The Complex

Congressmen Reveal Secret Report’s Findings to Discredit Snowden

Updated 3:50 p.m. EST

A Pentagon review has concluded that the disclosure of classified documents taken by former NSA contractor Edward Snowden could "gravely impact" America's national security and risk the lives of U.S. military personnel, and that leaks to journalists have already revealed sources and methods of intelligence operations to America's adversaries. At least, that's how two members of Congress who have read the classified report are characterizing its findings. But the lawmakers -- who are working in coordination with the Obama administration and are trying to counter the narrative that Snowden is a heroic whistleblower -- offered no specific examples to substantiate their claims.

In harsh language that all but accused Snowden of treason, the top members of the House Intelligence Committee said the report shows that Snowden downloaded "1.7 million intelligence files," which they described as "the single largest theft of secrets in the history of the United States."

"This report confirms my greatest fears -- Snowden's real acts of betrayal place America's military men and women at greater risk," House Intelligence Committee Chairman Mike Rogers said in a statement Thursday. "Snowden's actions are likely to have lethal consequences for our troops in the field."

Rogers was joined by the committee's ranking member, Dutch Ruppersberger, who said, "Snowden handed terrorists a copy of our country's playbook and now we are paying the price, which this report confirms. His actions aligned him with our enemy."

A congressional staffer who is familiar with the report's findings said that the lawmakers chose to make some of its contents public in order to counter what they see as a false impression of Snowden as a principled whistleblower who disclosed abuses of power.

"Snowden has been made out by some people to be a hero. What we need to do is really look at the effect of his leaks and see that what he's done is really harm our country and put citizens at risk. The purpose [of releasing some findings] is to clear the record and show that he's not a hero," the staffer told Foreign Policy.

The staffer said that the administration approved the information that the lawmakers disclosed in advance. Rogers and Ruppersberger, along with other lawmakers, were scheduled to meet with President Obama at the White House Thursday afternoon to discuss the findings of a review panel on NSA surveillance. The administration is expected to announce plans soon to rein in aspects of NSA's operations.

Rogers and Ruppersberger said that "much of the information stolen by Snowden is related to current U.S. military operations." Citing press reports that have focused on foreign intelligence gathering by the NSA, they said, "Snowden's disclosures have already tipped off our adversaries to the sources and methods of our defense, and hurt U.S. allies helping us with counter terrorism, cyber crime, human and narcotics trafficking, and the proliferation of weapons of mass destruction." The lawmakers cited no articles or specific documents to support that claim.

The Defense Department report was conducted by the Defense Intelligence Agency in coordination with other intelligence agencies across the government, according to two sources familiar with its findings. A spokesperson for the DIA said Lt. Gen. Michael Flynn, the agency's director, organized a task force "to assess the potential impact to the Department of Defense from the compromise of this information." But the spokesman did not say what, if any, conclusions the task force had reached about actual damage caused by documents Snowden took, regardless of whether they've been disclosed or not. 

Critics accused the lawmakers of slectively leaking information and using vague language about the real vs. potential damage from Snowden's disclosures. "No specific examples are actually given, and you will also notice in virtually every sentence includes the word 'could' -- meaning real damage hasn't actually occurred, they are just saying it potentially could happen," Trevor Timm, the co-founder and executive director of the Freedom of the Press Foundation, wrote in a blog post. "And of course, the actual report is secret, so the two Congressmen are able to say whatever they wish about it, and it can't be independently verified."

A spokesperson for the Director of National Intelligence would not comment on the findings of the classified report. But he called Snowden's leaks "unnecessarily and extremely damaging to the United States and the intelligence community's national security efforts."

"As a result of these disclosures, terrorists and their support networks, now have a better understanding of our collection methods and, make no mistake about it, they are taking countermeasures," said Shawn Turner, the DNI spokesman. "Specifically, we have seen in response to the Snowden leaks al Qaeda and affiliated groups seeking to change their tactics, looking to see what they can learn from what's in the press and seeking to change how they communicate to avoid detection and avoid our surveillance."

The question of how much information took from the NSA has been difficult to answer, and the statement from members of Congress didn't clarify the matter. Estimates in the press, quoting anonymous officials, have ranged from 50,000 documents to nearly two million.

The lawmakers didn't specify what constituted an "intelligence file," as they put it, in claiming that Snowden had disclosed 1.7 million of them. The senior NSA official leading its review of the leaks, Richard Ledgett, was asked in an interview with 60 Minutes about claims that Snowden has taken 1.7 million "documents."

"I wouldn't dispute that," Ledgett replied. Ledgett is in line to become the NSA's next deputy director, following the resignation of the previous No. 2, Chris Inglis, according to sources who are familiar with the matter.

