U.S. Cloud Services Companies Are Paying Dearly for NSA Leaks

Edward Snowden’s leaks about National Security Agency surveillance practices have had a profound effect on the U.S. cloud computing industry.  Experts disagree on the long-term harm to U.S. companies, but recent projections are for $22 billion or more in lost revenue over the next three years.  The harm comes largely from backlash over the perceived complicity of U.S. technology companies with NSA operations.  That U.S. companies will suffer harm this significant as a result of U.S. government activities raises important questions about U.S. decision-making.  In particular, have economic issues, including the competitiveness of U.S. industry and the health of the Internet economy received enough attention in decisions about surveillance?  The answer appears to be no.

The key problem is the lack of an established process for economic input at the level of most day-to-day surveillance decisions.  There is such a process for high-level national security decisions.  In the Obama administration the process is set out in Presidential Policy Directive 1 (PPD-1), which provides a relatively formal mechanism for senior government officials considering national security matters.  It is not always clean – there can be informal discussions and side meetings that feed into decision making – but, on the whole, it works.  And although national security concerns predominate, if there is an issue with economic implications,  officials from the White House, Treasury Department, Commerce Department and other agencies can air their concerns and be sure the President will hear them.

But this process applies only to policy, strategy, and operational issues that make their way to the White House for decision.  This will sometimes include surveillance policy, but it does not, nor should it, include decisions on all technical or operational matters.  These decisions – many of which have great potential economic significance, such as how to implement NSA authority, what technology to employ, what targets to choose – are made at the NSA.

The challenge, then, is how to ensure consideration of economic concerns at the operational level.  Unlike the consideration of privacy issues, which is now built into NSA decision making, there is no established process for economic input.  And the NSA itself does not have deep institutional expertise on U.S. competitiveness issues.  One reason for this may be the long-standing U.S. policy that we will not engage in “economic espionage.” That is, U.S. intelligence agencies may collect economic information, but they will not share that information with U.S. companies for commercial or competitiveness purposes.  Therefore, NSA has had little incentive to develop a deep understanding of economic and competitiveness concerns.

In addition, the kind of harm to cloud industry competitiveness that we are seeing now arose only when the public became aware of the ways in which NSA interacts with technology companies.  The competitive standing of the technology industry would have been unaffected as long as NSA’s practices remained secret.  Rightly or wrongly, it seems likely, that NSA never contemplated a leak on the Snowden scale and did not weigh heavily the risk of such exposure in its surveillance decision making.

As mentioned above, it is different for privacy issues.  Privacy concerns are no more a natural subject of expertise for those in the intelligence community than economic issues.  But privacy is explicitly and consistently a part of surveillance decision making at every level.  People can (and do) disagree with the results of some of this decision making, but they cannot seriously dispute that privacy is integral to the surveillance conversation at NSA.  This did not happen naturally or quickly.  It began after the wrenching revelations of privacy abuses in the 1970s and the passage of the Foreign Intelligence Surveillance Act.  It has developed since as internal oversight at NSA has increased in sophistication, as has oversight from the Justice Department and, later, the Office of the Director of National Intelligence.  It will no doubt continue to evolve post-Snowden.

The wrenching experience of the Snowden revelations and their effect on the Internet economy and the competitiveness of a key U.S. industry should provide the same kind of spur.  NSA must now assume that some portion of its operations will leak.  The impact of those operations on the realities of the Internet and cloud economy has to be part of the internal debate when making surveillance decisions.  There are plenty of challenges to doing this.  For one thing, the U.S. technology industry is diffuse and there may be no one, inside or out of the U.S. government who can fully and coherently articulate its concerns.  But some basic issues – like the fact that appearing to be a tool of U.S. intelligence is bad for business – are fairly clear.  NSA must increase its own expertise on these matters and, perhaps, find a way to include cleared representatives from U.S. economic agencies in its day-to-day surveillance discussions.  In any event, NSA decision making will have to adjust to include greater sensitivity to these economic concerns. 

Mary DeRosa was deputy assistant and deputy counsel to the president and National Security Council Legal Advisor in the Barack Obama administration.  She is currently a senior adviser to The Chertoff Group and a distinguished professor from practice at Georgetown Law School.