tv   Politics and Public Policy Today  CSPAN  May 13, 2016 11:00am-1:01pm EDT

11:00 am
breach and when it comes to -- when it comes to the health industry, it is huge and i don't think there is any answers on how to deal with that yet. >> and when we planned this panel and we thought, maybe the american bar association has somebody looking at this. so we went to the website and we found not only do they have somebody looking at it, they have an entire new section on e-health and data and all of this. and you tell me there are what -- 1800 or 1400 -- >> 14 -- >> 1400 lawyers already in something that didn't exist -- when did you start this? >> about six or seven years ago. >> so that is -- i think that sort of tells you something about the magnitude and the growing magnitude. a couple of quick takeaways we need to get -- because we need to get through with this panel to start the other one. dan will be out here in a minute. before we wrap up, arthur and i will think of a quick takeaway. this is a bigger problem than most people realize and a bigger problem than i realize coming in, that it is massive and pervasive and that we're not
11:01 am
going to have -- none of us as individuals can protect ourselves. and -- it is not solved within the next year. arthur? >> yeah. and i think that it is also -- it is just another -- i think we've heard here that this is just going to be sort of another pressure on the health care sector, which parts of which have a lot of financial and other strains. and unfortunately this was an unforeseen consequence of i think -- unforeseen by most of the meaningful use program and the effort to get the -- the needed effort to get computers into medical offices. and so -- >> and it was such a push to get the adoption of the electronic health record that there wasn't enough -- >> i think most people didn't foresee that suddenly they were going to be -- it was going to make the health care system
11:02 am
vulnerable in a new way. >> a whole new bag of cards. >> i think there were probably some who did. but any other closing thoughts? >> i think one thing that -- one thing that bears repeating is we hear a lot about how you need the board to get involved. and you need senior leadership on this. one important thing to remember about health care and specifically hospitals in our country, is the board of even a large hospital is not necessarily the type of board that you would think would exist for an entity of that size. about 59% of the hospitals in this country are nonprofits. so you have donors. you have political influence. 23% of them are state and local entities. so, it's hard sometimes just with the dynamics of the board leadership.
11:03 am
>> interesting. >> a different industry. >> i don't want to say that hacking isn't -- and cyber crime isn't worth singularly paying attention to. it absolutely is. but i think we're -- we risk getting attracted to the shiny object when good, basic security should be the platform upon which all of this gets built and we're not even really there yet, for many entities. and we have to figure out a way to get there. >> i need to wrap up a conversation. >> a quick point. >> yeah, yeah, you have to talk as fast as me. >> don't click on links in suspicious e-mails. >> there you go. [ applause ] >> that is why my husband doesn't answer mine. it is time to wrap up the conversation. thank you for being here and sharing your insights and i'm going to welcome dan diamond from pulse who will -- he's helped us put together the forum and the next panel will take over. and then stay afterwards and
11:04 am
continue talking and drink. [ applause ] >> welcome, everyone. thank you for coming. thank you. i'm excited to join the team. my role here, in addition to writing pulse and doing the pulse check podcast, is moderating the outside-in forum. and you see on your seats the first story we published as part of the forum. i have it here if you haven't seen it. polling insiders on what they think are the biggest cyber security challenges and the role that government can and should play. i do want to welcome our three panelists, as i sit on this high chair. first, a man who needs no introduction, i'm going to give him one anyway, aneesh chopra, co-founder of hunch analytics, who spent years providing leadership on i.t. issues in the white house and worked at the advisory board company. and nick dawson, executive director of sibley hospital innovation hub, better known as the innovation czar.
11:05 am
as long as i've known nick, which is ten years, he's the most thoughtful thinker on sharing health care information online. and last but not least, niam yaraghi. he studied this issue very closely and it is timely to have you, because you just did a report thursday -- last week -- >> uh-huh. >> on cyber security and some of the biggest issues plaguing the sector. i have questions for the three of you but i wanted to start by taking the temperature of the room. simple question. show of hands. is cyber security getting worse in health care? show of hands. okay. only about half of the room. is it getting better? is cyber security safer than it was? i'm going to turn to you guys. aneesh, is cyber security worse than it used to be? >> so i'm going to answer this question with the typical caveat, which is yes, in the
11:06 am
following context. we were in manila folders five years ago, eight years ago. and so when you've increased the -- the spread of digital records, by definition, you've created more of an attack vector on which there could be more -- more risk. so relative to manila folders, i would say the cyber security risk is higher. on the flip side, if you take a look at the preponderance of the data on where the cyber security risks have come from, the noncertified health i.t. system is where the attacks seem to be. if you kind of take the, you know, practical nature of this, data in many databases that have been sold in the commercial sector, banking sector, healthcare sector. databases people can log into and have access to, and people who are convinced to click on a malicious link might expose. but the systems that are
11:07 am
regulated, the certified systems, for some reason have been less prevalent. that doesn't mean they're perfect and safe. if you looked at the evidence the attacks have been in the uncertified section. worse, but in context. >> let's come back to the certified point but move down the line. nick, cybersecurity, you're at a provider organization. have things gotten better or worse from your perspective? >> i was all prepared to take a very contrarian view. when i got here i was given a beer. if i take that view it means i can never come back, so i'm willing to adjust my point of view. >> how much alcohol have you had? we're hoping you go full throttle. >> it's a bell curve. i would echo those sentiments. we have become digital very quickly and it increases the attack surface. i think there's also the pragmatic reality that threats
11:08 am
have been there for networks for years and years and years. and this is a hot topic and a timely one for our industry for well-known examples. things we've heard of. i don't know if that necessarily means the sky is falling per se. and then, you know, from a provider organization standpoint, we're wrestling with the reality of is this really the business we want to be in and know how to be in. do we know how to staff for it? do we know how to fight these kinds of things? we've convinced ourselves we have to be all things to all people. we have to be a food service delivery and architectural firm. this might be an area we're significantly focused on. we think it's a hot pressing topic but we might want to reexamine that. >> i think i agree with the panel. the frequency of these cyberattacks is becoming lower
11:09 am
primarily because healthcare is becoming more mature in i.t. when you're younger you're more likely to have accidents while driving. as you get used to it you learn how to drive. that is the case of healthcare. >> just to make sure, you think we might be trending in the right direction, as healthcare matures things are getting safer? >> yes. i think the recent ransomware attacks are the best thing that could happen for healthcare security. they now let people know about the importance of cybersecurity in the medical domain. cybersecurity in health i.t. is no longer an overhead for the hospital managers. it has now become an integral part of their services. they have realized if they do not invest enough in cybersecurity and i.t. it's going to hurt their main core
11:10 am
operational businesses. so i think now that these recent ransomware attacks have created the awareness, healthcare providers would have more business incentives to invest in cybersecurity and ensuring patient privacy like other businesses. >> what are those ransomware attacks? we heard it. i think everybody knows the medstar attack where hackers held hostage a ten-hospital system asking for bitcoins to release the information back. and hospital executives basically had to cancel patient visits. you are not at medstar but you're at a medstar rival. i'm curious. as an executive of a hospital watching this happen, what were the meetings like in the board rooms at sibley to make sure you are not the next medstar? >> i don't know if it's a direct quote. there was probably a conversation that started with what's a bitcoin.
11:11 am
and that's not throwing stones at my own house. i think that's a conversation anybody would have. my point there is the notion is really esoteric. the notion of being held ransom. there's a set of education we have to have. i heard of that in the first panel around what is this stuff, what is the real impact, what's a threat versus reality. that's a case of actual reality, not a threat. the first part starts with unpacking what's really happening, what's the real risk. what's the mitigation of that risk, meaning, time to figure it out ourselves, to restore from backup if it's a possibility, to come up with a different solution, versus the cost of just paying it. sometimes that cost of paying it is cheaper than waiting to try to figure out another plan, if there is another plan. i think that's part of it. for us, and what -- instead of pontificating about what happened in the board room. i was not privy to that conversation. what the innovation team starts
11:12 am
to talk about is how do we think about this in a different way. not in a -- there was a suggestion, we should start mining bitcoin like a stockpile. >> get another business for hospitals. >> architectural firm and the food service. >> we made our margin on bitcoin this year. it's thinking how do we not have a single point of failure. our team got together and said what's going on here. we said, well, it seems like the i.t. infrastructure and the emr, it increasingly becomes the piece that does the billing, medication delivery and the admit and discharge and everything in between, is the operating system of the hospital. how do we not have that become a single point of failure? we started talking about different types of mitigations. and that was kind of where we took it. >> i feel like that plays into what aneesh was saying. what systems are more vulnerable. could you elaborate? >> i'm not suggesting one is better than the other.
