Beyond the SCIF: A Conversation on Foreign Intelligence Surveillance Act (FISA) Reform

Panelists discuss Foreign Intelligence Surveillance Act (FISA) reform, including congressional reauthorization of Section 702, which is set to expire at the end of 2023, and the future of surveillance for intelligence purposes.

This discussion is part of the “Beyond the SCIF” (sensitive compartmented information facility) meeting series, an effort by House Intelligence Committee members to connect with experts and leaders in the national security field to create an open dialogue on threats facing the United States and ways committee members can counter the malign actions of our adversaries.

TURNER: Good afternoon. I want to welcome you to Beyond the SCIF this afternoon. We want to thank the Council on Foreign Relations for hosting this event.

Beyond the SCIF is a series that the Republican members of the Intelligence Committee are reaching out to think tanks and academics around the—really, across the country to pursue a discussion about some of the important topics that have come before our committee to get additional perspectives, additional information, so that we can take that and put it part of our working plan and part of our strategic plan and also to give us some confirmation of the work that we’re currently doing.

Now, when I was given the chairmanship of the Intelligence Committee I was given three charges. The first was to return the Intelligence Committee back to national security. You’d think that you wouldn’t have to do that but as you all know from the history of the Intelligence Committee that was a task that was very important, and what that means it’s not that the individual members on the Intelligence Committee weren’t working on national security but as a group, as a committee, we had left our core focus and purpose.

The second task I was given, which was essential to be able to turn us back to national security, was to return the committee to a bipartisan working group to make certain that the members could work together; our adversaries, those individuals who wished to do harm, national security issues don’t really have a partisan tilt. We wanted to get past that, working together. And I want to give Jim Himes, my ranking member, tremendous amount of credit for working with me to be able to establish that bipartisan relationship among our members and it goes all the way down. Every member I can honestly say that they’re working in a bipartisan basis on our committee.

The third is to open it up. The Intelligence Committee worked, you know, largely, in the basement of the Capitol and we weren’t a resource to either other members of Congress or really working—reaching out to those who are practitioners in national security.

So in the open up process we looked to bringing ranking members and chairmen of various other committees down to the Intelligence Committee, giving them briefings that were within their subject matter portfolio area, and then also as we’re doing today with Beyond the SCIF is opening the committee up to have a dialogue with outside groups, think tanks, industries, academics, oversight bodies, and that really has enhanced greatly the work that we’re doing.

The Beyond the SCIF today relates to 702 and FISA and the reform process that we’ve been undertaking. I want to thank Darin LaHood, who has been the chair of our working group on 702 reauthorization and reform. Not only has he worked diligently in that but his leadership is known in Congress, which has lent a tremendous amount of credibility to the overall process.

Darin graduated from John Marshall Law School with his JD and then he served nine years as state and federal prosecutor. From 2001-2006 he worked for the U.S. Department of Justice as an assistant United States Attorney in Las Vegas, Nevada, and was selected as the chief terrorism prosecutor.

LaHood also served as an assistant state’s attorney in Cook County and Taz County—Tazewell County. His background and expertise was tremendous as we took up these issues because as we had to talk to the agencies that we had oversight of he was someone who could talk on their level and with their levels of expertise and it was recognized by them.

I want to thank again the Council on Foreign Relations for hosting this event and for Darin for his leadership on 702 and for this event tonight.

Darin?

LAHOOD: Thank you, Chairman Turner.

Let me thank all of you for being here this afternoon for this important discussion on FISA and 702, and I want to also thank the Council on Foreign Relations for hosting us this afternoon. And as Chairman Turner just talked about, the Beyond the SCIF series is really an important way for us as members of the Intelligence Committee to get out and talk to folks and—on important topics like today.

When Chairman Turner took over the committee as Republican—when Republicans took over in January he really reinvigorated the committee in working in a bipartisan way and getting back to the core function of the Intelligence Committee, which is really national security focused. And so the Beyond the SCIF series is really an important initiative to give the public a view into the important work that this committee tackles.

So today Section 702 of the Foreign Intelligence Surveillance Act, as everybody knows, is set to expire at the end of the month and so this is a very timely panel that we have today and it’s particularly important that we focus on 702 today because of what’s going on in the world. Whether it’s the war raging in the Middle East, the conflict in Ukraine, what is going on in the South China Sea as it relates to China, it’s very important to have this conversation here today.

As Chairman Turner mentioned, in a previous career I was proud to serve as a federal prosecutor in the U.S. Department of Justice as the chief terrorism prosecutor and so I firsthand was able to use 702 when I worked in that office in that role and got to see the valuable aspect that 702 and that information presents to protecting the country and our citizens here.

I would also just mention I was—some of you may be aware—I was subject earlier this year of an improper FISA query by the FBI and I brought this to the attention of Chris Wray during our worldwide threats hearing. So I think I have a unique perspective when it comes to Section 702 and the debate and the reauthorization that we’re going through now.

And I can also tell you from my experience with 702 that it’s really a vital national security tool that is needed to keep America safe. But there have been far too many abuses over the last five years and before that and so we must reform it and put in revisions to better protect the civil liberties and privacy of all Americans.

And part of our role in Congress is really oversight and so when you think about the genesis of 702, which was put into place in 2008, we’ve had two reauthorizations in 2013 and 2018 and our role is to scrutinize, to fix, to reform, to revise and I think the product that the Intelligence Committee on the House side has come up with has done exactly that under Chairman Turner’s leadership there.

