To what degree should the work of intelligence agencies be open to public scrutiny? Adam Henschke takes a look at the lessons from FBI Director James Comey and the ‘WannaCry’ ransomware virus.
US Intelligence agencies have been at the centre of two recent events with international significance. First, US President Donald Trump fired FBI Director James Comey, claiming that part of the reason was Comey’s public ‘grandstanding and showboating’. A few days afterwards, Comey’s firing was overshadowed as the ransomware cyber-attack ‘WannaCry’ unfolded around the world. While unconnected, they both point to a deeper issue facing intelligence agencies – how to decide between publicity and secrecy?
Comey’s embrace of the media set him apart from previous FBI Directors. So marked was the departure that it lead the US Deputy Attorney General to say that “the Director ignored another longstanding principle: we do not hold press conferences to release derogatory information about the subject of a declined criminal investigation… The Director laid out his version of the facts for the news media as if it were a closing argument, but without a trial. It is a textbook example of what federal prosecutors and agents are taught not to do.”
Perhaps Comey’s willingness to discuss what the FBI was doing and why was motivated by the push for intelligence agencies to be more open, and more willing to actually explain to the public what they are doing and why. On this view, Comey is an outlier, an FBI head who acted differently from all previous FBI heads. However, rather than showboating and grandstanding, he was evidence of an evolution in the ways that intelligence agencies actively publicise their actions and reasoning.
Contrast this with the criticisms of the CIA and the NSA following the impacts of the WannaCry ransomware. Brad Smith, Microsoft’s Chief Legal Officer, publicly criticised these agencies’ secrecy around software vulnerabilities. It seems that the NSA and others knew of the vulnerability with Microsoft’s software but they did not tell Microsoft. This was in order to keep the vulnerability should they seek to exploit it themselves.
This exposes a tension between national security and cybersecurity – if a vulnerability is discovered by intelligence agencies, should the agencies tell companies like Microsoft such that the risks to cybersecurity are reduced, or should they keep their knowledge secret such that they can use these vulnerabilities in pursuit of their national security agenda?
Underneath this tension lie questions of how intelligence agencies should engage with the public. On the one hand, Comey as FBI director is criticised for being publicly open, while on the other hand the CIA and NSA are criticised for their secrecy.
Australia is no stranger to the complexities and controversies around intelligence and publicity. The Australian Federal Police (AFP) recently went public revealing that a journalist’s metadata had been accessed by AFP officers without the necessary warrants. This event caused public anger, but to the AFP’s credit, they actively made the transgressions public.
Should intelligence be overly public, or is it best left to the shadows? At his testimony to the Senate Judiciary Committee before he was fired, Comey described his decision around discussing candidate Hillary Clinton’s emails as facing two options: speak or conceal.
“‘Speak’ would be really bad,” he said. “There’s an election in 11 days. Lordy, that would be really bad. Concealing, in my view, would be catastrophic. Not just to the FBI but well beyond.”
There is no easy answer to this – as we can see with Comey, going public with intelligence practice and decision-making is fraught with complexity and courts controversy. Going public, even on non-operational matters, can easily become part of existing political and social conflicts. The sacking of Comey and criticism of the AFP are examples of this. However, keeping things secret and closed off, out of the public view is clearly problematic. Criticism of the NSA following Edward Snowden’s revelations and the lack of openness about cybersecurity weaknesses display this in no uncertain terms.
Snowden has taught us that keeping things secret is no longer an easy option for intelligence agencies. The WannaCry ransomware shows the costs of keeping secrets. If nothing else, we are starting to appreciate the political and economic costs of opening intelligence agencies to public scrutiny.