11:13 am
i would say the certified systems have at least embodied a lot more of the best practices into the regulatory framework. there's actually a fairly basic understanding of how do you encrypt information and how do you ensure there's a user authentication system. we've got a little bit more of these testing capabilities to make sure that the software sold to the organizations can meet a certain bar. and that bar gets better every cycle. whereas the broader systems that are available, you can buy anywhere, haven't gone through that level of review. as a consumer protection matter, you may not know that this particular outsourced vendor that does your billing and collections, that gets the entire patient file to make sure that the co-pays are collected for the $20 that are missed, that
11:14 am
entity has some cybersecurity best practices and hygiene to the standards that are seen among the certified technology pieces that are made available in the electronic health record. my perspective is we're getting better. it's an interesting point about healthcare. the whole framework for cybersecurity was we'd have a learning industry model. that is to say, there's more disclosure of breaches. which would then inform root cause analysis to say now we know where the vulnerabilities are. let's close the loop in the next round. and we have this much more transparent system. collaborative system. healthcare is actually further ahead than the rest of the industry verticals. part of the hitech act was to create a framework that required that. we're certainly saying wow, a lot of attacks on healthcare. it's one of the few sectors that's required to report the breaches. so we're benefiting in many
11:15 am
ways because we're bringing to life, shining light on these holes. that leads to a loop where we get better and better over time. that's my perspective on how the systems evolve. >> i like the learning system perspective. i want to go back to a quick point and get nerdy about it. >> it's a good crowd to get nerdy. >> this is a marginally informed comment. i want to preface it with that. what i'm hearing is the specific attack vectors are unpatched microsoft servers. that's a well-known huge vendor. that's not a small -- >> i'm sorry, nick, i probably know the least on this panel. help me understand, are we talking about microsoft office, like what specifically in microsoft? >> i'll get out of my depth quickly. they have a whole server platform that a lot of the infrastructure sits on. part of the application layer that runs part of the emr. database layer.
11:16 am
increasingly those sit on a linux platform. imagine we've got xp or windows 10 on our desktop. there is an equivalent for big rack-mounted servers. that has to be kept up to date. that underlying operating system is what seems to be a lot of the vulnerability. >> i want to follow up on what aneesh just said. we see many more attacks in healthcare because healthcare is required to report them as opposed to other industries that are not required to report them. it was designed like this in order to let the people learn about the failures. what is happening is we only learn about the incidents and not the root causes of those incidents. you see, you know, you go to ocr, you see so many attacks happen. i haven't learned anything. i don't know if you have learned anything from the failure of medstar.
11:17 am
and i think to use the potential of that learning curve, you know, industry informing itself, both ocr and also the healthcare organizations and other entities in the healthcare system, which is not limited to healthcare organizations and their emrs. there are business associates and insurance companies who many times have access to much larger volumes of patient data and are not using certified or uncertified emrs to learn from the breaches. unfortunately, it is not happening at the moment. >> one thing i was struck by in that first panel. congressman hurd said the hackers are learning from each other, the russian hackers sharing tactics and tips. the victims don't have the same information sharing. how do we fix that? >> let's be -- let me be precise about this. we do have a framework under nist,
11:18 am
the commerce department agency that is a switzerland for a lot of the information flow, to establish the industry verticals that are sharing. one of the big problems is what are you sharing? so are you going to release personally identifiable machine to share? i got this e-mail from dan diamond. so i get the e-mail from dan, hey, dan. i'd like you to prepare for the panel today, click my link. i click it. now that was an infected piece of, you know, that e-mail contained a link that installed malicious software on my computer. how do i share that e-mail with others without violating your privacy in order to learn how did that particular piece of malware get on your spoofed e-mail. so getting the privacy right has been the central debate in information sharing, which
11:19 am
congress now has moved forward on. this framework, where the goal is to minimize pii while maximizing sharing and learning across many industry verticals. we're not perfect in healthcare but we have at least a model to say how do we ensure these threat vectors are shared. now, we are -- in the first term for the obama administration we were at a cloud first policy in part because patching is a human failure. right? it's not microsoft's fault you didn't patch. you got to push the button and patch. you know, maybe they have some burden. but the premise is, part of the reason i was enamored with the idea of cloud is in many ways you autopatch in bulk, so you get the threat vector at 3:00 p.m. on a monday afternoon. you learned a new signature. you sort of incorporate that into the feedback loop, it shows
11:20 am
back to an entity in the same cloud environment. you stop it before it's presented to him to click. this learning, realtime learning, is the opportunity that's coming. we're stuck in the must-have-servers-on-premise. you've got to bury the responsibility. if you're going to bury the infrastructure do it all the way. it might lead to a further acceleration to the cloud. >> i want to open this out. outside in is the hashtag. if you have questions submit them. i want to build off something you just said. hopefully this question will tee you up. we're at the balance of protecting information, but also the need to share. this was your point. how do we make sure we strike that balance in a world where we're going to benefit from sharing health data, for making it easier for patients? someone on the first panel, i think it was clinton, said the way to protect data is put it on a server in a bathtub and not let
11:21 am
anybody see it. what is the answer moving forward to strike the right balance? >> between sharing -- >> opening it up -- >> yeah, transportability and -- so i think my answer to that is a little bit of a different tack. i would say back to what i maybe teed up at the beginning. we'll have to invest more than we've invested today. we've built an incredible infrastructure around i.t. security. we have -- in any community i know where the community hospital is the largest employer it's the most advanced i.t. shop. they tend to be an anchor for people who want careers in i.t. that's an amazing thing. we continue to build in that infrastructure. do we keep building that locally or look at cloud based services or other things. we're at the juncture where we've got to decide do we keep investing more and look for the places where we left the door open and got to board it over and put a guard in front of the
11:22 am
door, or we realize we've left our back side uncovered. i think that's a question. the other way of saying, looking at it, do we take the same amount of resources and put it in something different. my version is where i'm contrary. i started and went before this conversation to a bunch of patient groups and said what's your view on this. what would you want? what i hear is i want to own my own data. i want to decide who gets access to it. i have a gmail account. sometimes i sign up for a website and i say to the account use google as my name and password. i'm adding a couple layers of sophistication on the comments i heard. my version of that is if we want to start sharing things, instead of trying to patch what we've got or fix what we've got, what if we took the same amount of money and resources and built something different. that different would be putting the data back in the hands of the patients and letting them be
11:23 am
the ones to share it and having an authorization mechanism for doing that. >> right now it's so hard for some patients they might as well just hack the system if they want to get their records. >> they could probably get their records faster that way. >> we're not endorsing that. >> it's so easy to hack into the systems. >> your report touched on this. all the different kinds of hackers out there, some of them are malicious and some of them are the misspent youth who are doing it on a dare or fun. what are some of the commonalities around who is doing the hacking, what can we learn from the patterns of hacking behavior? >> well, i interviewed 22 victims. and out of those 22 only two or three of them were really victims of hacking attacks. the rest were just goofy people who happen to you know lose a laptop or thumb drive. i really don't think hacking
11:24 am
happens that much in the healthcare -- it happens more than it should be. but not as much as we think it is happening. because i still cannot believe the stories i read in different news outlets claiming that medical data is worth $500 per record. if that was true, a community hospital has easily one million records. if i could hack into them and sell that data at $500 per record, it is $500 million. i will quit my job at brookings right now and go learn to hack. >> i'm sensing a theme in our panel. we're not endorsing this bad behavior. point taken. that it's a little overhyped. >> ransomware makes all the sense. again, please pay attention, in these ransomware attacks they're not touching their data. it's like somebody just changing the lock of your front door and doesn't let you get in.
11:25 am
they do not touch the things in your home. they're not stealing anything. they say, hey, give us $15,000, maybe $20,000 to let you get into your home. that's it. because the hackers themselves know it's really difficult to monetize medical data. who cares about my blood test? nobody. i mean, the only thing that they are after are my social security number and home address, date of birth. my personal information part of those health records, not the medical records. they use that in order to, you know, create a fake identity or submit insurance claims and everything. it is very difficult to scale that up. you know, from a hacker's perspective, he may pay you $500 for one record. but he's not going to pay you $500 million for a million records. it's difficult to monetize. >> i see you're nodding along. you agree it's about the social security numbers and --
11:26 am
>> it's hard to get in the mind. this is not well-reported. let's take it in 2010. the president said i'm going to provide online access to patients in the va to access their health records via blue button. loads the blue button and a million vets access their data. not a lot of widespread reports yet of people faking that they're a veteran in order to get another blue button file. cms follows suit. another million people have downloaded their blue button file. not a lot of evidence of people faking. on and on. we then expanded the concept of buttons into different colors, green button for energy, red button -- i thought it was red, then we called it my data for education. consumer financial data became the irs transcript. all of a sudden, the irs transcript, which does have, in his point, the stuff you would
11:27 am
reuse for economic gain, 23 million americans downloaded their get transcript file. 200,000 plus have been publicly reported as having been spoofed, hacker-like attempts. so it provides some evidence that the attack vector is for the data that has economic reuse. and not so much the clinical values. and my perspective on that is the following hole in our current system. the average hospital or doctor does not know whether a machine is logging into the portal or a human. the internet economy has figured this out. there is a door for the machines and a door for the humans. you have security that's commensurate with the request. the patient has to authorize it. you have to do one more step than if a human logs in.
11:28 am
the great news of where we are in healthcare is the obama administration finalized the meaningful use rules for stage three, which is part of all the acronyms. we've got a view there will be a machine front door that will be secure and would allow for a more thoughtful way of registering, so no one has to hack the account in order to pull their health record into something nick is describing that could help them make better decisions. a thoughtful front door, they don't have to hack in to get their own data. the race is on: protect the old patches of the old servers while turning on the systems we'll need to be successful in the value-based healthcare world. that's the opening up versus locking down conundrum. i think the opening up is going to win and we'll spend more time doing that than this. >> we have a few minutes left. if you have a question please raise your hand. i have one question while the microphones are going back.
