Source The Justice Department
I’ve been in this job, leading the National Security Division, for just over a year. But I’ve worked in national security for much of my career.
People often ask: What keeps you up at night? And usually that’s a hard question for me to answer — we face such a wide range of threats from nation-state adversaries, terrorists, and malicious cyber actors. And those threats are constantly evolving — it’s difficult to point to just one.
But right now, I can answer that question without hesitation. What keeps me up at night is thinking about what will happen if we fail to renew Section 702 of FISA. This law will expire on December 31st of this year if Congress doesn’t act to reauthorize it. If 702 expires or is watered down, the United States will lose critical insights we need to protect the country.
Section 702 is the law that enables the U.S. government to obtain uniquely valuable intelligence by targeting non-Americans overseas, who are using U.S.-based communications services. Its value cannot be overstated. Without 702, we will lose indispensable intelligence for our decision makers and warfighters, as well as those of our allies. And we have no fallback authority that could come close to making up for that loss.
That is why this morning the Attorney General and the Director of National Intelligence sent a letter urging Congress to swiftly reauthorize 702, emphasizing that there is simply no way to replicate 702’s speed, reliability, and insight.
Section 702 enables the United States government to gain intelligence about our most pressing threats. Today, we are relentlessly focused on serious threats, such as:
- The Chinese government’s efforts to spy on us and steal our technology;
- Iran’s sanctions evasions;
- North Korea’s nuclear program; and
- Russia’s invasion of Ukraine.
Let me stress the point about the threat we face from China, in particular. At this moment, when China is ramping up its aggressive efforts to spy on Americans, it would be a grievous mistake to blind ourselves to that threat by allowing this critical authority to expire.
The bottom line is that Section 702 gives us the intelligence necessary to stay one step ahead of our adversaries. We cannot afford to allow it to lapse. And it is too important to the interests of the U.S. and our allies — and to our basic safety — to wait for the 11th hour to do so.
So, it is time to sound the alarm. We must act with urgency. Both the intelligence and law enforcement communities must partner with Congress. And we must make the case to the American people directly.
I see the urgency of this moment in my current position. But I also recognize the critical value of 702 from nearly two decades working in national security at DOJ and in the Intelligence Community. As a lawyer in the Justice Department and the FBI in the years after 9/11, I saw how the statutory framework that existed before 702 couldn’t keep pace with evolving technologies and dynamic threats.
When I first came to NSD in 2008, I was part of the team that helped craft Section 702. I went on to become the General Counsel at NSA where I oversaw NSA’s implementation of 702 and saw, in practice, both the power of 702 as a collection tool and the rigor of the oversight procedures that are built into it.
In my time as the Director of the National Counterterrorism Center, I benefited from 702 as an intelligence consumer — nearly every day it provided key insights that supported our ability to combat terrorism, al-Qaeda and ISIS in particular.
Section 702 has faced a sunset twice in the past decade. Both times Congress voted to reauthorize it, with strong bipartisan support. While 702 is more essential than ever before, the broad, bipartisan consensus supporting this, and other national security authorities, has frayed in recent years.
If we are going to preserve this vital tool, it is incumbent on the government to do more than just demonstrate that 702 is immensely important to national security. We must also earn and sustain the trust of the American public and demonstrate how the intelligence and law enforcement communities strive to uphold the confidence placed in our institutions.
The good news is that, at its core, FISA’s privacy and oversight framework is designed to sustain public confidence through rigorous, regular scrutiny by all three branches of government. FISA was created to constrain government surveillance activity in response to concerns about surveillance abuse. When Congress enacted the original FISA in 1978 — in response to the landmark Church Committee report — it marked the first time that the government’s surveillance for foreign intelligence was subject to affirmative judicial review. This was unprecedented, not just in the United States, but anywhere.
In the 45 years since its enactment, FISA has proven remarkably durable. Its basic structure has effectively balanced operational needs with requirements to obtain court authorization and congressional approval. And, when necessary, Congress has amended the law to account for changes in technology and to enhance privacy and oversight.