We have also held numerous listening sessions as a part of this product that we’ll be voting on this month and those listening sessions have included a lot of skeptics and critics but also people that have brought a lot of perspective. We’ve reached to people on the outside—some of the panelists here today—that have given us good feedback and also feedback from members, which has been important.

And we’ve also for members tried to highlight specific examples of how 702 has helped protect the United States, protect our citizenry, and also protect national security. Last week Republicans on the working committee released our executive report which lays out some of the issues with FISA and the necessary reforms needed to reauthorize that program. If you haven’t seen it I have a copy of it here. I would ask all of you to look at that.

Some of the reforms we outlined in our report include drastically cutting the number of FBI personnel who are authorized to query U.S. persons, requiring the FBI to obtain a warrant to conduct a query on an American for evidence of a crime, creating specific criminal liability for 702 leaks of a U.S. person’s communications, making FBI compensation contingent on query compliance, mandating independent audits of all FBI queries of U.S. persons, and, among others, prohibiting queries to suppress Americans’ political opinions or religious beliefs.

In addition, we believe that reauthorization of 702 presents Congress with the opportunity to reform Title I abuses and it’s important to make that distinction and we’ve tried to do that with many of our members, making the distinction between Title I of FISA which, of course, the genesis goes back to 1978, and contrasting that with 702.

For instance, when we think about reform we all think about the Title I abuses that happened during the Crossfire Hurricane incident involving Carter Page. To remedy that this report recommends a number of important recommendations.

One, we have five enhanced criminal penalties for those who violate FISA, leak FISA applications, or lie to the FISA Court. We also—giving the FISA Court—we also give the FISA Court the authority to prosecute for contempt, which currently is not available, and prohibiting using political opposition research and press reports to get a FISA order.

Lastly, we believe we must address the perception that the FISA Court is not transparent. Our report recommends court hearings be transcribed and made available to Congress. That will be done in our legislation.

We assign a court-appointed counsel—an independent lawyer—to scrutinize U.S. persons’ surveillance applications that fall into four categories: elected official, somebody running for office, someone that’s in the press, or a religious figure. We think that’s vitally important and new to this legislation. We also stopped the government from shopping for FISA Court judges.

So that’s not an exhaustive list but one that outlines dozens of our recommendations and there are many more in the report that I just referenced. But we are here under a constrained timeframe here today—an hour—and we want to leave time for audience questions. So let me quickly introduce our panelists and get to the important conversation here today.

First, on my far left, Stewart Baker. Stewart is of counsel at Steptoe & Johnston. And he previously served as general counsel at the National Security Agency, assistant secretary for policy at the Department of Homeland Security, and drafted a report on reforming the intelligence community after the Iraq war. Stewart has done extensive work on FISA, national security, CFIUS, and cybersecurity where he continues to provide commentary and co-host Steptoe’s “Cyber Law” podcast.

Next, Glenn Gerstell. Glenn is a Council on Foreign Relations member who serves as a senior advisor for the international security program at the Center for Strategic and International Studies. Glenn served as the general counsel at the National Security Agency and is the recipient of the National Intelligence Distinguished Service Medal, the Secretary of Defense Medal for exceptional civilian service and the NSA Distinguished Civilian Service Medal. Glenn has written extensively on national security and the intersections of tech, national security, and privacy.

Lastly, Karen Kornbluh. She is a distinguished fellow at the German Marshall Fund of the United States and the former U.S. ambassador at the Organization of Economic Cooperation and Development—OECD. Karen is a member and former fellow for digital policy here at the Council on Foreign Relations. Karen previously served as deputy chief of staff at the Treasury Department and director of the Office of Legislative and Intergovernmental Affairs at the FCC. She has extensive background in tech and internet policy ensuring our tech initiatives support democracies abroad.

So I’m really pleased to have an all-star panel with us today. With that, let’s jump in with questions.

I’m going to start, Glenn, with you. I mentioned it earlier the distinction between 702 and Title I with FISA. I’m wondering if you could start off with just a brief history of 702 and could explain why 702 was adopted in 2008.

GERSTELL: Sure. Thank you very much, and happy to be here and see some—many friends and familiar faces in the audience. So thank you, Congressman, for doing this and also to a CFR, of course.

So to get right to your point about what Section 702 is we also need to put it in context with the rest of FISA. But Section 702, as you said, was adopted in 2008 and provides a means for the United States spy agencies to do electronic surveillance on foreigners located overseas for purposes of foreign intelligence information using the compelled assistance of American-based electronic communications service providers—internet providers, telephone providers, et cetera. That’s the sort of capsule of what Section 702 is. It’s a foreign intelligence gathering program.

But in order to put it in context and understand why it was adopted in 2008 we sort of need to roll back the clock a little bit to the 1970s actually when the Church-Pike hearings in the Senate and House respectively uncovered a series of very significant abuses, mostly under the Nixon presidency, where the FBI and the CIA were engaged in significant aspects of domestic surveillance improperly.

So because the law was very confused at that state of time and because of these abuses Congress in 1978 created the Foreign Intelligence Surveillance Act, now forty-five years old, which set up the only secret court in the federal system—the Foreign Intelligence Surveillance Court—with judges appointed from with elsewhere within—lifetime judges appointed from elsewhere within the federal judicial system to oversee surveillance for foreign intelligence purposes that is either aimed at a United States citizen or conducted on the United States’ soil against dealing with the techniques of an—I’m sorry, using the mechanism of a U.S. service provider—a telephone company, internet provider, whatever.

