Could an Independent NSA Inspector General Have Prevented 3 Years of Violations?
Last week, two former Senate Intelligence Committee members proposed a fix for the NSA no one has yet floated: making NSA’s Inspector General independent. Doing so, they argue, would give the IG more leeway to direct her investigations of the NSA and provide Congress needed insight into NSA’s real activities.
But one important option has yet to be proposed: creating an independent inspector general’s office at the NSA, comparable to the office that was created within the CIA in 1989.
Not only was the inspector general’s office viewed differently after the law was passed, but the office itself was different. It decided which of the CIA’s activities would be investigated, inspected or audited without waiting for direction or approval from agency management. Employees of the IG’s office no longer had to worry about the potential effect on their careers if their findings and conclusions were critical of the agency. They may not have always gotten everything right, but they were freer to call things as they saw them and did so, at times to the chagrin of CIA management.
Having an independent inspector general at the CIA produced other advantages for the oversight process: It gave the congressional intelligence committees a more reliable partner — an office that lawmakers could call upon to conduct investigations beyond their own capabilities — and they learned of problems they otherwise might not have come across.
The same dynamic is not possible at the NSA today because the agency’s inspector general is appointed by and works for the NSA director. For all practical purposes, he is a member of the director’s staff and does not report directly to the intelligence committees.
I’m particularly interested in this recommendation given a few data points from the transition period between the illegal phone dragnet to the Section 215 dragnet in 2006.
As the documents submitted in 2009 make clear, the dragnet remained largely if not entirely unchanged from what it was before 2006. The initial “bug” that “arose” in 2009 was really just a “feature” — an alert system on suspect phone identifiers — of the illegal program that never got shut down or properly disclosed to the FISA Court. Many of the subsequent “bugs” (such as access to the queried data for FBI and CIA) also seem to be “features” no one turned off to keep the program legal.
And the Inspector General (from 2002 to 2006, NSA defender Joel Brenner served in that role) knew about the features of the illegal program because he was belatedly read into the illegal program in 2002 and actually provided 3 suggestions to improve oversight of it (see pages 45-46). Among other things, Brenner instituted and attended monthly due diligence meetings.
As Keith Alexander’s February 2009 declaration to Reggie Walton reveals, as the program was transferring to FISC authorization in 2006, someone in the IG office suggested NSA tell the FISA Court how the alert system worked, but NSA chose not to follow that suggestion.
Agency records indicate that, in April 2006, when the Business Records Order was being proposed, NSA’s Office of Inspector General (“OIG”) suggested to SID personnel that the alert process be spelled out in any prospective Order for clarity but this suggestion was not adopted.
More interesting still is the role of a 2006 study submitted to the FISA Court (starting at 85). This appears to be one of the only things Malcolm Howard required when he originally approved the program:
The Inspector General and the General Counsel shall submit a report to the Director of NSA 45 days after the initiation of the activity assessing the adequacy of the management controls for the processing and dissemination of U.S. person information.
Ideally, that review would have been similar to the End-to-End review NSA finally produced in 2009 (and curiously not completed by the IG). Both reviews started by laying out the requirements of the FISC order. Whereas the 2006 found roughly 14 requirements, the 2009 one found 93 (the order had gotten more complex and Walton had imposed new requirements).
The team reviewed 93 requirements extracted from the March 2009 BR FISA Court Order, Application and Declaration; dataflow diagrams; and system documentation (to include systems engineering and security plans) to ensure a complete understanding of how the requirements were being met prior to 2 March 2009, how well they are currently being met, and what changes may be needed to ensure compliance.
But based on an interpretation of Howard’s original order, the IG did not conduct testing and some other reviews in 2006 that might have identified the problems disclosed in 2009.
We did not conduct a full range of compliance and/or substantive testing that would allow us to draw conclusions on the efficacy of management controls. Our assessment was limited to the overall adequacy of management controls, as directed by the Order.
And while the IG again made some suggestions to improve oversight of the program (including auditing whether the numbers queried, rather than alerted, had actually been approved), because of “internal correspondence,” OIG operated on a mistaken assumption that all the alert identifiers had been approved.
Later in 2006 when OIG conducted a study regarding the adequacy of the management controls NSA adopted for handling BR FISA material, OIG focused on queries of the archived data since the SIGINT Directorate had indicated to OIG through internal correspondence that the telephone identifiers on the alert list were RAS approved. OIG’s interest in the alert list came from OIG’ s understanding that the alert list was used to cue automatic queries of the specific analytic database where the BR FISA material was stored by the Agency. At least one employee of the SIGINT Directorate thought that OIG had been briefed about how the alert process worked.
But that explanation (again, from Keith Alexander) is totally nonsensical. Even if the alerts were RAS-approved, that still shouldn’t led anyone to just ignore them in a review mandated by the court. (Note, Brenner appears to have left NSA between the time the report was first submitted to Keith Alexander on July 10, 2006 and the time it was more widely distributed on September 5, 2006.)
There’s no reason to believe Brenner is at fault here. On the contrary, it appears his office tried to fully disclose what was going on with the alert system, but the suggestion was not accepted — the kind of decision an independent IG could have acted on on his own. Rather, Alexander’s nonsensical declaration includes strong hints that had the IG been given free rein back in 2006, NSA might have discovered, disclosed, and remedied three years of violations.
If NSA had had an independent NSA IG at that transition period and since, it seems more likely that the violations might have been mitigated at the inception of the PATRIOT-authorized incarnation of the program. If so, then it seems like a great reason to embrace this suggestion.