Which federal agency is responsible for signals intelligence and information system security?

There is an old joke, still funny to some of us, that the National Security Agency (NSA) is the only part of the federal government that really listens. The NSA is the nation’s main collector of signals intelligence, or SIGINT, which “involves collecting foreign intelligence from communications and information systems and providing it to customers across the U.S. government, such as senior civilian and military officials.”

In an increasingly digital world, SIGINT is increasingly important as a source of foreign intelligence. It also has increasingly significant implications for privacy. SIGINT therefore needs to be, and is, conducted under rules that take account of both.

When it comes to SIGINT in this country, Congress has established most of the relevant rules. The Foreign Intelligence Surveillance Act of 1978 (FISA) regulates wiretapping, bugging, and other forms of “electronic surveillance” conducted in the United States. The FISA Amendments Act of 2008 (FAA) regulates intelligence collection targeting U.S. citizens or green-card holders even when they are abroad. These laws, and the Foreign Intelligence Surveillance Court that interprets them, govern a lot of SIGINT.

But there remains a good deal of SIGINT that Congress has, quite intentionally, left unregulated by statute and not subject to the jurisdiction of the Foreign Intelligence Surveillance Court. In its report on the bill that would become FISA, for example, the House Intelligence Committee recognized that “[t]he standards and procedures for overseas surveillance may have to be different than those provided in” FISA. And the committee noted “with approval” the existence of an executive order and agency regulations to govern such surveillance.

On Jan. 13, the NSA released a document that is the descendant of those agency regulations referred to by Congress, governing SIGINT that is not subject to the FISA statute. This new document, referred to as the “SIGINT Annex,” is in the form of an annex or appendix to the manual of rules that governs intelligence collection by all elements of the Department of Defense, of which the NSA is one. Both the Defense Department manual and the SIGINT Annex were promulgated under the authority of Section 2.3 of Executive Order 12333, issued by President Reagan, which provides that “[e]lements of the Intelligence Community are authorized to collect, retain, or disseminate information concerning United States persons only in accordance with procedures” established by the head of the relevant agency with the approval of the attorney general after consultation with the director of national intelligence.

The SIGINT Annex is not easy reading, in part because it is designed for professional SIGINT operators and analysts. It is one of the main ways in which the NSA talks to itself about what is, and is not, authorized at every stage of the SIGINT life cycle. This includes collecting, processing, querying, retaining and disseminating SIGINT.

With that in mind, I undertook to explain the SIGINT Annex in a way that would be more accessible to outsiders, much as I had done a few years ago with respect to new guidelines issued by the CIA. Although I consulted with officials from the NSA and other government agencies regarding the accuracy of my paper, and I am grateful for the assistance they were permitted to provide, the views expressed are solely my own, and errors solely my responsibility. The SIGINT Annex is largely unclassified, and my paper is based exclusively on its unclassified portions; it was reviewed by the government to ensure that it does not contain classified information.

You don’t need to work at the NSA or have a security clearance to engage with the paper in its entirety, but you do need a high pain tolerance. In the long run, I hope the paper will be a useful reference guide and that it will be helpful to professionals in and out of government for whom a big investment makes sense.

For now, however, it may be that certain aspects of the paper could have a slightly wider audience. Here are some of what might, with generosity, be called highlights:

First, some readers may have concerns about the timing of the SIGINT Annex, which was finalized by the Trump administration a week before the beginning of the Biden administration. I address these concerns in the last paragraph of the introduction to my paper:

The SIGINT Annex was released following the election of 2020, during a period of transition between two presidential administrations. This is not unprecedented: for example, the corresponding CIA guidelines that I previously reviewed were released on January 17, 2017, and the Raw SIGINT Guidelines cited above were approved on January 3, 2017 (other examples of Intelligence Community regulations are listed here). These sorts of documents are so difficult and complex that sometimes they can be finalized only with the benefit of the most rigid of forcing functions. Although the SIGINT Annex certainly may give rise to legitimate debate among informed observers concerning the appropriate balance between privacy and security, and like any set of rules and procedures it could be misused or misapplied in practice, I did not see anything in it that reflects a politicization of intelligence or other radical departure from a basic commitment to the paradigm of intelligence under law. As noted above, major changes from the Prior Annex are discussed in Part II.A.2 and throughout Part II.B.