Of course, in 1978 there was no internet so most of that in 1978 was about telephones, and the system that was developed at the time was one that was based on a decision that in order to do the surveillance to the person, the target, had to either be a foreign power—a foreign country—or an agent of a foreign power.

So the classic example of this would be to do this type of foreign intelligence surveillance, say, on an agent—a double agent working on behalf of, say, during the Cold War the Soviet Union and the surveillance could be conducted on the United States person in the United States but subject to a full probable cause warrant just if it had been in a criminal context where there would be a—the completely standard search warrant procedure based on probable cause in accordance with the Fourth Amendment.

That system worked fine until about the early 2000s when the intelligence community complained that because of changes in technology they were now being forced to use the probable cause search warrant mechanism that have been embedded in Title I to now apply to communications of, say, terrorists overseas who happened to be using an American communication infrastructure.

The internet had now come into full existence. People were using WhatsApp, email, et cetera, and in order to undertake the kind of surveillance against the foreigners located overseas who happened to be using American communications infrastructure they were now forced to go through this extensive probable cause mechanism at a time when they often didn’t have probable cause and it was very time consuming.

So Congress in 2008 adopted this new regime allowing electronic surveillance of foreigners located overseas. No American is targeted at all, ever, under Section 702. It is not a domestic surveillance program.

But it allows the United States agencies—the FBI and the CIA—to go to an American communications provider—think of something like Google or Yahoo or Microsoft or whoever, whatever name you want—and go to them with a directive issued pursuant to a legal regime established by the FISC court and say, please turn over the emails or the text messages or the other communications of, again, a foreigner.

So there’s two different sections. One, Title I does require probable cause and a specific individualized warrant against a target. The other is aimed at foreigners who do not enjoy Fourth Amendment protection and does not require that same level of protection. We can get into more details but that’s the essential difference between the two sections.

LAHOOD: Thank you for that, Glenn.

Just as a quick follow-up on that, what other capabilities do we as the U.S. government have to collect this information?

GERSTELL: So that question comes up a lot when people say, well, what if we didn’t have 702, which is essentially what you’re asking, and the answer is there’s a big gap. The reason we have Section 702 is precisely to fill a legal gap where in the absence of Section 702 there’s no mechanism for the United States government to go to communications providers located in the United States and compel them to turn over emails, phone calls, text messages, whatever communications you have.

We don’t have that because the only other mechanism to do so is in the criminal context, nothing to do with FISA, and that’s not available here. So we need some mechanism to do that in accordance with all of these established procedures and oversight that are embodied in Section 702.

So the idea that if we didn’t have 702, oh, well, the United States government could figure out a way to do this is just flatly incorrect.

LAHOOD: Thank you for that, Glenn.

Stewart, I’m going to turn next to you. Obviously, I mentioned in my opening the FBI has been criticized a lot for their role with FISA and that’s—there’s been a lot of that from Republicans, particularly conservative Republicans, and we’ve seen that in a number of FISC opinions that criticize the FBI. We’ve seen that in DOJ oversight as it relates to some of the abuses that have gone on there.

The question is: Is that criticism warranted? And then, secondly: How much of it is a problem of 702 as opposed to FISA?

BAKER: Thank you, and thank you for the Beyond the SCIF initiative because we really needed to try to bring the committee back to a bipartisan core and you’ve done that. You’ve got Republicans and Democrats who are mad at you so I think it’s perfect.

And I should say both Glenn and I as former general counsel of the National Security Agency are here mostly because we spent all our time and all our careers in the government having Congress breathing down NSA’s neck, and so we’re here when at last it’s somebody else’s turn in the barrel.

So it is the FBI, and you need to understand how this got started and why they have a problem. They do have a problem. They have a serious compliance problem but it’s useful to understand why.

When the 702 targets are chosen the FBI gets to participate in that and they get to say, hey, we have an investigation—a domestic investigation or a counterintelligence investigation and there are people abroad who are caught up in that. We suspect them, and we want to make sure that if we already have an investigation that touches on a target who has been selected for a 702 intercept that we can see what is being collected.

And they, therefore, asked to have a special database for themselves of intercepts that relate to predicated investigations they’re already carrying on. So that’s about, I don’t know, 5 (percent), 8 percent of the total intercept database but it is where all of the problems that the FBI has have come from because they wanted that database, obviously, so they could query it, and the Justice Department with some help from the FISA Court said, well, we need to set some standards for when you query it and when you don’t, and they adopted two or three rules.

It needs to be for a proper intelligence purpose, you need to be able to limit the scope of your query, and the query should be likely to produce foreign intelligence. So that was the set of rules that the Justice Department set for the FBI.

The problem with those rules, in my view at least, is they were set up in a way that almost guaranteed violations here because if you say to yourself, I’ve got this database of intercepts, unless you already know that the person you’re asking about is the person that you nominated for the intercepts it’s pretty unlikely that you will be sure this person will have conversations in the database—this U.S. person.

And, yet, from the FBI’s point of view they have big databases that they check all the time to see if there is reason to believe that this person needs to be further investigated for further crimes.

So any number of—let’s take the fingerprint database that the FBI maintains. If they encounter somebody they run those prints. That takes advantage of the database that they’ve got. They don’t usually say, am I going to get foreign intelligence from collecting the—from running these prints. They just want to know who is this person and are they tied to a prior investigation.

