Where exactly is Edward Snowden? Where are the documents he downloaded from the NSA’s computers? How many copies of the data has he made? Who else has he given them to? What will those people do with the information? We don’t have answers to any of these questions, and we might never get them. But what we’ve learned over the last few days should be extremely worrying.
First, in an interview with the South China Morning Post, Snowden admitted that he sought a job with the government contractor Booz Allen Hamilton specifically so that he could gather documents about the NSA. Now it’s also clear that before he flew the coop to Hong Kong and then Moscow, he made numerous copies of the documents he downloaded, and handed them out to many people around the world. According to journalist Glenn Greenwald, the data are encrypted, but Snowden has arranged for the people who have the files to get full access to them “if anything happens” to him.
Two weeks ago I asked why we should trust the NSA with our data if it couldn’t keep it secure from a single rogue employee. But now the question is more urgent, because it’s become clear that Snowden didn’t just “go rogue.” Instead, his actions look like a precise, long-planned, perfectly choreographed infiltration of the U.S. government. Snowden spent months figuring out which agency to hit, how to get access, which documents to download, which journalists to leak to, which organizations to join up with, and where and how to escape. Everything he’s done—right down to tricking the world into thinking he’d be on a flight to Havana—seems like the work of a canny agent, not a mere disgruntled IT guy.
This is very bad news. From what we can tell, the NSA has no good defense against such a well-planned incursion. It may be able to erect security measures to prevent another similar hit by an employee, but because the data it collects are so valuable, it will always remain vulnerable to an organized attack. That answers the question I raised a couple of weeks ago: Why should we trust an agency that can’t secure its own data with our personal info? We shouldn’t.
The only saving grace in this story is that Snowden claims to have had the noblest of aims. He wanted to expose the globe-spanning scope and hand-of-God reach of United States surveillance infrastructure in an effort to provoke democratic discussion. There’s no reason to distrust him; everything we know about Snowden, especially his voluminous Web postings, shows that he really believes in what he’s doing.
Still, there’s a name for what Snowden did. It’s called hacking. In the jargon, Snowden is a “white hat”—a kind of ethical attacker who exposes security holes in an effort to improve the overall security of the system. But Snowden just as easily could have been a black hat—a hacker bent on wreaking havoc, a guy who cracked open the NSA in order to get dirt on powerful individuals or to sell U.S. secrets to foreign governments. From what we know so far, it wasn’t very difficult for Snowden to get a job in the NSA. After getting his foot in the door as a security guard for the CIA, he followed the rules and moved up the chain, garnering ever-greater clearances as he traveled from job to job. He didn’t even have to be very discreet; he could make his views known online even while working for the CIA and NSA. He hatched the sort of operation any determined, patient enemy could have set up. Iran, China, the Syrian Electronic Army, or al-Qaida, which spent years planning 9/11, could have sponsored someone like Snowden. Indeed, they may have already.