11:29 am
>> you do my job better than me. >> the -- i don't have a good quippy response to that. so we just heard from aneesh a potential solution from government on a way forward. what is the government intervention -- maybe lack of intervention -- you'd like to see? understanding the government might not always be helpful when getting into this space. >> i want to be thoughtful about that. so many of the thought leaders and the people i learned from are part of their government leaders. i think from a legislative standpoint i would want to not act too quickly. because my -- i don't know, i think my numbers could be wrong here. i think very, very few people in congress identify as coming from a math and science background. this is pretty heavy on the math and science front. >> congressman hurd might disagree with you. >> it's a small percentage. i look at feinstein-burr as a
11:30 am
bill. that's a bill to me that does not understand cryptography at all. it would effectively ban a web browser. i would not want to rush down that path and find ourselves hamstrung by something. this is just ad hoc and on the spot, and building off your idea of a learning network, that we don't understand the root cause. i'm saying i think it's microsoft servers that are unpatched. i would love to see the government build a way to do that. >> lower case g convener. you like that? >> yeah. >> did you copyright that? >> nist is the lower case g in government that convenes the industry to solve and learn in varying forms. and so it was my favorite industry for collaboration because it didn't have the heavy hand of regulation, nor was it a free-for-all, don't do anything. it had a thoughtful method that
11:31 am
we could orchestrate the answer. this notion of community and commonwealth. >> i think the best a government can do is convening and bringing people together and inciting them to talk with each other and work on a problem. but expecting government to help with innovation and information technology is really foolish. we have seen the results of government intervention in healthcare information technology through meaningful use programs. and we have seen it through hipaa regulation. it has been a miserable failure in both areas. so i think we should not expect government to be able or capable of, you know, solving this information technology problem. it has not been successful. 155 million americans have their records out there. they have been victims of
11:32 am
privacy breaches. and that is the lowest estimate. because ocr only reports the breaches of more than 500 people. for each of those large breaches there are hundreds of small breaches that are not even recorded. i can comfortably say all of our records have been out there via -- we all have been a victim of privacy breaches. you know, if government couldn't help one of us protect our privacy, then i personally do not expect it to be able to do anything better. so let the market do its job. in my last report i lay out how the cyberinsurance market could potentially solve the problems we have in patient privacy and cybersecurity and how those market-based solutions could be a long-lasting approach to save the -- to solve the problem
11:33 am
fundamentally. >> i noticed the first panel nodding or shaking their heads no. >> no? >> i love to defend the meaningful use program. we've done a great deal. could you imagine, just a simple question, the average doctor who was caring for a couple thousand patients could not figure out which patients who've got a background or condition that might have a heart attack or hypertension, which of them have elevated blood pressure levels. we as a country could save a million heart attacks. now because of the method by which we've built up the program, every certified health i.t. system is capable of running a simple query. nick and his team can say, who were the 15 patients we didn't know were at risk of a heart attack. let's go call them and bring them in and counsel them. make it happen. that's just a little small thing. i make one final claim. cybersecurity insurance markets, you can't build an insurance
11:34 am
market unless there's a standardized data model so they can insure against. you need the government to help build standards to figure out the root causes of the problems so they could model the insurance policies to do it. there's a yin to the yang. it's not market alone. i want to correct the record where i can. >> a provocative way to end the panel. if you disagree or agree with either of our panels you can find them in the lobby. unfortunately no more time for questions. for all those of you who joined us in the room, thank you very much. those watching on the live stream, thank you too. a final thank you to philips for bringing it together. make sure to join us for cocktails. please drink responsibly. do not share your medical information. thank you, everyone. [ applause ] the hill reporting a republican will co-sponsor a bill from senator ron wyden blocking a justice department
11:35 am
request to expand its remote hacking powers, an aide to the oregon democrat tells the hill. wyden's office would not name the anticipated co-sponsor on thursday. at issue is a proposed alteration to little-known criminal procedure rules approved by the supreme court last month that would allow judges to grant warrants in multiple locations even when they don't know the physical location of a device. the amendment has met with push back from tech companies which fear that change will give the fbi the authority to hack computers with little oversight. absent any action that rule will take effect on december first. president obama will host leaders from norway, sweden, finland, denmark and iceland as part of a nordic leaders summit. he is hosting a state dinner with our coverage of the arrivals at the white house starting live at 7:00 p.m. eastern. next, former national
11:36 am
security and intelligence officials from the obama and george w. bush administrations talk about the strengths and weaknesses of the foreign intelligence surveillance act. the senate judiciary committee held a hearing on tuesday. i'm going to introduce the witnesses first and i'll make my opening statement. and i think senator leahy is on
11:37 am
his way. i'd like to have him make his opening statement before we receive the testimony from the witnesses. our first witness is kenneth wainstein. he's a partner at -- thank you. wickersham and taft, where he serves as the chair of the firm's white collar defense and investigative group. before that he worked for 19 years at the department of justice, including serving as u.s. attorney for d.c. and the first assistant attorney general for national security. he concluded his government service in 2008, serving as homeland security advisor to george w. in that capacity he coordinated the nation's counterterrorism, homeland security, infrastructure protection and disaster response
11:38 am
and recovery efforts. he has an undergraduate degree from the university of virginia and law degree from berkeley. the second witness, matthew olsen. from '11 to '14 he served as director of the national counterterrorism center. prior to that he served as general counsel for the national security agency, executive director of the guantanamo task force. and spent 18 years at the department of justice including serving as assistant attorney general overseeing the national security division. mr. olsen is a professor.
11:39 am
undergraduate degree from university of virginia and law degree from harvard. our next witness elizabeth goitein. she served as counsel to senator feingold on this committee. and civil division department of justice. she has a law degree from yale law school. next witness, david medine chairman of the civil liberties oversight board. before that he was an attorney fellow for the securities and exchange commission. special counsel at consumer finance protection bureau. from '02 to '12 he practiced law at a firm here in washington. and served as associate director
11:40 am
for financial practices at the ftc. he has an undergraduate degree from hampshire college and law degree from university of chicago. rachel brand, she has served as a member of the privacy and civil liberties oversight board since 2012. has served as vice president and chief counsel for regulatory litigation at the u.s. chamber litigation center and practiced law at two firms here in washington. she has served as assistant attorney general for legal policy at the department of justice and associate counsel in the office of white house counsel. she has her undergraduate degree from the university of minnesota and her law degree from harvard. and most importantly, she's been an intern in my office and she's from iowa. you ought to clap for that.
11:41 am
yeah. i'm going to make a statement now and then hopefully senator leahy will be here and we'll have the witnesses. i just introduced them to use up time. almost exactly six months ago our nation's oldest ally, france, suffered the deadliest attack on its soil since world war ii. in a series of coordinated suicide bombings, mass shootings and hostage-takings across paris, isis killed 130 people, injured 368. the president of france referred to that as an act of war. a month or so later in december the united states sustained the most deadly terrorist attack on our soil since september 11th, 2001, in san bernardino as you know. a couple inspired by isis opened fire on an office holiday party, killing 14, injuring 22 more.
11:42 am
a few months after that, isis struck again in brussels, the home of nato's headquarters. on march 22nd it launched a series of coordinated bombings at an airport and train station that killed 22 and injured 300. these attacks underscore that one of the core responsibilities of our government is to ensure that those who protect us every day including the intelligence community have the tools to keep us safe. and these tools must adapt to both the changing technological landscape and the evolving security threats that we face. at the same time, the rights and liberties in our constitution are a constant and this committee is vigilant to make sure they endure no matter what.