So the bureau’s culture is we have this data, we should use it in our investigations, and the rules they were given was don’t use this in your investigation unless you already have reason to believe that there is foreign intelligence about this person in that database.

That’s almost never the case. Ninety-eight (percent), 99 percent of the searches, so the queries that the FBI ran, produced no hits. There was no information. And so they were really—to be candid, they were run on the off chance that something surprising was going to show up that was going to turn out that Congressman LaHood was in touch with some foreign terrorist target.

That was not a highly—a high likelihood event. I’m willing to bet that they checked to see if you were the subject of a hacking attack by a foreign nation that was worried about what you were lobbying for and I hope you were.

But the FBI, understandably, would say, well, it would be a big deal if the person we’re checking on who’s a government official is already talking to foreign terrorist targets and it would be worth knowing if they’re already a target of hacking attacks because we will want to warn them.

The problem is that none of those fit neatly in the rules that the Justice Department and the FISA Court came up with, which meant they were all violations. They were all compliance problems.

I don’t think they were spying on people when they ran those checks any more than you’re spying on somebody when you run their fingerprints through the fingerprint database but they were characterized as improper surveillance and there were millions of violations where people just did a check on the off chance just to see. It would be a big deal if we found out this person was. They almost certainly aren’t but let’s check.

That’s not a proper search under the rules that exist today and consequently the bureau has spent years trying to train FBI agents not to do what comes naturally, which is I have a database—I ought to check to see whether this person is in it before I take action with respect to that person. They are very, very gradually coming around to doing that right but it took an enormous amount of effort.

I do think it led to a real misunderstanding in which the FBI was accused of domestic espionage with respect to all of the people on whom it did the kind of check with let’s just do a better safe than sorry check to see whether this person is targeted or otherwise in touch with foreign targets.

That is the received wisdom and it is a perception that we’re probably not going to overcome. We’re going to need to make sure that the FBI lives with the rules that they may not like, that probably in some cases don’t work very well. But we are—they are the rules. The bureau needs to obey them and a lot of the things that the committee is talking about doing is about saying you are going to obey these rules.

GERSTELL: Can I just add one super quick point just to put context for just ten seconds?

So there are—under this entire 702 program there’s about, roughly, 240,000 foreign targets—240,000 foreigners who last year were the subject of this electronic surveillance and of that the number that Stewart’s referring to—of that total universe of foreign targets only about 3 percent are sent over to the FBI that are the subject of all these querying discussions. That’s about 7,900 last year and the prior years, roughly, comparable numbers. So that’s—just to put that in scale and scope. That’s all.

BAKER: Yeah. And I would add there’s a lot of talk about how this is an abuse and I understand it’s a violation. The 702 database which, remember, is collecting communications not of U.S. persons but of foreigners, is—if you wanted to run a Nixonian program to embarrass your enemies is quite possibly the least useful foreign intelligence program we have because it’s collecting—if it collects something on an American it is random. You cannot do under 702—you can’t say this guy abroad I know he’s talking to this guy so—in the United States so let’s target him so we can pick up his communications with the American. That is not permitted and doesn’t happen very—well, as far as I know doesn’t happen.

And so if you’re trying to think how could this be used to—for abuse and to harm Americans or to assemble some plumbers program it’s a bad program. You’d be much better off doing what a lot of Republicans think was done in 2016 and using Title I which allows you to say this American, everything he says we want to intercept. That’s a powerful program and it needs a lot of care.

LAHOOD: Thank you for that answer, Stewart.

I would just tell you when I was improperly queried my wife’s response was that couldn’t possibly have happened—you’re not that important. (Laughter.)

So, Karen, I’m going to turn to you. As data privacy conversations increase not just domestically but internationally as well the Section 702 discussion receives attention outside of the U.S., specifically concentrating on the EU.

Could you elaborate on the international perspectives when it comes to Section 702?

KORNBLUH: Yeah. Thanks for that question.

I mean, I think it’s really important that we understand that this conversation is happening in an international tinderbox. You know, when I was ambassador in Europe I saw the mistrust that Europeans were increasingly having just over the presence of U.S. internet companies in the economy and culture and so on and then, of course, that exploded with the Snowden revelations, and what became apparent is the U.S.—the leverage that the U.S. has over the infrastructure of the digital economy.

And so now we’ve seen that the highest court in the EU has twice upended transatlantic data agreements and there has been a case brought again against the latest framework that’s been negotiated between the U.S. and the EU and a host of countries are implementing a bunch of data localization requirements because they have become aware that when their citizens’ data is carried over U.S. carriers that it is subject to the kinds of provisions that we’ve heard about.

What they don’t understand is the guardrails that we have, the procedures that we have, and often these protections are put in place ostensibly to protect privacy but really there’s a protectionist element to it. But this provides sort of a fig leaf.

So I think we just have to be really cognizant and really careful. We have this great national security asset that we do have control over so much of this infrastructure, the digital economy. We don’t want to abuse it. We don’t want to appear to abuse it as well for risk of losing it. And so it’s been—the OECD actually itself held a really important breakthrough process where they brought together intelligence community and privacy officials to actually talk to each other and establish what rule of law countries have in common in what they do.

