Oliver Stone’s new film, Snowden, reignites the national debate around the potentially competing interests of protecting America from terrorism and protecting our civil liberties. Stone uses two National Security Agency (NSA) initiatives to ask how much power the U.S. government should have under the Foreign Intelligence Surveillance Act (FISA) to conduct electronic surveillance, emergency eavesdropping, and physical searches without a warrant.
- Verizon—the NSA ordered Verizon (and other telecoms) to hand over the telephone records of millions of US customers, calling within the U.S. and overseas. The records, which include the phone numbers of both parties, cell site location, trunk identifiers, call time and duration, etc., are considered “metadata” or transactional information, rather than communications data, and therefore don’t require a warrant.
- PRISM—the NSA surveillance program used to collect the private communications of people using Internet services like Microsoft, Yahoo, Google, Facebook, Skype, AOL, Apple, YouTube, PalTalk, etc. by accessing their information directly from these companies’ servers—under the authority of FISA section 702. Although these companies deny giving the government direct server access for bulk data collection, they do admit to providing individual user information in response to specific FISA requests.
To demonstrate how the NSA runs this “dragnet on the whole word,” the movie highlights XKEYSCORE, the web interface to the program behind PRISM. It looks like Google in that you type in keyword selectors to search on topics like ‘every threat made about the President since February 3rd,’ and the search results return relevant information from internet users’ public and private emails, social posts, chats, etc.—thanks to the power of hundreds of servers working 24/7 around the globe.
Ironically, XKEYSCORE is built on a Linux open stack that may have design deficiencies, leaving it vulnerable to insider attack. For example, XKEYSCORE relies on system logs to track analysts’ search queries when they log into the web browser. However, systems administrators can directly query MySQL databases housing stored data, thereby bypassing systems log so their search queries can’t be tracked.
Another potential vulnerability is that systems admins use the same shared account— under the name oper—to log into XKEYSCORE servers to configure them. If a rogue admin does something malicious, it hard to trace back to him/her since the login account is shared.
No doubt these security risks have been addressed since Snowden’s whistleblowing. But, since other bugs in the code or less-than-perfect security protocols may still exist, the risk of an insider working on behalf of another country, or outside group, could still incapacitate XKEYSCORE, or put it in the wrong hands.
One of the most significant points made in the film is that war no longer happens only on the ground; it is fought in cyberspace. The real threats to the U.S. economy and political system come from hackers in countries like China, Russia and the Middle East.
Chinese hackers, for instance, have syphoned billions of dollars from U.S. companies using tactics like accessing CEOs’ email accounts to trick corporate finance departments into wiring money to banks in Hong Kong and the mainland. Russian hackers have also tried to inject malware into Hillary Clinton’s infamous private email server by sending fraudulent emails asking her to pay traffic tickets by clicking on a link, which would download a malware file, allowing them remote access to her server.
We can debate whether Snowden is a hero, as some civil libertarians contend, or a traitor as some such as Presidential Candidate Donald Trump once asserted. The larger issue is that we must be prepared to deal with the cyber threats facing our nation, both internal and external, in a way that protects American interests without steamrolling over the Bill of Rights.