,
10 tweets,
3 min read
Read on Twitter
I've had a few people mention to me the "lack" of oversight on NSA and the #EternalBlue losses that are now being used by adversaries to hack Baltimore, etc.
I have some thoughts on the public outcry on this point & the challenges of oversight.
I have some thoughts on the public outcry on this point & the challenges of oversight.
NSA and its activities are overseen by the House and Senate Intelligence committees, that do their work in behind closed doors, in SCIFs, because most of the subject matter is classified at very high levels (TS/SCI). This means deliberations are not public.
The lack of public oversight means that outside observers like @KimZetter, the ACLU, CDT, or even now, myself, have little insight into the conversations that happen between the NSA & HPSCI and SSCI. We don't know if the NSA gets raked over the coals, or pats on the back.
Even when members like @RonWyden or @RepAdamSchiff, who raise serious questions and are known to be thorough and skeptical overseers, the public sees little signs of it because of the classification. That means both the hearings and the legislation isn't visible.
The problem with the secrecy is that one of the essential functions of oversight, to show that the nation's representatives are asking on the public's behalf, doesn't actually create that confidence in the public's mind.
The other problem with the secrecy, is that the legislators are the only ones who can challenge the NSA's arguments that a) the tools are too important to disclose, b) they've done enough to mitigate risk, or c) the status quo is fine.
When I've been on the inside, you can think you're asking all the tough questions and standing in as proxy for the American people's concerns, but then when the program actually comes to a public debate, you find your sense of alarm wasn't high enough. See, e.g. 702.
Between TSP/702/215 and Eternal Blue, I have started to question the wisdom of holding the conversations around risk on these tools at such high classification levels that they aren't debated more broadly, especially in the private sector, where the impacts are greatest.
The other thing that's clear is that these tools are not being sent through the Vulnerabilities Equities Process, as they are supposed to, to have a broader conversation about risk. techdirt.com/articles/20160…
So, the bottom line is that Congress, despite what it may think is aggressive oversight behind closed doors, needs to have a broader conversation about where the lines are in disclosure, tool development, and hacking. Because there are more voices who need to come to the table.