Glenn was on a task force that we convened at GMF, a global task force on trusted data flows that said we should have a procedure, a multi-stakeholder process—the G-7 has already started something like this under their “Data Free Flow With Trust”—to really implement redress mechanisms and so on in a multi-stakeholder multi-country rule of law way so that there can be more assurance among citizens that their data is safe.

LAHOOD: Thank you for that, Karen.

I’m going to move through the next few questions here kind of quickly because we want to get to questions from the audience, but a couple things.

Glenn, I’m going to start with you. There’s a lot of misinformation when it comes to FISA and 702 that’s out there and we deal with that often in Congress. But we often hear about the unconstitutionality of 702 and this has been litigated ad nauseam over the last, you know, twelve, fourteen years.

Can you talk a little bit about that, that argument about it being unconstitutional and what courts have ruled?

GERSTELL: Sure, and I’ll try to keep it brief.

The short answer is I don’t think there’s any serious question about that, which is to say 702 is clearly constitutional. There has not been a single court that has addressed the question head on and said it’s unconstitutional either on its face or as applied.

There have been a number of court cases that have addressed this, three circuit courts in particular. The United States Supreme Court admittedly has not specifically addressed the merits of this so I suppose if you wanted to be super technical you could say, well, the Supreme Court hasn’t issued the definitive word on it.

But it had lots of opportunities, most notably in 2013 in a case called Clapper v. Amnesty International when the Supreme Court did not reach the merits of it but said that the plaintiffs didn’t have standing to raise the question.

But every court that’s looked at it has said it’s constitutional. Congress in 1978 and again in 2008 specifically constructed this mechanism very carefully balanced with rules and regulations and oversight inside the fence, so to speak, of the Fourth Amendment. It doesn’t go beyond the Fourth Amendment for sure and it’s even probably less than what the Fourth Amendment might permit.

So I don’t think there’s any question about the constitutionality of the statute. That isn’t really the subject of the debate this year in Congress. What is a question and I think we’ll get to it is whether or not the FBI can undertake the queries that it does that Stewart was referring to without having a warrant or some other court process and does that implicate the Fourth Amendment, and the short answer is it doesn’t and we can talk about that some more.

But on the face of the question of is 702 constitutional I don’t think there’s any serious legal dispute about it. It is completely constitutional.

LAHOOD: Thanks for that, Glenn.

Stewart, I want to turn to you. We referenced earlier the Carter Page Crossfire Hurricane FISA application and obviously the deficiencies there and how problematic that was when that occurred, and many members of Congress look at what we’re doing through the lens of that. That seems to dominate things.

We had a(n) inspector general report from DOJ that was very critical. That was from Mr. Horowitz. We also had the Durham report which was also very critical on that. Clearly, errors were made and a criminal conviction resulted from this surveillance.

Could you elaborate on these errors and changes made in the wake of this incident?

BAKER: Yeah. So as I said earlier, if you wanted a program to abuse, to attack, Americans with it would be Title I of FISA but, of course, you have to establish that person that you’re abusing is an agent of a foreign power.

That was the accusation against Carter Page and the inspector general showed definitively that corners were cut in every respect in serving that—serving information up to the FISA Court to make that claim and many of the—in fact, since then additional errors have been found. Lies were told in order to justify the pursuit of Carter Page and, you know, through him the entire Trump campaign.

He thought maybe this was just sloppiness that has infected all of FISA but a second review found that in fact most of the FISA stuff was done very carefully. And so it really does have an air of deliberate abuse, a determination at the top of the FBI that by God there was going to be an investigation of the Trump campaign come hell or high water and a lot of corners were cut that should not have been cut.

Similarly, Mike Flynn who, you know, I’m not sure anybody wanted—would have been happy to have him as national security adviser. But he lost that job due to a leak, the only leak that I’m aware of of FISA intercept information that was designed to show that he had lied to someone in the administration about the nature of his conversations with the Russian ambassador.

But, you know, it was clearly a hit job on him—that’s what the leak was designed to do—and a shocking abuse of the surveillance authority of the U.S. So all of those things suggest that we need to be very careful about FISA Title I and your—many of the committee’s proposals designed to say, you know, you can’t use opposition research to make your probable cause claim and you can’t do this for political reasons those things are essential now, I’m sad to say. But I think we are entering a period when we’ve got to be much more careful about partisan abuse of these capabilities.

But I think 702 is getting a bad rap when people say that’s where the problem is. The problem, if there’s a problem, is elsewhere in the intelligence community.

LAHOOD: Thank you for that, Stewart.

Karen, as I mentioned earlier our working group and the Intelligence Committee has cast a wide net in terms of reforms and proposals to fix some of the problems that have been addressed today. We’ve met with lots of outside groups. We’ve met with former members of Congress, people in the Intelligence Committee, to get some of these reform proposals and I discussed some of them earlier.

Could you give an overview on what these—some of these—what these proposals have been?

KORNBLUH: Sure. Sure. Sure.

Well, it seems that if politics makes strange bedfellows so does FISA 702. So you see—on the one hand, you see civil liberties groups, Senator Wyden, and others on a bipartisan basis in the House and the Senate and it seems, perhaps, the chairman—the House chairman of the Judiciary Committee Jim Jordan all urging warrants in the case of U.S. person queries. So that’s been out there.

The PCLOB, the Privacy and Civil Liberties Oversight Board, has also called for warrants although with a lower standard. But on the other hand the administration has said that’s a red line. Chris Wray has said that would be incredibly, incredibly risky.