11:43 am
section 702 of the fisa act, with the compelled assistance of american companies, sits at the intersection of these responsibilities. in 2008, after much debate and discussion, this bill was passed by congress and signed by president bush. and in 2012, then, it was reauthorized by congress without any changes and with president obama's strong support. from all accounts, it's proven to be highly valuable in helping to protect the united states and our allies. moreover, the privacy and civil liberties oversight board, the foreign intelligence surveillance board and many other federal courts have found section 702 constitutional and consistent with the fourth
11:44 am
amendment. the questions and concerns persist for some about its effect on our civil liberties. most of the concerns relate to the treatment of communications collections when it turns out that a targeted foreigner is in contact with somebody inside the united states. but, of course, these are also situations where the program can be highly valuable. by letting our government know if a foreign terrorist plot might reach our shores. so this committee's oversight of this law should continue to be robust and although the fisa amendments act doesn't require congress to reauthorize it until the end of 2017, i'd like to begin the conversation about it well in advance of that reauthorization. that's why i requested the committee receive a classified briefing from the obama
11:45 am
administration on section 702 back in march of this year. it's why i am so glad to have such a distinguished panel here with us today to talk about those issues. it's why i'm sure we'll continue the public dialogue with the administration and others in the future. as i mentioned, section 702 allows for the targeting of foreigners located overseas for surveillance. the statute specifically prohibits the targeting of anyone within the united states. or any u.s. person wherever that person is located around the world. and it also prohibits what's called reverse targeting, targeting someone outside the country for the purpose of targeting a specific person who is located inside. under the statute, the fisa court must approve targeting and
11:46 am
minimization procedures to ensure that only appropriate individuals are subject to surveillance and that limit the handling and use of any communications so collected. and implementation of the statute is overseen by all three branches of government including inspectors general. it's true that human error has led to mistakes in implementing the law over the years. it's significant that no internal or external review of the section 702 program has ever found any instance of an intentional violation of the law. moreover section 702 has been highly important to our national security. the privacy and civil liberties oversight board found unequivocally that it quote, has helped the united states learn more about the membership,
11:47 am
leadership structure, priorities, tactics and plans of international terror organizations. it has enabled the location and movements of suspects already known to the government. it has led to the discovery of previously unknown terrorist plots directed against the united states and foreign countries enabling the disruption of those plots. end of quote. the board came to these conclusions about the value of section 702 programs after conducting a lengthy in depth review of it. just as importantly, however, the board found that the program was constitutional and authorized by statute. in addition, the board proposed a number of recommendations to help improve the privacy and civil liberties protections of 702. according to the board's most
11:48 am
recent assessment report, just this february, all of its recommendations have been implemented in full or in part or the relevant government agencies have taken significant steps towards adoption. that's encouraging news. among other things i look forward to hearing about the status of these recommendations today as we discuss reauthorizing this important national security authority. what i think we'll do is we'll start with the first witness, mr. wainstein and senator -- when senator leahy comes we'll stop and let him give his opening statement. would you proceed, please, sir. >> thank you, chairman grassley. it's an honor to be here with you today to discuss the issues that fisa raises with my distinguished co-panelists. since the attacks of
11:49 am
september 11th, 2001, we've been able to build a framework that affords us the ability to intercept our adversaries' communications. we have modernized our surveillance efforts by passing the fisa act and reauthorizing it in 2012. it is important at the outset to remind ourselves why it was necessary to modernize the foreign intelligence surveillance act in the first place. as you know, the fisa was passed in 1978. congress was persuaded that the surveillance efforts should be subject to a process of judicial review and approval. to effectuate that, congress passed fisa, and defined those types of surveillance that require approval from that court. in defining which surveillances fell in that category congress differentiated by the technology in a way that effectuated
11:50 am
that, but to carve out from the court approval requirement those communications that were foreign based, where the fourth amendment does not apply. however, with the change in communications technology in the intervening years, that carveout started to break down. the result, the government found itself having significant manpower fisa court for persons out of the united states. very category that congress specifically intended to exclude would impose fisa approval requirement in 1978. that situation became untenable for counter-surveillance efforts after 9/11. to its enduring credit congress stepped up in the spring of 2007, undertook thorough analysis and debate and ultimately passed the fisa amendments act in 2008 and reauthorization
11:51 am
in 2011. on both occasions members from both parties worked in a bipartisan fashion to craft a law that was a significant step forward for both national security and civil liberties. the statute amended fisa in three important ways. first and most significantly, it authorized the fisa court to approve surveillance of categories of terror suspects and other foreign intelligence targets who were overseas without requiring the government to provide an individualized application as to each particular target. in section 702 faa prescribed a new streamlined process by which categories of overseas targets can be approved for surveillance pursuant to strict procedural requirements subject to review and approval by the fisa court and substantial oversight regimes by a variety of government entities: attorneys general, heads of agencies, inspectors general, the fisa court and the intelligence and judiciary committees of congress. in addition to providing this
11:52 am
authority and prescribing substantial oversight, faa also added to protection for u.s. persons in a very significant way by imposing for the very first time the requirement that the government obtain an individualized order from the fisa court to undertake surveillance of a u.s. person outside the u.s. the act was a very well calibrated piece of legislation. it provided authority but did so with an important eye on oversight and privacy rights of u.s. persons. since its implementation, faa authorized surveillance has been absolutely critical to protecting and understanding the threats we face. that was the case when i was reviewing faa reporting as homeland security adviser in 2008 and it is still the case today as you know from your briefing the other day. importantly, besides being implemented effectively, it's also implemented responsibly: findings, no known instances of misuse of that authority. so supporting reauthorization i ask congress to focus on three
11:53 am
considerations laid out in my remarks. one, vital importance to counter-terrorism efforts. two, extreme care with which members of congress of both parties crafted this authority when they passed faa in 2008 and reauthorized it four years later. and three, the findings that this authority has been implemented to great effect in compliance with the law and constitution. in addition to these considerations we want to focus on one other important consideration, which is the severity of the terrorist threat we face today. given that continuing threat as evidenced by recent attacks, now is not the time to weaken our defenses or scale back on critical intelligence authority like the fisa amendments act. to the contrary, now is the time to ensure intelligence community operators have the authorities they need to protect our country and time to reauthorize as it's done so much to protect our people and liberties for the last eight years. thank you for the opportunity to speak about this important issue and i look forward to your questions. >> thank you, mr. wainstein.
11:54 am
before mr. olsen goes ahead i would ask for opening remarks at this point. >> thank you, mr. chairman. as i mentioned earlier, we have conflicting schedules this morning, but it is a very important hearing. i think a week ago passed the act, several weeks later followed suit. that marked the first major overhaul of the government surveillance authority in decades. now today we're examining the fisa amendments act often referred to as, you've noted, section 702. this law expires at the end of 2017. so i'm glad we're getting an early start on this. i hope we can avoid the needless expiration of authority we saw last year when leadership would not bring up the usa freedom act until after the expiration.
11:55 am
i'm also glad, chairman, we're holding this hearing in the open so the american people can be part of this conversation. when congress last reauthorized the fisa amendments act in 2012, this type of discussion was not possible. almost everything about its implementation remained classified. since then the obama administration declassified much about the government's use of the law. so the transparency report put in place for the usa freedom act prompting our efforts. we have a lot of work to do. we're still missing a lot of facts about 702 implementation, additional reforms to protect americans' privacy. we also have to restore global trust in the u.s. technology industry, not a minor thing. section 702 is an important tool for national security agencies. we all acknowledge that.
11:56 am
but it's also extremely broad. while section 702 is aimed at surveillance of foreigners outside the united states, it sweeps up a sizable amount of information about innocent americans who are communicating with foreigners. so the authority requires strong oversight and transparency and safeguards to protect the american people. 2008, again, 2012. i opposed the fisa amendments because they lacked safeguards. despite these concerns about americans' communications being swept up, we still do not know how much of our data is collected under this authority. i understand the intelligence community is now developing a methodology to estimate that figure. it's long overdue but i applaud this happening. it's all the more significant because intelligence and law enforcement agencies search this
11:57 am
data for information about americans without judicial approval. these back door searches i think raise some serious constitutional questions. i ask consent to enter in the record written testimony from several organizations raising judicial concerns including -- >> without objection they will be included. >> i'll conclude with this. i know we're going to hear about the importance of this authority to our national security, and i understand that. it's a conversation we should have. we also must ensure surveillance programs operated under section 702 respect the other part of american security, our liberties, and our constitutional values. because unless they align with that, then it's a false sense of security. i look forward to hearing from our witnesses.
11:58 am
thank you. >> thank you. now, mr. olsen, would you continue. >> yes. thank you, chairman grassley, senator leahy, i'm honored to be here to talk about this important issue. as the former director of the national counter-terrorism center, i can attest to the value that faa has provided to our national security. it significantly has contributed to our ability to prevent terrorist attacks inside the united states and around the world. also as the former general counsel of the national security agency and as a former official at the department of justice's national security division, i was responsible in those jobs for ensuring that the law was implemented in a way that complied with the law, the constitution, and protected the privacy and civil liberties of americans. in my brief remarks this morning, i will focus on the operational aspects of section 702 and the value this authority provided to our counter-terrorism efforts. i think to start, to appreciate the importance of section 702, it is helpful to describe
11:59 am
briefly the threats that the united states faces from terrorism. over the past several years, the range of terrorist threats we face from al qaeda-linked groups has expanded and become more diverse. by any measure the so-called islamic state or isis is an urgent threat to our security today, its governing territory, at the same time secured allegiance of terrorist groups across north africa and the middle east. sanctuary in syria and iraq provided recruit, retrain and execute external attacks in paris and brussels. it also has the ability to incite others around the world as we've seen in san bernardino. veteran al qaeda fighters have traveled to pakistan to take advantage of the permissive environment there. they are seeking to carry out attacks against the west. al shabab maintains safe haven in the area, threatens security
12:00 pm
in the area, boko haram, ally of isis, continues to maintain their base in west africa. continues to support attacking the west, vying with isis to be the leader of a global jihad. al qaeda wields substantial influence over affiliated groups, particularly al qaeda in the arabian peninsula. indeed on three occasions, they have sought to bring down an airliner headed for the united states. there's every reason to believe it still has the intent and substantial capability to carry out such an attack. against this backdrop of a dynamic and lethal terrorist threat the ability of the united states to conduct surveillance under section 702 is vital to security. as director i relied on daily intelligence briefings from information collected by 702. this intelligence was instrumental to our efforts to discern intentions and capabilities of our terrorist adversaries contributing to strategic judgments and tactical
12:01 pm
insights. two declassified highlight 702. september 2009 analysts used 702 to target an e-mail address used by an al qaeda courier in pakistan. based on this surveillance nsa discovered a message sent to an individual in colorado urgently seeking advice on how to make explosives. further information revealed zazi had plans to bomb the subway. they stopped it before it occurred. in another occurrence surveillance 702 e-mail address used by suspected extremist in yemen. this surveillance led to discovery of a connection between that person and an unknown person in kansas city, missouri. further investigation revealed this man was connected to other al qaeda associates inside the united states who were part of an earlier plot to bomb the new york stock exchange.
