As almost every chief compliance officer would attest, technology is both a risk and a benefit. But beneath the surface of that maxim lies an even greater truth: Changes in technology often carry the most risk.
The National Security Agency is increasingly leveraging technology throughout its compliance program, which allows us to augment — not wholly replace — human safeguards. We use technology to maintain the continuity of our external authorizations, from signed paperwork down to the bits and bytes. We also use technology to record and review our activities, making sure that we follow the laws and policies that guide NSA’s operations. Sometimes, where appropriate, we even embed legal and policy guidance directly into our IT architecture.
Implementing overlapping safeguards is almost always a good thing in this arena. And technology is a huge multiplier in the agency’s compliance program, for quality control and for the good of the nation.
Before I discuss how changes in technology can affect compliance, I’m compelled to explain, generally, how NSA’s operational activities are governed. If the process were a sewing needle, it would have to be threaded at least four times before the first stitch — and this process would often repeat itself.
Like all government agencies, NSA’s activities are governed by external authorizations. Often, the first step in obtaining such authorizations is for NSA to describe proposals to its overseers. Not surprisingly, this requires us to explain the relevant technology as well as its anticipated interaction with the global technology environment. We must also discuss how the proposed activities would advance national security without sacrificing privacy protections.
Next, external entities — such as the Justice Department, the Office of the Director of National Intelligence and the Foreign Intelligence Surveillance Court — review and, as appropriate, approve proposed activities and the procedures that NSA must follow.
After that, the agency’s compliance program works to keep employees, operations and technology aligned with these procedures, through change and over time.
Finally, NSA has internal and external oversight mechanisms that evaluate its compliance with the specific procedures in the context of the initial descriptions that led to them. This oversight — some of which is constant, some periodic — includes everything from in-person reviews to written reports.
For NSA, being “compliant” means threading the needle through all four stages. At any of these points, changes in technology certainly may compound risk. It’s no secret that technology can rapidly transform or shift, and NSA constantly interacts with all three branches of the federal government at various stages of the process described above.
Our initial descriptions must be accurate. The prescribed specific procedures must incorporate those descriptions, whether explicitly or implicitly. Our implementation must be consistent. And when we are evaluated, we must verify that it all worked according to plan — through any changes and over time.
The authorities, laws and policies we operate under are a sacred trust between the nation and NSA. We treat compliance with the same respect. We’re charged with delivering national security, but not at any price.
A compliance program that is well designed and implemented can adapt to today’s technology. To be sure, there are numerous best practices and tools in the compliance toolkit that make it possible.
In the national security context, with the four-stage process described above, there is an even greater responsibility to operate with rigor, accuracy and precision: It’s not just technology itself but the interplay between the process and constantly changing technology that keeps compliance personnel — and everyone else at NSA — ever vigilant.