Sen Richard Burr (R-NC), the new chair of the Senate Select Intelligence Committee, has announced that he plans to hold a public committee hearing this afternoon. This is welcome news. Burr, who took the committee’s helm in January, had previously said that he intended to whittle down the already slim number of open hearings.
Burr has invited Nicholas Rasmussen, the director of the National Counterterrorism Center (NCTC), to address the committee. The NCTC typically only testifies once a year in open hearings before the Senate Intelligence Committee, when presenting the annual threat assessment, which offers an overview of potential threats to the United States and overseas. In light of the expansion of the NCTC’s authority, and the coming cyber threat center, Burr and his colleagues should take the opportunity this afternoon to ask Rasmussen some essential questions about the operations of the NCTC itself.
The NCTC was established as a result of a recommendation in the 9/11 Commission Report. The Commission had proposed the creation of a new center to combat the shoddy information-sharing that had undermined the government’s law enforcement and intelligence capabilities in the months leading up to the September 11 attacks. The Center, which is part of the Office of the Director of National Intelligence (ODNI), is the central repository for all terrorism-related information. It gets data from all 17 agencies that make up the United States Intelligence Community (IC), including the National Security Agency, CIA, FBI, Department of Homeland Security, and ODNI.
Four years after the NCTC was founded, the Attorney General and the Director of National Intelligence issued guidelines governing how the Center could access other agencies’ databanks to try to tease out information that could be related to terror threats. The guidelines authorized the NCTC to copy entire datasets from other federal agencies, but the Center had to exclude or remove all non-terrorism information about Americans. Any non-terrorism information that slipped through had to be deleted within six months, and the data couldn’t be shared or used in the meantime.
In 2012, however, the NCTC’s authority was significantly expanded. New guidelines enabled the Center to keep all of the information in any “bulk” database it acquires, including non-terrorism information about Americans. It can “retain and continually access” that information for up to five years — ten times longer than the previous limit. And the NCTC can use the information to monitor Americans’ First Amendment-protected activities as long as that’s not the sole reason for using the data.
Interestingly, just as the IC is reportedly criticizing the NCTC’s redundant, middle management role, the White House has decided to institute a second information-sharing center focusing on cybersecurity, the Cyber Threat Intelligence Integration Center.
The key questions
What important successes has the NCTC had? Can it point to plots that it has helped thwart or investigations it has significantly aided? The NCTC came under sharp criticism for failing to uncover two major incidents in 2009: the shootings by Nidal Hasan at the Fort Hood Army Base, and a Nigerian national’s Christmas Day attempt to light a bomb in his underwear on a flight to Detroit, Michigan. Both the White House and the Senate Intelligence Committee pointed fingers at the NCTC, noting that it had failed to connect the dots and that its analysts had failed to search the available databases for relevant information. Has the NCTC instituted any changes (other than the revised guidelines) since the underwear bomber incident?
How has the NCTC used its expanded authority to access and keep non-terrorism–related information about Americans? How many databases — if any — has it acquired, and how often has it accessed the information inside? The NCTC can also make queries into agencies’ databases, instead of obtaining the databases themselves. How often has it used this less intrusive authority, and what factors guide its decision to use one type of access over another?
Can the NCTC representatives cite circumstances in which its new five-year retention authority has allowed it to access or use critical information that would have been otherwise unavailable? Would that information have been accessible in other agency databases and available for querying? Databases of information about Americans are tempting targets for malefactors both within the government and outside it, including hackers and foreign governments. Do the benefits of retaining this information for a longer period outweigh the risks?
How does the NCTC answer criticism from within the IC that it is too big and unwieldy? Because the intelligence budget is classified, there is little public information about how many personnel work at the NCTC or how much funding it receives, so it is hard to assess this claim. But IC agencies have a tendency to grow larger and larger with little oversight; how does the NCTC keep its scope scaled?
And finally, a question for the committee itself: what kind of oversight will it exercise over the new cybersecurity threat center to ensure that it contributes to online security, uses taxpayers’ money effectively, and stays out of Americans’ data — and will the NCTC be a model or a cautionary tale for that goal?
I laud Burr’s commitment to hold regular open hearings to educate the public, and his Congressional colleagues who don’t serve on the intelligence committee, about the workings of the intelligence agencies. I hope that he will take significant time to find out whether the NCTC is truly serving the purpose for which it was established.