Second, for other readers, as I write in Part II.A of the paper, “the only important question may be whether the SIGINT Annex gives the government more or less authority than it previously enjoyed.” Those seeking a simple or singular answer to this question will be disappointed. I try to explain the main reasons why such an answer is very hard to provide and may tend to reflect the predisposition of whoever is providing the answer. For one thing, while the SIGINT Annex is largely unclassified, there remain some SIGINT rules that are classified—a lot is known, but the general public does not have access to everything there is to know about SIGINT. Also, the prior version of the SIGINT Annex was last substantively revised in the 1980s—an amazing fact—and the legal and technological environments for SIGINT have evolved a lot since then. It’s hard, therefore, to define the proper baseline for comparison between the current and prior set of SIGINT rules. Finally, and maybe most importantly, the Prior Annex and the SIGINT Annex regulate a lot of activity, and the differences between them do not point in one direction. In light of all this, I try to provide a point-by-point comparison to allow readers to make their own assessments.

I have some hope that Part III, the paper’s conclusion, may be of interest to a different set of professionals: those involved in the ongoing Schrems-General Data Protection Regulation debate concerning cross-border data transfers between the U.S. and Europe. Part III summarizes some of the key protections for U.S. persons (and persons in the U.S.), and also some of the protections for non-U.S. persons located abroad. I hope it will be helpful and informative.

A few readers may be interested in the discussion of “SIGINT Tradecraft” in Part I.F of the paper. Writing this part of the paper was challenging because I knew I had to avoid classified information. As it happens, however, I got an assist from GCHQ, the British counterpart to the NSA. As SIGINT agencies go, it turns out that GCHQ is relatively forthcoming! (This is as good a place as any to plug the Lawfare podcast I did recently with two GCHQ alumni, which is available here.)

Perhaps some readers will be interested in my assessment of current issues and challenges for SIGINT, including matters of technology, the nature of foreign intelligence threats, and our extraordinary domestic politics. That’s Part I.E of the paper. I will just say that these are strange times for all of us, including the U.S. intelligence community, and leave it at that for now.

Historians may enjoy the review of U.S. SIGINT activities that begins “before NSA’s existence, in the era of telegraph wiretapping,” and goes forward from there. The SIGINT Annex makes more sense when it’s placed in historical context. And it is quite interesting, at least for me, to learn about the SIGINT struggles in and around World War II. For example, in 1940 the government resolved an interbranch SIGINT dispute by dividing coverage of Japanese diplomatic traffic so that the Army was responsible for decryption, translation and reporting on even days of the month, and the Navy was responsible on odd days. All this, and so many more historical nuggets, are available in Parts I.A to I.D of the paper.

Finally, I hope that some readers—let’s call them the “SIGINT elite”—will want to tackle Part II.B of the paper, which covers, in detail, the seven sections of the SIGINT Annex. This is around 40 single-spaced pages (22,000 words) of dense and highly technical prose. Not for the faint of heart, of course, but I hope it will be useful to some of you.

Which agency is responsible for the security of all national critical infrastructure?

The Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) leads the coordinated national effort with public and private sector critical infrastructure partners to enhance the security and resilience of the nation's critical infrastructure.

Which type of security addresses the protection of all communications/media technology and content?

Cybersecurity primarily addresses technology-related threats, with practices and tools that can prevent or mitigate them. Another related category is data security, which focuses on protecting an organization's data from accidental or malicious exposure to unauthorized parties.

What is it called when an organization makes sure every employee knows what is acceptable and unacceptable behavior?

Due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort. Due care has been taken when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions.

Why would an organization want to make sure it exercises due care in its usual course of operations?

Due care has been taken when an organization makes sure that every employee knows what is acceptable or unacceptable behavior and knows the consequences of illegal or unethical actions.