National Security

Techies Boycott Big Security Conference Over NSA Spying

The annual RSA conference in San Francisco, founded by the computer security company of the same name, is a marquee event for the security industry and has long been a forum for some of the most vocal opponents of government surveillance to discuss ways to keep personal data safe from prying eyes. But this year, talk of betrayal is in the air. At least eight prominent attendees are pulling out of the conference, which begins next month, and are canceling planned talks and presentations to protest RSA's alleged covert collaboration with the National Security Agency.

At issue is a $10 million deal that RSA reportedly struck with the spy agency to include a deliberately flawed algorithm in one of its security products, which effectively gave the agency a backdoor to spy on RSA's customers.

The alleged deal, which was reported last year by Reuters, shocked many security experts and technologists, who have long seen RSA as a pioneering defender of privacy-enhancing technologies like encryption and a historic adversary of the NSA. The company's products are used by people, companies, and governments around the world to shield their communications and data.

The agency's efforts to weaken an encryption algorithm that RSA eventually adopted in 2006 were confirmed in documents disclosed by Edward Snowden. His leaks have revealed a multifaceted campaign by the NSA to foil encryption and steal unencrypted information from Google and Yahoo. But the Reuters report is the first specific allegation of a company being paid to secretly insert weaknesses into its products in order to help the NSA spy.

"It's astounding," Jeffrey Carr, the CEO of Taia Global, said of RSA's alleged decision to use the NSA's flawed algorithm. "Even if RSA comes forward and says, 'Here's the contract, we had no idea there was a backdoor,' it's still bad judgment. It's maybe not as bad as saying, 'Yes, we took a bribe,' but it's still bad judgment."

Carr had planned to speak on a panel at the conference but pulled out as part of a growing boycott that, as of Wednesday, included two security engineers from Google, which itself has been a high-profile target of NSA's intelligence-gathering apparatus. So far, the protesters are a mix of technologists and activists. No conference sponsors have pulled out, and only one company has said none of its employees will speak.

Mikko Hypponen, a prominent security researcher, was the first conference attendee to pull out, a decision he announced two weeks ago in an open letter to RSA executives criticizing their alleged cooperation with the spy agency.

"I don't want to portray myself as a leader of a boycott," Hypponen wrote on Wednesday in an update to his letter. "I did what I felt I had to do. Others are making their own decisions." Hypponen, the chief research officer for F-Secure, a security company based in Finland that has offices in the United States and around the world, said that no one from his company would speak at the conference.

What's especially galling to the conference boycotters is that RSA's founders were some of the original stalwarts against NSA's efforts to foil encryption. In the 1990s, they helped lead a charge against an NSA project, known as the Clipper Chip, to stop the proliferation of commercial encryption, which the agency feared would allow terrorists and criminals to communicate using codes that it couldn't break.

Ironically, the RSA conference started in response to concerns by privacy advocates and technologists that the government would try to dictate encryption standards, thus giving agencies like the NSA the privileged access for which they allegedly paid the company years later. (RSA was acquired by EMC Corp. in 2006.)

In a statement last year, RSA denied that it entered into a "secret contract" with the spy agency. But it hasn't explicitly said that there is no backdoor in the product that it ultimately sold after consultation with the NSA. "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," the statement said. But RSA also distanced itself from the spy agency, saying that back when it decided to use the flawed algorithm, "the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."

Even that assertion may strike some security experts as a stretch, considering that the NSA has never made a secret of its attempts to break codes. (That is, after all, the business it's in.) But the NSA also helps make codes, and has encouraged the adoption of ostensibly strong encryption standards. The flaw in RSA's algorithm was quickly discovered and written about by security researchers at Microsoft and elsewhere at the time. But there was no proof it had been put there by the NSA. Not until the documents released by Snowden showed that the NSA had poisoned the algorithm did RSA encourage people to stop using it.

"Until RSA explains what happened, the available evidence we have points to a betrayal of trust," Carr said.

The RSA conference organizers didn't respond to a request for comment.

Joining the protest with Carr, Hypponen, and two Google engineers, Chris Palmer and Adam Langley, are Christopher Soghoian, the principal technologist for the American Civil Liberties Union; Marcia Hofmann*, a privacy and security expert and attorney formerly with the Electronic Frontier Foundation; Alex Fowler, who leads global privacy and public policy issues for Mozilla; and Josh Thomas, the "chief breaker" at security research firm Atredis Partners.

*Correction (Jan. 9, 2014): An earlier version of this post misspelled Marcia Hofmann's surname.

Gabriel Bouys/AFP/Getty