And as you noted the House report on this issue of U.S. person queries, at least in your report, talks about warrant only for evidence of crime searches—you know, that are only that and then today Senator Warner and fourteen co-sponsors in the Senate—bipartisan—dropped a bill that also zeroes in on the domestic crime provision and just says, you know, you can’t do that, which is the same proposal that the President’s Intelligence Advisory Board had taken.

The other issues—just to go over a few of the big ones—limiting scope of batch queries. A whole bunch of oversight procedures and penalties are being proposed. There’s some difference about how much we want to codify the FBI’s own reforms from 2021—audits, penalties, increasing penalties.

Both the House and Senate proposals would increase the role of amici reps at the FISC, and then the Warner bill has an interesting—this just dropped today—has an interesting provision to have a commission on further reform, which I think is a way of sort of tabling some of this discussion for a later day.

LAHOOD: Perfect. Thank you for that, Karen.

We’re going to next turn to questions. Before I do that, Glenn, I do want to just have you comment on—we’ve talked a lot about U.S. person queries and can you explain why the intelligence community would need to conduct a U.S. person query to begin with?

And then we’ll get to questions.

GERSTELL: Sure. Again, very quickly, most of these questions are about the FBI, not so much the NSA and the CIA, which over the course of last year had just a few thousand situations in which they used a U.S. person’s name to look inside the database—typing in a name to search for a U.S. name.

In the case of the NSA where Stewart and I were general counsel, in order for an NSA person to do that, an analyst to do that, they needed the approval of the general counsel and they had to have a reason—foreign intelligence reason for doing it. Extremely rare.

In the case of the FBI with a dual mission of foreign—both a foreign intelligence-counterintelligence mission as well as a law enforcement mission the FBI has reason to do this. In what circumstances? Lots of them.

I saw them when I was there for five years and worked hand in hand with the FBI. They would have a question about someone was—an American was seen in the company of a, let’s just say, a known Chinese recruiter working for the ministry of state security in Shanghai trying to recruit a defense contractor here in the United States and that person was seen leaving a restaurant.

They don’t have probable cause about it but they might have a tip—a corroborated tip—some reason to believe there’s foreign intelligence information. So they plug in the name of that person to see whether in fact he or she has been in direct communication with a foreign target under 702.

Ransomware. Lots of times when as the FBI gets into a cyber—is invited into a cybersecurity event the company will say here’s a list of information that we believe the hackers were able to obtain or perhaps they’ll—and the FBI in the course of its investigation comes across some information where the hackers have already attacked one hospital in a city, they’ve got a list of the other four hospitals and they want to run—from the FBI’s point of view, want to run the names of the other hospitals to see if there’s a contact there with the ransomware gang located in Eastern Europe or whatever—I’m just making up hypothetical examples—but lots of reasons why from a point of view of national security, cybersecurity, the FBI wants to very quickly determine whether someone about whom there’s some question is in direct contact with a 702 foreign target subject to all these rules and regulations.

But it is of very significant value to the law enforcement and cybersecurity community in particular and, of course, the Foreign Intelligence Committee. So there’s no—I don’t think there’s much question about the value of it. The question is can this be done in a way that’s consistent with our values and rules and compliance problems and that’s the issue. But the value, I think, is quite easily established.

LAHOOD: Thank you for that, Glenn.

We’ll now turn it to the—turn to the audience so Council on Foreign Relations members or others that have questions. I think they have mics for questions from the audience. I guess we’ll start over here.

And if you’ll just announce who you’re with and—your name and who you’re with it’d be great.

Q: Sure. Thank you. It was a great discussion. Very illuminating. Thank you.

I’m Alan Raul from Sidley Austin and I have two questions if time permits. If it doesn’t answer only one of them.

The first is that my understanding is that the FISC—the Foreign Intelligence Surveillance Court’s opinion most recently on 702 it was declassified sometime, I think, in maybe the summer or August. It was issued in April. I think it was Judge Boasberg addressed some of the FBI problems and indicated—one of you mentioned, perhaps Karen, the reforms that the FBI has already instituted.

Apparently, the FISC was satisfied with those reforms. I don’t know that that’s particularly well understood. Those FISC opinions are, one, rather tedious sometimes and they’re all blacked out so they’re not a pleasure to read. Are those reforms robust and, you know, should that be more highly publicized?

And the second question is President Biden issued a signals intelligence executive order. It was issued to provide certain standards and guardrails on signals intelligence. It was issued primarily to satisfy the Europeans, as Karen mentioned, for the new data privacy framework but it also applies to, you know, not with—not simply in the context of data transfers with Europe.

In the support of the reauthorization of 702 this executive order has not been, you know, propounded by witnesses testifying before Congress, et cetera. Is there a role for codifying or incorporating that executive order as part of the reform and reauthorization process?

So pick your question or answer whichever you please.

LAHOOD: Just on your first question and I’ll turn to the panel here, I did read the opinion you referenced that talked about the—critical of the FBI but the reforms put in place.

I think what we’ve done in our reform package have put criminal penalties in place outside of what’s internally done by the FBI. So the FBI has rules internally but some would argue nobody has been held accountable within the FBI for mistakes that were made under Crossfire Hurricane.

Now, you’ll hear something different, I think, from the FBI. They internally do this. But I think from an outside looking in nobody has been held accountable. Nothing has been done. By creating criminal penalties now that action or those actions would rise to a criminal prosecution. Of course, DOJ would have to make that determination and you would be criminally prosecuted outside of the department.