12:02 pm
these individuals were prosecuted and pled guilty. in the context of these cases, it's worth emphasizing the role of collection under 702. in these cases the government collected information of operatives inside the united states directly as a consequence of their contact with section 702 targets located overseas. this was critical to the disruption of these plots and to the arrest of al qaeda operatives here. so-called incidental collection led to initial identification of zazi to advance their investigation. beyond the united states section 702 is a tool for counter-terrorism allies around the world. finally in describing the value of section 702, it's important to explain why it's uniquely important. as deputy attorney general from 2006 to 2009 overseeing surveillance programs i experienced firsthand the consequences of the pre-faa
12:03 pm
approach. in some cases it was simply not possible with that approach to demonstrate an agent overseas. consistent with the constitution to obtain critical intelligence about terrorist and other targets it simply cannot obtain by other means. in conclusion, i would say that the authority congress established under section 702 has played an indispensable role protecting the nation from terrorist threats. i look forward to your questions. >> thank you. chairman grassley, ranking member leahy and members of the committee, thank you for this opportunity to testify on behalf of the brennan center for justice. our nation suffers real threats from international terrorism. your challenge and your responsibility is to ensure these threats are addressed not only effectively but in a way that's consistent with the constitution, the privacy interests of law abiding
12:04 pm
individuals and our nation's economic interests. section 702 in its current form does not accomplish those aims. technological advances have revolutionized communications. people are communicating at a scale that was unimaginable just a few years ago. international phone calls, which were once difficult and expensive, as i remember, are now as simple as tapping a screen. the internet offers thousands of means of international communication. globalization makes these exchanges as necessary as they are easy. as a result, the amount of information about americans that the nsa intercepts even when targeting foreigners overseas has exploded. but instead of shoring up safeguards for ordinary americans and foreigners who communicate internationally, section 702 did the opposite, eliminated the requirement of an individual court order to collect communications between
12:05 pm
foreign targets and americans. it also limited be affiliated with foreign target or group. today can target any foreigner overseas regardless of whether he poses any threat to the united states and obtain his communications with americans. while the government must certify that acquiring foreign intelligence is one of its purposes, the law defines foreign intelligence broadly enough to include conversations about current events. moreover, the government has interpreted the law to allow collection of communications, not just to and from the target but about the target. this legal sea change underlies nsa's upstream collection program whereby a huge proportion of communications flowing into and out of the united states are scanned for selectors associated with designated foreigners and picked
12:06 pm
up. using upstream collection and prism, which obtains stored e-mails from u.s. companies, the nsa collects more than 250 million internet communications a year. that undoubtedly includes millions, if not tens of millions of americans' e-mails. and as we know, wholly domestic communications are included as well. to call this kind of mass collection targeted elevates form over substance. there are deep constitutional concerns with this surveillance. the fourth amendment may not apply to foreigners overseas. but when a law is designed to collect communications between foreigners and americans, the fourth amendment is very much in play. and when the fbi searches through those communications for evidence to use against americans in criminal cases, and then fails to notify the defendants how it obtained the
12:07 pm
evidence, it drives a hole the size of ft. meade through the fourth amendment. constitutional concerns aside, the mass collection of communications comes with significant risks and harm. the opm fiasco reminded us how vulnerable government databases are to foreign governments and other hackers. any massive database that contains sensitive information about americans carries with it the risk of abuse or negligent mishandling by this or some future administration. overbroad surveillance threatens our economic address by impairing the legal and practical ability of u.s. technology companies to do business with customers overseas. we're told that these risks are justified because section 702 has helped to stop terrorist plots, but the question isn't
12:08 pm
just whether section 702 is useful. we must also ask whether effective surveillance can be conducted in a manner that's less intrusive with fewer costs to our liberties. one final point, within constitutional balance set by the courts, americans should be able to decide for themselves how much surveillance is too much. but to do that we need information. five years after senator wyden first requested an estimate of the number of american communications collected under section 702, we're still waiting. congress and the public need this basic information for the democratic process to work. thank you, and i look forward to taking your questions. [ inaudible ] >> chairman grassley, ranking member leahy and members of the committee, thanks very much for the opportunity to testify on reauthorization of section 702 of the fisa amendments act. in 2014 the privacy and civil
12:09 pm
liberties oversight board, which i chair, issued an extensive report on section 702 and how it operates, in part to foster just the type of democratic debate we're having today. in short, the section 702 surveillance program collects the contents of communications of non-u.s. persons outside the united states where there's a foreign intelligence value. as i mentioned earlier, it has proven to be a valuable intelligence tool for the u.s. government thwarting terrorist plots and providing valuable information to u.s. government decisionmakers. section 702 has two components, prism and upstream. in prism the government collects contents of targets' e-mails and communications from other electronic communications providers. while the targets are non-u.s. persons, from time to time those non-u.s. persons communicate with americans. as a result the government is collecting large quantities of americans' communications. these are incidental communications because the u.s. persons are not the target but not inadvertent but known in
12:10 pm
advance american communications will be collected. in contrast, in the upstream program the government gets access to the telecommunications backbone over which some telephone and internet communications transit and collects content of e-mails and phone calls. by using about collection the government doesn't look in the header of to and from an e-mail but scans contents of e-mail for a targeted selector. as a result, if liza and i were communicating by e-mail and i sent her a message with the e-mail address of my uncle in turkey so she has a place to stay when traveling to turkey, if it turns out my uncle's e-mail address is one of 94,000 selectors currently on target in the 702 program, my e-mail to liza could be picked up and copied into an nsa database, even though neither one of us is suspected of wrongdoing and even my uncle might not be suspected of wrongdoing, may simply have valuable foreign intelligence information. if this program is to continue, it should have privacy and civil
12:11 pm
liberties protections, particularly where u.s. persons are implicated. accordingly i recommend three legislative changes. first, many of the communications collected under 702 have nothing to do with terrorism or crime. they can include family photographs, love letters, personal financial matters, discussions of physical and mental health and political and religious exchanges. u.s. person queries of that database are therefore capable of revealing a significant slice of an american's personal life. this is particularly the case for americans who correspond frequently with foreigners, including relatives, friends and business associates. since no warrant was ever issued for these communications which are covered by the fourth amendment, there should be some form of protection. before querying these databases for a u.s. person identifier, u.s. intelligence agencies and the fbi should submit identifier queries to the fisa court for approval in exigent circumstances. most important here is that a life-tenured federal judge has the final say over whether
12:12 pm
americans' personal communications are collected and reviewed. second, upstream communications raise two potential concerns. one is the purely domestic american to american and the other is over collection of communications. building on recommendations put forward in the 702 report technology involved government should be allowed to evaluate effectiveness of screening of domestic communications and also should determine ways of separating out types of communications so we can have policy decisions when all of them should be collected. third, a large number of u.s. persons' incidental communications are collected under 702 as i mentioned but how many? in order to have an informed democratic debate about the scope of this program, it's important that citizens and members of congress know how many americans' communications are being implemented in this program. i have no reason to doubt that the government has encountered difficulties in quantifying the number of u.s. persons' records
12:13 pm
it incidentally collects. nevertheless i urge requiring all agencies collecting under 702 to develop a manageable way to gather statistics and provide them to congress on a regular basis. i hope that congress will use the reauthorization process as an opportunity to enhance privacy and civil liberties protection from section 702 while maintaining a program that has provided enormously valuable information to protect our country from terrorism. appreciate the opportunity to present my views to the committee. thank you. >> mr. chairman, ranking member leahy and members of the committee, like mr. medine i serve as part of the privacy and civil liberties oversight board. as other witnesses have discussed, some aspects of the 702 program have been so widely misunderstood that i think a few key points are worth stressing. the first is the limits under which the 702 program operates. section 702 as the pclob
12:14 pm
unanimously found is a targeted collection program. it does not authorize bulk surveillance. the government may target only non-u.s. persons located outside the united states which means it can never target any u.s. person located anywhere and can never target anyone located inside the united states. and the government cannot target just any foreign person located outside the united states, only persons likely to communicate about foreign topics approved by the fisa court. in fact, nsa targets a tiny fraction of a percentage point of internet users in the internet world. although u.s. persons cannot be targeted, some communications will be incidentally collected. if it targets u.s. person, for example, that communication will be collected. this does not mean all of that u.s. person's communications will be collected but only communications with the target. of course as chairman grassley noted if those communications
12:15 pm
reveal a terrorist threat in the united states, they would be among the most important communications collected under the program. because it has privacy implications for some u.s. persons, the statute requires the program to operate under strict rules that minimize privacy impact. 702 is unquestionably a highly effective source of foreign intelligence. mr. olsen and mr. wainstein discussed this. pclob found 702 disrupts terrorist plots, previously individuals in terrorism and understand terrorist operations, priorities, strategies and tactics. the board concluded that it was authorized by congress and reasonable under the amendment. it did recommend refinements to the program but did not deem them to be legally required, did not recommend changes to section 702. it's worth noting the board's five members were unanimous in the report's central conclusions. also unanimous in virtually all
12:16 pm
recommendations for how to improve privacy protections. the administration implemented many recommendations and is working on the rest. one issue that divided the board concerns u.s. person queries. u.s. person queries by the fbi, i'd like to address that for a moment. the databases to see what the fbi already knows. these queries do not distinguish between u.s. persons and others because nationality is normally irrelevant to a criminal investigation. one of the fbi's databases contains a subset under section 702 though none of the data directed upstream, so none of the about communications mr. medine references. may include this database with other databases even if the crime being investigated does not relate to national security. however, it is extremely unlikely that an fbi query in a nonnational security investigation will hit on 702
12:17 pm
data. some suggested requiring fbi to get court approval before conducting query of 702 information in an investigation of nonnational security crime. the board did not recommend this approach, and i think it would be a mistake. in the interest of time, i'll mention just one of several reasons why. requiring judicial approval for fbi queries would be a step toward re-erecting the wall they have worked to break down since 9/11. likely would not expect to find a connection with 702 information. but if such a connection existed, it would be extremely important to know. the fbi's procedure should not limit queries in a way that would prevent the government from discovering these potential connections. limits should be placed not on queries of information but on the use of that information. the law should and does limit what should be done with 702 information if responsive to a query. this includes limits on who can view responsive information, high-level requirements before
12:18 pm
that information can be used in any criminal proceeding and notice to a defendant if communications are used against him. i believe these protections strike the right balance between getting benefit of information of important intelligence collected under 702 and protecting interest of those whose communications are collected. thank you. i look forward to your questions. >> based on your experience serving in the government, what else can you tell us in this unclassified setting about the value of 702 surveillance and how it's been used and how will it affect intelligence community if congress failed to reauthorize. >> chairman grassley, i'll be brief and turn it over.
