Fick is CEO of the cybersecurity software company Endgame, and a Marine Corps veteran of Afghanistan and Iraq. He is the author of “One Bullet Away: The Making of a Marine Officer.”
A catastrophic data breach. Russian complicity. Blundering institutions. Distrust of government. Reading Edward Jay Epstein’s gripping and devastatingly even-handed account of Edward Snowden, “How America Lost Its Secrets,” provides a Faulknerian reminder, during these days ringing with the same themes, that “the past is never dead. It’s not even past.”
Epstein’s revelations hit hard and don’t stop. Snowden could not have acted alone, since he didn’t have access to the secret compartments from which he took the most sensitive documents. Vladimir Putin personally authorized Snowden’s exfiltration from Hong Kong to Moscow. Snowden turned over to journalists only 58,000 of the 1.7 million documents he “touched,” the vast bulk of which had nothing to do with domestic surveillance but rather covered America’s overseas spy network, including its most sensitive sources and methods.
Epstein struggles to paint a factual portrait of Snowden without it feeling like an ad hominem attack: high school dropout, described by a classmate as having a high-pitched voice, liking the Magic card game, playing fantasy video games, owning two cats and using the online moniker Wolfking Awesomefox. Snowden washed out of Army training in 2004, worked briefly as a security guard at the University of Maryland and then got a job as, of all things, a CIA telecommunications support officer. Two years later, he received an unfavorable evaluation from his superior and was forced to resign. He then went to work for Dell as a National Security Agency contractor in 2009. As a system administrator, he had both the privileges to access vast amounts of data and the mandate to transfer it to backup servers — the perfect cover for a whistleblower or a spy.
On June 9, 2013, a video of Snowden was posted on the website of the Guardian. Shot in a Hong Kong hotel room, the disclosure begins with “My name is Ed Snowden,” and goes on to detail how the NSA was spying on U.S. citizens. Snowden comes across as calm, compelling and articulate. Overnight, he became a global celebrity and, to much of the world (including many Americans), the lead standard-bearer for data privacy and personal freedom in the digital age.
Most of the public debate since that summer has been over whether Snowden is a hero or a traitor, a whistleblower or a spy. Epstein’s answer is both — but more spy than whistleblower. And the case he builds, especially in light of disclosures since the U.S. election in November, is damning.
Since 9/11, the United States has changed in so many ways that it is already hard to remember the world where we could carry water bottles through airport security and where small-town police departments didn’t look like armored cavalry units. But changes like these are only the visible tip of a much bigger, and largely digital, iceberg. In some ways, Snowden’s disclosures of NSA surveillance, including a warrant issued under the Federal Intelligence Surveillance Act ordering Verizon to turn over all its billing records for 90 days to the NSA, and details of an Internet-monitoring program code-named PRISM, were beneficial. As Epstein writes, the disclosures “accomplished a salutary service in alerting both the public and government to the potential danger of a surveillance leviathan” and “revealed a bureaucratic mission creep that badly needed to be brought under closer oversight by Congress.”
What Snowden exposed, however, wasn’t a rogue operation. It was a series of programs authorized by presidents of both parties and Congress, and approved by no fewer than 15 federal judges. Epstein cites the current NSA director, Adm. Mike Rogers, and numerous others, including former NSA directors Mike McConnell, Michael Hayden and Keith Alexander, and former CIA acting director Michael Morell, laying out the crippling effects of Snowden’s revelations: “lost capability,” “impact on our ability to do our mission for the next twenty to thirty years,” “sources dried up; tactics were changed.” Sen. Dianne Feinstein (D-Calif.), chairman of the Senate Intelligence Committee, concluded, “I think it’s an act of treason.”
The real scoundrel in Epstein’s telling is neither Snowden nor the security leviathan he checked; it’s the muscle-bound bureaucracy of the government and its contractors that allowed this breach to happen in the first place.
The 9/11 Commission concluded that one reason U.S. intelligence agencies failed to “connect the dots” before the 2001 attack was the existence of security-inspired “stove-piping” between, and within, the agencies. Much of that was stripped away in the following years, perhaps improving coordination, but with the unintended consequence of magnifying the risk of any particular breach, whether by a foreign spy or a disgruntled insider.
Whatever his ultimate motives, that Snowden maintained access to government secrets as long as he did was a colossal failure of the system. Five months after being forced out of the CIA, he was working on sensitive systems inside the NSA, first as an employee of Dell and later of Booz Allen Hamilton. Epstein reports that Snowden was able to keep his security clearance because the CIA had instituted a policy several years earlier that allowed voluntarily departing officers to maintain their clearances for two years after leaving. The grace period was intended to make it easier for them to find jobs among defense and intelligence contractors. When his CIA clearance finally expired in February 2011, Snowden applied — successfully — to renew it. Since 1996, the background investigations required to obtain a clearance had been outsourced to a private firm compensated according to the number of investigations it completed. The picture that emerges is of a self-dealing bureaucracy and a web of private contractors performing core government functions, more akin to Blackwater employees carrying guns and pulling triggers than to contract employees dishing out grits in a mess hall.
But the bigger problem is more subtle.
Epstein points out a culture clash that will be central to this era of national security policy: libertarian hackers in one corner, animated by a belief that information will be free; privacy advocates in another, convinced that privacy and security are zero-sum; and the national security establishment in a third, united by a conviction that some information is so important that it must remain secret (and that secrecy is even possible). The differences in perspective between Washington and Silicon Valley were neatly encapsulated in the recent, bruising debate over encryption technology. The wonks see the world in normative terms: We don’t want terrorists to have easy access to encrypted communications, so the government should regulate or outlaw the technology. The geeks, on the other hand, see the world in positive terms: Encryption technology is possible, and therefore people will use it, so the government better learn to live in that world.
The challenge arises where these worlds intersect — at the nexus of technology, security, privacy and civil liberties where the NSA operates. Will the government, with its salary caps and background checks, be able to compete for the best talent in fields like cybersecurity? And even if it succeeds in hiring and retaining skilled technical talent, can it coexist with a culture of secrecy? Morell makes the point that the NSA had moved in the direction of fostering a culture of openness, reflecting the talent pool from whence its young civilians came: “The idea was to spread knowledge and learn from the successes of others, but it created enormous security vulnerability.”
In this winter of rattled confidence in government, Epstein’s welcome reappraisal of the most destructive data breach in the history of U.S. intelligence brings nothing to mind so much as the Roman poet Juvenal’s timeless question: “Who will guard the guards themselves?”
By Edward Jay Epstein
Knopf. 350 pp. $27.95