I think if you read the Durham report also they seem to think the rules they had in place need to be enforced. We’re taking those on the outside and making sure they’re properly enforced as part of our initiative and what we’re doing there. I open it up for others to comment.

GERSTELL: Just a quick comment to add to yours.

The opinion that you’re referring to was issued by the then presiding judge of the FISC last April in connection with the annual certification review, and you’re right. The opinion said, and this was from the same judge, Judge Contreras, who a year before had blasted the FBI and said, you’re just making horrible compliance errors one and again; this is really seriously jeopardizing the program, even calling into question the constitutional basis for it because that’s a fact that—in evaluating the totality of circumstances for the constitutionality you look at the level of abuses and protections and the judge was alarmed a year before.

But this new opinion in April of ’23 the presiding judge said there’s very significant improvement inside of the dramatic drop in queries, the new reforms that Director Wray had introduced in late ’21 which took effect during ’22.

So there’s no question that things have improved from the point of view of the FISC’s oversight of the FBI. The debate now is whether that’s sufficient and whether it needs to be locked into place and that’s, of course, what Congress is considering.

KORNBLUH: And one thing that they did say is that these problems were so widespread and persistent that maybe something had to be done to lock them in and they’re still—even when you take the FBI’s own estimates of how many problems they still have it’s still thousands of, you know, noncompliance situations.

So there’s reason for some reform. But totally taking your point, there’s reason for great optimism that these enormous problems can be fixed and some of the fixes are so intuitive and simple that it’s amazing that they hadn’t been done sooner, for instance, forcing somebody to—an FBI official to opt in to choosing to query the database instead of it just automatically being made available to them, or not having a filled out template for their rationale but having to come up with a case-specific reason. So there’s reason for optimism.

LAHOOD: Somebody want to take the signals question? I don’t know. Does—

GERSTELL: Well, the—you’re right. The president has proposed an executive order several months ago earlier this year which would establish—and superseded other prior presidential directives and established a basis for when the United States can engage in electronic surveillance for foreign intelligence purposes.

I think the Intelligence Committee felt very comfortable with that executive order. It did not greatly change things but codified what had been the current practice and put some further limits and restrictions on it.

I, for one, would not object to seeing that executive order—the principles of the executive order codified in a statute. They, of course, could be changed by a future president, and I think it makes sense to codify those principles which I think, as I said, both the intelligence community and the privacy advocates all feel comfortable with.

Some people didn’t feel it went far enough but at least as far as it went I think it made a lot of sense and I would—as I said, I believe that Congress is highly likely to adopt some form of that.

BAKER: And I’m going to say I’m more cautious about that. One of the things that this bill does is it focuses on using 702 to find sources of supply of fentanyl, which is just a staggering problem for the country, and, yeah, when you go back and read the executive order fentanyl doesn’t show up. If you were to—

GERSTELL: But it’s not precluded.

BAKER: Transnational crime like export control violations is highlighted. So it’s the sort of thing where if Congress adopted it and we had a problem that was not quite as close to what was already in the bill as fentanyl is to the transnational crime we would be sitting around for years trying to see whether Congress wanted to expand that authority or not.

I’m just not sure that we want our intelligence programs to wait that long and depend that much on the political winds.

LAHOOD: Next question. Yeah, over here.

Q: Good afternoon. Scott Cooper with the Atlantic Council.

I’m quite pessimistic that we’ll get a renewal. I’m not always a glass half empty person. But I wonder if you could talk about the consequences and implications if we don’t get some kind of 702 renewal by December 31.

BAKER: Let me try that because it is a disaster. Something like 50 (percent), 60 percent of the President’s Daily Brief has intelligence in it that comes from 702 or part of the material that was used to produce it the 702.

You are cutting him off from half of the intelligence that the president thinks is important to see and there is no good substitute for that program. In theory you could probably use more of Title I. But for reasons I’ve already talked about at length more Title I is not a triumph for civil liberties and it is an enormous bureaucratic paperwork burden.

And the reason 702 has turned out to be so valuable is its flexibility, the ability to say I saw something an hour ago—let’s change our targeting and to start gathering intelligence in real time on a new target overseas. You can never do that if you had to go through Title I or if you had to follow even the warrant procedures that are being proposed by some of the critics of the program.

I actually don’t hear anybody on the Hill saying that we should get rid of the program. That doesn’t mean it won’t happen if they can blame somebody else for it dying. But I don’t think there’s going to be somebody who’s going to be bragging about having killed it.

GERSTELL: I would agree with what Stewart said and just add very quickly that I think a year ago had you asked me the question I would have said, gee, I think there’s some sentiment on Capitol Hill to possibly just let the program lapse and not renew it at all. There doesn’t seem to be much upside in voting for this program.

But I think that’s completely changed. I think the administration and your committee in particular has done a—have done a great job in educating members of Congress about the value of the program. So I think if the program were allowed to simply lapse as the President’s Intelligence Advisory Board characterize it as the greatest intelligence failure of our time and that’s from a group that doesn’t normally exaggerate, I think that’s a fair statement.

As Stewart said, Title I is not going to solve the problem. Executive Order 12333, which governs overseas collection, isn’t going to solve the gap. In many cases we will not have probable cause to get a Title I warrant and the area where it’s going to make a huge difference is cybersecurity.