12:19 pm
i was homeland security adviser in 2008 when fisa amendments act was passed. at that point if you recall surveillance committee was collecting intelligence and surveillance through protect america, stopgap legislation that preceded the fisa amendments act. you can see at that point the richness of the information coming into the reporting that got all the way up to the white house. you could tell it was really major step forward. as i mentioned in my remarks earlier, that's critical. it's a critical remedy for the problem that arose with changing technology over 1978 and when fisa amendments act passed in 2008. if we were to go back to that point, the same situation where we have way too many surveillances that are critical to carry out and not enough manpower. >> mr. olsen. >> i essentially agree with mr.
12:20 pm
wainstein, i was in the office before it was passed. we were at that time having a very hard time keeping up with the number of terrorist targets we were trying to track who were not u.s. persons located overseas. we were seeking individualized warrants. the system was overwhelmed with trying to get individualized warrants for individuals not entitled to that level of fourth amendment protection. the fisa act changed that consistent with the constitution, to go back to that especially in the current threat environment would, i'm confident, overwhelm executive branch and judicial resources. i also will say in terms of the value today, my last post came from faa or 702 collection. the pclob cited 30 cases in their report based on their
12:21 pm
classified review, their ability to see classified communication, 30 specific cases in which section 702 was the initial catalyst that identified previously unknown terrorist operatives or plots. that's 30 cases that it was able to cite that was otherwise unknown. >> miss brand, about some people's suggestion that we get judicial approval or warrant before querying the database, you mentioned one reason you thought this wasn't a good idea. are there other reasons you can describe for us that in your view make such requirements problematic? >> thank you, mr. chairman, yes. i'll mention two. one is that i'm not sure it would further protect privacy to do that. two, i'm not sure it would be workable. with respect to privacy, query
12:22 pm
is an unobtrusive tool. less intrusive to look at information already there than going out to collect more. before a query can be conducted the government will have to assemble a package for fisa court, which will presumably require them to go out and get information through a more intrusive means to justify less intrusive means. that seems backward to me. in terms of workability, as i said before fbi does not distinguish between u.s. queries and others because irrelevant. if they are doing bank fraud investigation and they want to see what the fbi knows about somebody they are not going to identify whether they are a u.s. person or not because there's no reason to ask that question. approval for u.s. person queries without judicial approval for all queries. because the fisa court process is so cumbersome and time consuming that would result in no queries which would prevent 702 and other investigations
12:23 pm
which i think would be a mistake. >> follow up from mr. wainstein and mr. olsen. based on your experience in law enforcement what would the effect be of subjecting these to judicial approval. >> i agree with miss brand. that would slow down the process of searching through information lawfully collected. attorney in the security tuition, fbi or nsa would have to compile applications to the court. in cases the court can move quickly, in cases it hasn't proven it can move quickly but more cumbersome process where i'm confident agility and speed is critical. without really any gain from privacy perspective and against
12:24 pm
a record that doesn't have any indication of abuse in term of the current approach of allowing these agencies to conduct investigations without prior approval. >> go ahead. >> thank you, mr. chairman. just to add to that, keep in mind that kind of requirement is not in place for information collected, incidentally collected information under title 3, criminal wiretap statute. it's a bit ironic that you'd impose that requirement in the national security context where often you're trying to prevent something from happening like a terrorist attack, where speed is of the essence and not required in criminal context where speed is of less importance. >> senator leahy and then senator from texas, i'm going to step out for just a minute but you two go ahead. >> thank you. i think everybody agrees we want
12:25 pm
to keep the country safe. i do appreciate numbers being tossed around here i also worry what's behind the numbers. we heard on a different issue from nsa about 52 attacks their wiretaps stopped and numbers always given until they testify in public and 52 became a dozen, which became five, which became part of one after the fact in following up on an fbi investigation. i'm not suggesting these are exactly the same here. i always worry about numbers that we're assured that americans privacy was protected because of the tough security measures nsa had. they weren't good enough from
12:26 pm
stopping a 28-year-old from stealing all the information and bringing it from china to russia but otherwise they were very protective of american rights. part of this worries me. i want us to be secure. we can be very secure if we put a tail on every single american and search every single american's computer and phone. none of us are suggesting that. i worry if we do parts of that. let me ask, why do you agree with the review group congress should require a court order based on probable cause. >> thank you. i think to understand what's so disturbing about back door searches, you have to look at what comes before them. in order to fit its way into the foreign intelligence exception as it's called to the fourth amendment, and in order to avoid getting a warrant or getting an
12:27 pm
individual fisa order, the government has to certify to the fisa court not only that it's targeting a foreigner, not an american, not only that it has a foreign intelligence purpose, but also that it's not doing any reverse targeting, which means it has no intent to target any particular known americans. then having made that certification, as soon as the data is obtained, all three agencies can sort through the data looking for the communications of the very particular known americans in which the government just disclaimed any interest. and the fbi doesn't even need a foreign intelligence purpose to do it. the fbi can search for evidence in criminal cases that have no national security or foreign intelligence component whatsoever. so this is a bait and switch that undermines the spirit, if not the letter, of the reverse targeting prohibition. more important it undermines the purpose of that prohibition, which is to ensure that section
12:28 pm
702 doesn't become an end run around the fourth amendment's requirement and around fisa court's -- fisa's individual order requirement when an american is a target. i would note one more thing, which is that the president's review group on intelligence communications technologies, which included a former deputy director and acting director of the cia, former chief counter-terrorism adviser to president george w. bush recommended a warrant to search americans communications. they were not trying to rebuild the wall. they were trying to protect americans from warrantless surveillance. that's what closing the back door is about. >> the -- some have argued we shouldn't worry because section 702 programs are these
12:29 pm
minimization procedures limit use of retention information. i would ask both of you and professor medine, do you believe the current minimization procedures ensure the data about innocent americans is deleted, is that enough? >> senator leahy, they don't. minimization procedures call for the deletion of innocent americans' information upon discovery to determine whether it has any foreign intelligence value. what the board's report found is that, in fact, information is never deleted. it sits in the databases for five years or sometimes longer. and so the minimization doesn't really address privacy concerns of incidentally collected communications, again, where there's been no warrant at all in the process. when the government shifts its attention from non-u.s. person to americans' communications there should be court approval in that exchange. as mentioned earlier in title 3, there has been a warrant before
12:30 pm
the information was collected. in the united states we simply can't read people's e-mails and listen to their phone calls without court approval and the same should be true when government shifts attention to americans under this program. >> do you agree with that? >> i do agree. there's this idea if the government collected lawfully should be able to use it for any purpose. whatever truth that should have in other contexts is clearly not the case with section 702 because congress has required minimization. minimization is the opposite of you can use it for any purpose you want. constitutionally it's not the case either; the reasonableness inquiry includes an assessment of whether the safeguards on americans set are sufficient. >> thank you. senator cornyn. >> thank you all for being here. i'm actually encouraged that everybody on the panel, including the people sitting up here agree that targeting foreign intelligence sources
12:31 pm
using 702 has been not only demonstrated as constitutional but also as effective. so the question to me is do we want to somehow limit ourselves in terms of access to foreign intelligence in a way that could make us less safe. that's an important conversation to have. but i'm pretty clear on where i come down. so the concern is, of course, with what's happening in syria and with the growth of islamic state or daesh, whatever you want to call them. with the meltdown in libya, where you're seeing a pathway of foreign fighters now making their way into europe where, of course, they don't need a passport to travel among various member states of the european union. many of those countries have visa waiver programs with the united states, whether people can gain access to the united states or whether they can just, as in the case of san bernardino
12:32 pm
radicalize people in place. although obviously the two individuals involved there had traveled to the middle east as well. so i think it's really important that we understand what the process is. obviously a lot of oversight by the fisa court, which many of my colleagues say is very important to them by the director of national intelligence, odni. the department of justice. there's a lot of oversight here and a lot of effort to try to minimize the impact on american citizens. although the fact of the matter is, as i understand it under 702, the only american citizens who'll be impacted by this process without a court order will be those who are communicating with a known terrorist target overseas. now, that's not exactly an innocuous purpose, it seems to
12:33 pm
me. so mr. olsen, i wonder just briefly talk a little bit more about what efforts have been built into this program to minimize the breadth of the sweep of this program in a way that might otherwise pick up american citizen communications in a way that really frankly the intelligence community could care less about. >> thank you, senator. as you mentioned, one of the hallmarks of legislation is that all three branches of government play a central role in ensuring the law is implemented in a way that protects privacy and civil liberties. executive agencies that implement the law are on the front lines of oversight and compliance, fisa court plays a robust role. having been federal prosecutor for years, i can tell you the court is not rubber stamp, aggressive in oversight of cases. this sometime and intelligence committee plays a significant role. all three branches of the government are involved in
12:34 pm
overseeing this authority. with respect in particular to u.s. person information and the minimization procedures as pclob found those procedures were consistent with fourth amendment and consistent with the statute. in fact, that's the exact opinion judge hogan recently reached last fall in a case that was declassified recently, an 80-page opinion by judge hogan finding the judge's recent certification was constitutional and complied with the law and in particular that the use of fbi queries of 702, the issue that we've been discussing, was also consistent with the law and with the constitution. >> under the fourth amendment, the issue is whether the search is reasonable. right? >> yes. >> not an outright -- i think some people are suggesting there's some outright prohibition here. under the protected -- protective mechanisms you say built into the statute court upheld access to communication by an american citizen with somebody we know is
12:35 pm
a target for foreign intelligence purposes. let me just -- i know mr. medine didn't mean this seriously, but he mentioned sweeping up love letters. my staff tells me that there's a significant case recently, the zazi case where terms like wedding cake and marriage were used as code words that the terrorist used to plot attacks against the united states. i don't know. mr. olsen, is that something you can talk to us about? >> certainly the zazi case was one of the key cases the government has referred to over the last several years as an example of the value. >> in other words, in our zeal to protect love letters, we don't want to protect terrorists who use code words that might otherwise escape scrutiny by the intelligence community. >> that's absolutely right. a very brief example. >> please. >> hypothetical. two foreign terrorist targets in syria communicating with each other. targets of 702. say they -- this is
12:36 pm
hypothetical -- they share a passport photo of an american. that would be viewed by -- potentially viewed by nsa in collection under 702. that passport photo could be innocent, right, could be just two people sharing a photo of somebody they know. but it certainly would be of significant interest to the fbi and nsa to not only collect that information incidentally about that u.s. person but to be able to search 702 quickly to say who is this person, do we have other information in our 702 databases and other databases. i think that's exactly from my perspective coming from national counter-terrorism center what we would want to do quickly. >> without probable cause, may not be probable cause to do that, certainly within the statute as judge hogan found. >> we talked about the wall between law enforcement and intelligence and obviously probable cause is critical under fourth amendment. you're talking about prosecution under the fourth amendment where
12:37 pm
american citizens' rights and bill of rights has to be protected by a court order requiring showing of probable cause. terrorists don't have any protection of the fourth amendment, nor is probable cause required to get that information. that's the point we need to continue to hammer home because i think people are a little confused about that. >> thank you. >> senator feinstein. >> thank you very much, mr. chairman. thank you for holding this hearing. it does give us a little bit of an advance on the hearings that will be held certainly next year. so i very much -- i want to commend those who serve on the pclob board, thank you for your service. matt olsen, it's good to see you again. thank you so much for your service. it's very much appreciated. as a long-term member of the intelligence committee, about 15 years now, we see the value of this program frequently. the problem is that the government has been reluctant to
12:38 pm
declassify sufficient numbers of cases so the public gets an understanding of the value of the program. and the zazi case has been used in the 215 situation, it's used intensively in the 702 situation. for anyone that is listening, it is really important to declassify more of these to show the value of this program. those of us who meet two afternoons a week and go over intelligence and hold hearings and read the intelligence see the value of the program. but i think the general public does not. i see it as practical, as prudent as maintaining constitutional guarantees. i've just been reading the director of national intelligence's unclassified report on the ability to query section 702 using u.s. person
12:39 pm
identifiers as an essential national security tool. and i would just like to read a couple things and then ask that you all comment on them. and he's talking about using a u.s. person identifier and saying that it would impede, and in some cases preclude, the intelligence community's ability to protect the nation against international terrorism and other threats. and then he discusses that such a requirement is not required by the fourth amendment, that it would be impractical, and that it's rare that the intelligence community begins an investigation already developed -- having already developed probable cause. i think that's been said by one of our witnesses. i would like to ask mr. medine and others to comment on the
12:40 pm
text of your recommendation, there are 22 of them. you say many have already been accepted by the government. but the one i'm curious about is on page 16, recommendation 2, updating the fbi's minimization procedures to accurately reflect the bureau's querying of 702 data for nonforeign intelligence matters and place additional limits on the fbi's use of section 702 data in such matters. would you comment on that, please. >> thank you, senator feinstein. one of the things that our board discovered in our 702 investigation was what brand located, fbi routinely looks into 702 databases. not just investigations but assessments when the fbi has absolutely no suspicion of wrongdoing but they are just sort of entitled to poke around and see if something is going on. they nonetheless access query
12:41 pm
702 database. but fbi's minimization procedures weren't transparent about that progress. >> are you saying that the pclob believes there should be a fisa board approval prior to querying? >> the pclob majority did not support fisa approval but judge patricia wald and i dissented. >> would you please put -- i think this is going to come up. would you please put for this body both sides of the question. >> sure. on the side of having a query, as i mentioned earlier, under the fourth amendment, the government is now accessing americans' personal communication. i did want to clarify one point earlier. this program does not only target terrorists.
12:42 pm
i think it would be a different situation if it was terrorists, anyone with foreign intelligence value. it could be a completely innocent businessman or anyone else out of the country who has that information. we have an american talking to someone who is potentially innocent of any wrongdoing and yet capturing that american's communication. it could be a love letter. it could be a business transaction, but all those are being captured. when we shift our attention to that communication, will there be court approval. >> thank you, senator. it's important to keep in mind when talking about 702 data, you have to keep in mind the scope of the issue. the fbi doesn't get any upstream data, two aspects of 702, prism, upstream. upstream is more concerning from a privacy standpoint because there could be about collection and so forth. the fbi does not get any of that data.
12:43 pm
they get a subset of 702 data. when questions are raised about queries of 702 data, not 702 data in national security investigation because everyone seems to agree in a national security investigation you ought to be able to query 702 data but querying that data in other investigations. when we were doing our 702 report in discussing this with the fbi, they weren't able to give us any example of that ever having happened. so it is at the very least extremely unlikely. in fact, when judge hogan wrote his opinion, he referred to this possibility as remote if not entirely theoretical. extremely unlikely 702 is ever going to come back in an investigation. as i said in my opening statement, if there is a connection there, you want it to be discoverable. that was the other side of the story. >> thank you. >> now senator tillis. >> thank you, mr. chair. i was glad to hear senator feinstein talk about the value of this program. she has insights many of us not
12:44 pm
on intelligence would not have. so i think it is very important for the american people to understand why this is a very useful tool and important tool. i would guess that back to the point about declassification, i would guess that some of the apprehension around declassifying some of the other cases could relate to other bad actors, reverse engineering, how they can avoid detection if they know what patterns were used to identify and thwart the other event. i can see it's not just merely because they want to keep it private, there are probably legitimate future risks that could result in understanding how this data was triangulated and used before an existing attack. is that correct, mr. olsen? >> i think that's generally exactly right, the ability to understand how the government collects this type of information is something the government does not want in the public record. >> miss brand, i wanted to go back to the last question senator feinstein asked. in your opening comments you
12:45 pm
talked about the irony of requiring a court order before you get access to 702 data actually requiring more information to be captured before you can move forward with the query. can you talk more about that? i think it speaks to the elongation of the process of the investigation. while the fisa courts may be able to move reasonably quickly after the information is gathered, there's time associated with gathering that information. can you talk a little about that? >> sure, then i'll hand it off to mr. olsen and wainstein who have more practical experience with the investigation process than i do. in general, less intrusive means to more intrusive means. at the beginning of the investigation you may just have a tip. you want to figure out whether to pursue that tip or not do anything. so you'll start by doing a query of databases to see if you know what's worth pursuing. as it proceeds you may develop enough information to satisfy
12:46 pm
probable cause for search warrant or wiretap or so forth. at the very initial stages of the investigation, you typically don't have much information, that's why you do a query. to then require the government to compile more information in order to start with less intrusive means, that just doesn't make sense to me. mr. wainstein and olsen may have more insights into that. >> mr. wainstein. >> i want to address the speed issue. that's something people need to focus on. mr. olsen and i have been through a number of threat investigations where there's an indication of a threat. maybe somebody here in the u.s. at that point, you want the intelligence community operators to get access immediately to every area that there might be relevant information. while the fisa court does act quickly, the process of having to put together that information not only being more intrusive in relation to u.s. person privacy, it just takes time. that time can be absolutely critical in an investigation. we've seen that over and over.