Cybersecurity is—the United States today, the ability to recover—just think it’s already been declassified—the ability to recover the ransom paid in the Colonial Pipelines ransomware—do you remember that incident? All came from 702, and you’re not going to be able to do that kind of thing again.

So there is a transition provision that says for about ninety days, subject to lots of questions, technical questions, the existing statute and existing orders can be allowed to run off. But that’s not a solution. No one wants to play that game with national security.

LAHOOD: I would just add vast areas of our intelligence gathering goes dark and there’s a huge void there. I would also—our allies rely on this program extensively and I don’t think there’s any coincidence that we haven’t had another 9/11 in the last twenty years because of 702. Now, that didn’t go into effect until 2008 but there’s a direct correlation there.

Next question. Yes, sir. Get a—

Q: Thank you. Guillermo Christensen, a partner at K&L Gates and a former CIA fellow at the Council.

Picking up on the revisions to 702 but also what Karen was mentioning about the European concern, there is now a process in place, the Commerce Department negotiating with the EU—with the Commission—to basically provide Europeans with some level of due process almost in the U.S.

I wonder if you could speak about that because it’s a fascinating legal construct but also still open to debate whether the Europeans will think it’s sufficient to allow for data transfers to happen.

BAKER: Well, they signed the deal, but yes, go ahead.

KORNBLUH: Yeah. No, they signed the deal so but I think the political feeling in Europe as well as elsewhere is, you know, as I was saying and as you know very, very suspicious of the U.S. programs, not a clear understanding of the guardrails that we have, not a clear understanding that you just alluded to, that our allies use a lot of this data.

And so the European Court of Justice has repeatedly upended these agreements. But maybe the EO and the changes and the signals intelligence, you know, make the difference this time. We’ll see.

But I do think it would make a difference if we came to some kind of multi-country agreement.

BAKER: It is striking how completely separate those two debates have been. They’re just not talking about the same concerns and they’re on separate negotiating tracks as well.

LAHOOD: Yes, right there.

Q: Hi. Greg Nojeim, Center for Democracy and Technology.

So there were 204,000 U.S. person queries last year and of those 204,000 only sixteen were evidence of crime-only queries. Your bill as described in the report would subject those sixteen out of 204,000 to a warrant requirement and the Senate bill would prohibit them altogether.

Sixteen out of 204,000 isn’t a very good chunk of U.S. person queries to subject to a warrant requirement. It isn’t a good check. So what would you do to subject to additional control those 204,000 queries if not the warrant?

LAHOOD: Well, I think what we’ve put in place with the overall aspect of the reforms is—I think is sufficient to have proper oversight there. I think the added layers of transparency and oversight by the Congress and the intelligence community and I think the abuses that have gone on have raised the level of awareness on that.

So, I mean, I think we are culturally changing things internally to do that, which I think will have an effect. There’s no guarantee. I mean, I think you make a valid point but I think there’s no guarantee.

But I think just what’s been created over the last five years and what we’ve put in place I think will have a real effect. But I’m going to open it up for these guys to comment on that.

BAKER: Very briefly, the idea of having the FISA Court sit in judgment about whether this is a good query or not is not going to be a useful guard against abuse. This is the same FISA Court that approved the Carter Page intercepts four times as the entire bottom fell out of the case.

They’re not in a position to do a lot of second guessing about whether this is a good query or not and so I think it’s much more effective to take the kinds of bureaucratic and focused controls that the committee is talking about where you know as an FBI agent when you sign on to the query that it better work out or you’re going to have some questions to be answering for the next six months.

That’s much more effective than saying here, court, tell me whether you think this query is O.K.

LAHOOD: Two other points on that.

You know, I think the category that I mentioned where independent counsel is going to be appointed by the FISC so if it falls into one of those four categories, which clearly the Crossfire Hurricane would have, in retrospect if a lawyer would have been appointed there, which will under our legislation, it would have never got—it wouldn’t have gone any farther because there would have been scrutiny of everything that was put forth there and that lawyer would scrutinize that.

So, anyway, I think that’s important to note here that those four categories are where a lot of these problematic cases fall into and I think that oversight and that provision, I think, can be very effective.

Yeah, in front here. Maybe have time for one more here.

Q: Thank you very much. Fascinating and important conversation. Massimo Calabresi from Time magazine.

We’ve addressed this, it seems to me, very much in the context of goodwill, good faith, by all the actors. We have a presidential candidate who has declared his intention to use all of the powers of government at his disposal if he becomes president for retributive means up to and including all of the things that have been done against him, given that Stewart said the attitude at the FBI was by God we’re going to have a political investigation of the Trump campaign.

What happens in the context of a second presidency of Donald Trump absent your reforms?

LAHOOD: Well, I think we are going to have the reforms. I think there’s been too much work put into this and I think we’ll have a reauthorization in some form to what we put forth there. I would also just state President Trump signed the last FISA reauthorization. So five years ago that was signed and put in place.

Again, our role as part of the Intelligence Committee and Oversight is to fix what’s been a problem over the last five years. We’ve done that. I think we’re going to get it done this year and that will be in place for the next five years.

By the way, the Senate bill calls for a twelve-year extension. Ours is for a five-year extension in the House bill.

Well, I think that concludes our questions. Please join me in thanking our panel for their wonderful testimony here today. (Applause.)

Thank you, and thank all of you for being here today. Enjoyed it.

(END)