12:47 pm
>> would you mind if i speak to the privacy as a representative of civil liberties here. i would hope you take note the privacy community is unanimously behind a warrant. it's our considered opinion that this is far more protective of privacy to require a warrant than to allow queries of data. >> are you aware of any examples to this point where it would be likely the warrant would be denied? i'm trying to find the violation. here is the reason i'm concerned with this. we are in an environment where the number and severity of threats according to leading people in the intelligence community are at an all-time high. and so time is not only -- it's not only the investment in time but also the investment in resources. we need to be able to identify and cast as wide a net as possible. i'm trying to figure out, i understand your concern, and i'm sympathetic to it.
12:48 pm
the question is, have we seen this necessarily produce a systemic risk that's actually resulted in legitimate violations of someone's fourth amendment rights? >> i mean, i think the violation of the fourth amendment right. i know mr. olsen said there was no evidence of abuse of back door searches, back door searches are the abuse. it's a warrantless search of americans communications that were gathered based on a representation that the government was not targeting americans. >> this is a search of data the government is already in possession of. >> a search of the data required by law and fourth amendment to minimize use and access to personal information. >> mr. medine, i had a question for you in my remaining time. in your opening comments, did i understand you to say that it didn't recommend any legislative action but there were additional changes that should be -- i was trying to reconcile that. is that correct?
12:49 pm
would that suggest that the acts, as they currently stand are sufficient, implementation needs to be modified or adjusted? >> it is correct the board recommended administrative changes. as i mentioned earlier the government is very responsive to those and has implemented or in the process of implementing those. one of the other members did dissent and recommend the requirement of a court approval. also on the classification front, one of the things the board experienced in preparing its report is that we found some facts about the 702 program we thought could be made public without harming national security. we had a positive dialogue with the intelligence community as a result of which there are 100 facts in our report that had been previously classified that the intelligence committee felt could be declassified and allow for a greater debate about the program. >> thank you. >> mr. chairman, may i just know which report that is? is that the recommendation's
12:50 pm
assessment report you're speaking of. >> senator, 702 report, almost 200-page report on the 702 program. again, we were able to have greater transparency about the program. >> i think it could be valuable. i think senator franken is next. >> i'm ranking so i'm going to stay here for the remainder of the hearing, so i would yield to anybody else. >> thank you, chairman. first let me welcome ken wainstein back to the committee. he and i were on adverse sides of a considerable number of issues during the bush administration, but he was always an entirely honest and honorable broker on his side, and i think we worked well together, and it's nice to see you back before the committee. you mentioned the comparison between incidental collection under fourth amendment searches
12:51 pm
and under the 702 program. and of course if you go back to the earliest days of the warrant requirement when somebody had a search warrant and was able to go into somebody's desk and search their papers with that warrant, their papers were not just their papers. their papers were notes that they'd made about their letters out and also their letters in, and so there was incidental collection of people who were not the subject of the search warrant from the earliest days of the republic. when we got into wiretap, it became a little more complicated, but once again, you can't listen into the conversations of a mobster without listening in to the other side of that conversation. so wiretaps over and over again engaged in incidental communication.
12:52 pm
or incidental collection. so there's really nothing new about incidental collection of the people who are not the subject of the investigation and question. it strikes me what is new is the creation of a database to preserve the incidental collection and the question of minimization. minimization i don't think really applied in the search warrant days other than there was obliged to be return of the product. i guess that was the minimization of its era. in the wiretap era, fbi agents listening in on a mobster's conversation, once it turned out it was their mom or they were placing an order at the butcher's, you were required to switch off and not listen then check back in to see if the conversation had changed to something inculpatory, but you'd be switching on and off. could you just elaborate a little bit more on how modern fourth amendment search
12:53 pm
techniques and storage of that data takes place in the domestic context under the fourth amendment search requirements and compare the minimization and the database collection to what we see with the 702 program? >> thank you, senator. thank you for those kind remarks, and i share those sentiments completely. it was a pleasure to work with you over the years. your question is as usual a very good one. let me break it down into two different questions. first in terms of the database. you're right that under 702 there's the need, especially in the national security context, to pool data that might be relevant for the very reason we discussed earlier, that when you have a threat, you have an indicator of a threat, you want to be able to access all that information at once, not go to different databases or every different agent who collected
12:54 pm
from one particular target. so, yes, it is pooled in a way that often title iii take is not pooled, where you have title iii wiretapping in one criminal case in this district collected by the fbi in one place, maybe not pooled with title iii conversations elsewhere. but as a legal matter, they're indistinguishable in the following way. and in terms of title iii, you're right, there is minimization. it's minimization, though, if i'm the target, the government's duly authorized to collect on me, and i'm talking to the pizza delivery guy, the agent is supposed to turn it off and then turn back in some interval of time later to see then talking to, you know, my terrorist confederate or my, you know, drug dealing confederate.
12:55 pm
whether that person is involved in the criminal activity or not. that person's privacy has not been reviewed by a judge the judge that issued the warrant that authorized the collection against me. that's the same thing that's happening in 702. the other person, the counterparty in the conversation has the same limited rights to resist the government's ability to listen to that conversation as the counterparty that pizza guy in my situation. >> i guess to use the word, the doctrinal question we face is once that has been legitimately collected and the government puts it in a database and enables itself to go and search it at will in a large pooled database, should that be seen as a secondary event that suggests the requirement for some gatekeeper before they have full access? my time's expired i can't continue the conversation further. thank you, chairman of the hearing.
12:56 pm
>> senator klobuchar. >> thank you very much. and thank you to senator franken for his good work in this area and for allowing me to go before him. that was nice. thank you for all you have done and i've had experience with this before, for eight years i managed a prosecutor's office with about 400 people, and have been personally in the room for some of these wiretaps. they weren't federal wiretaps, they were local ones. as many of you noted in your testimony, it's critical our laws reflect the balance between national security interests and privacy civil liberties. that's one of the reasons i co-sponsored have voted for the bipartisan usa freedom act. i wanted to ask you about the bill itself as we look at the reauthorization ahead and what we should be doing when we consider any changes to the law. as section 702 is currently constituted do you believe it strikes the appropriate balance between the protection of
12:57 pm
national security and civil liberties? what changes would you like to see? we can go down the line here. mr. wainstein. >> thank you, senator. yes, i do think it strikes the right balance. i believe it does that by providing ample oversight, which is meaningful oversight by all three branches. also i think you see that balance being played out in terms of the internal procedures which are reviewed by the fisa court and also by the intelligence judiciary committees and resulted in the finding of the civil liberties oversight board with the finding there have been no incidents of intentional misuse of authority. which i think is meaningful. >> i also believe it should be reauthorized. i was part of the effort and executive branch in 2008. behind the passage of the law and can attest to the way in which it was calibrated at the
12:58 pm
time to make compromises on both sides to achieve an appropriate balance. but it's also not been static. it's the implementation of the law has been dynamic and has changed over the years and in particular, the what i think really is a landmark report by the privacy and civil liberties oversight board which did an intensive and thorough investigation found the law was not only valuable but constitutional and legal. made recommendations which has been implemented. >> is it one of the concerns that was raised that there was too much data to analyze? and that could be -- do you think there's merit to that? >> i did read that part. with respect i don't think there's merit. i can tell you that more data of this type, 702 data, is better than less. the government has the ability to with that data search it. we talked about it, search, process it and find -- has a better chance of finding the needles that we're looking for
12:59 pm
when we're trying to stop a terrorist attack. that can be a concern in other contexts i understand more data might obfuscate the needle. in the 702 context, i don't think that's a persuasive argument. >> thank you, mr. goitein. >> so i believe that section 702 goes much further than it needs to go in order to accomplish the aims i think we all want to see accomplished. and i would point out that some of the cases -- in fact all of the cases that have been made public relating to section 702 successes are cases in which the surveillance, the section 702 surveillance was of a known or suspected terrorist or someone known to have ties to terrorism. while these are evidence of, you know, section 702 working they do not support the idea that section -- >> what would you -- i don't want to -- i want to -- >> i'm sorry. you're short on time. our position is the only way to secure the constitutional
1:00 pm
validity of section 702 is to have an individual order when the government collects communications between a foreign target and an american there are many other steps that could be taken to improve section 702 that includes closing the back door search loophole, includes narrowing the definition of foreign intelligence, narrowing the pool of people who can be targeted so it's not just any foreigner overseas and ensuring that notice is given any time that 702 evidence is used in court or evidence derived from section 702 is used in legal proceedings. >> do you want to add anything? >> i recommend three legislative changes one is require the government to estimate the number of americans communications that are intercepted under 702. second is tighten up the upstream about collection process. and, third is to require court approval for queries of americans' information. under 702. and following up