Section 702 was the product of one such amendment. When FISA was originally passed, Congress intended for the law to regulate surveillance activities conducted within the United States. But with the advent of the internet, and as the technology supporting international communications evolved, FISA’s terms required the government to seek individualized court orders, even when the target of the collection was a foreign person based overseas. This situation became increasingly untenable in the aftermath of 9/11, as the government ramped up efforts to dismantle al-Qaeda and disrupt foreign terrorist plots. I saw this firsthand as an official in the newly created National Security Division.
Here was the problem: NSA would be tracking a possible terrorist located overseas — not a U.S. citizen and not someone located inside the U.S. — who happened to be using a U.S. email service provider. Because that provider was based in the U.S., traditional FISA requirements meant we had to establish probable cause that the possible terrorist was an “agent of a foreign power” before we could get access to their communications.
That wasn’t operationally feasible. Often, we simply didn’t know enough about the overseas individual to make that kind of showing. Even in cases where we could get enough information, the process of obtaining individual court orders each time took too long, often requiring months of effort — it’s simply not something we can do at operational speed, let alone at the speed required to disrupt a cyber-attack.
This is not what Congress had intended. And this arrangement made no sense as a constitutional matter. Probable cause is a standard that protects the rights of Americans and others inside this country. But the Supreme Court has long held that the Fourth Amendment doesn’t apply to non-U.S. persons who are outside the U.S.
We needed to update FISA to reflect the legal and technological reality and nature of the threats, while protecting the rights of Americans. Section 702 was the solution.
This is the key point: Section 702 only authorizes intelligence collection targeting non-U.S. persons who are outside the United States. In such cases, 702 provides the legal framework for the government to compel assistance from U.S. electronic communications service providers.
Section 702 strikes a balance. The government is not required to obtain court orders for each target. But the program is subject to judicial approval and oversight: The FISA court’s review ensures (1) that collection under 702 is reasonably designed to target only non-U.S. persons overseas; (2) that it is tailored to specific intelligence needs; and (3) that it is consistent with the Constitution. In fact, every court, including the FISA court, that has looked at 702 has found it constitutional.
And there are strict limits on handling any information that is incidentally collected about U.S. persons. Section 702 prohibits the intentional collection of U.S. person communications. And U.S. person information can only be incidentally collected under 702 in one of two ways: first, when a foreign target overseas is in touch with a U.S. person; or second, when two foreigners overseas, one of whom is a target, discuss a U.S. person during their communications.
This framework has worked effectively over the years. In the 15 years since enactment, Section 702 has become the Intelligence Community’s most valuable national security legal tool. And we must retain it to confront the evolving threats we will be facing ahead.
Let me offer some hypothetical future scenarios in which 702 could prove critical:
- Suppose the FBI gets information that an individual overseas appears to be recruiting employees of a U.S. semiconductor company — possibly for the purpose of gaining access to sensitive U.S. technology for military uses. An FBI analyst could target the overseas individual’s email under 702 to help us figure out what technology they may have taken and whether it is being used to advance another country’s military.
- Or suppose a foreign partner tells us that an overseas individual is attempting to sell weapons to a rogue nation under U.S. sanctions. Under 702 — consistent with court-authorized procedures — we could move quickly to acquire that individual’s communications to gather more intelligence about his activities and who he’s dealing with, even if there was not probable cause to show that he was acting as an agent of a foreign power.
- Finally, suppose a foreign partner captures a terrorist on the battlefield — and shares a list of email address from the militant’s phone. With this information, intelligence analysts could use 702 to gain insights about the other overseas individuals in the militant’s network to disrupt ongoing plots.
In each example, Section 702 could provide the critical intelligence early in an investigation that is necessary to follow leads and get more information. And in each example, it would be either impractical or impossible to seek an individualized court order based on probable cause.
I can also give you a few real-world examples. Famously, 702 was used to foil an active plot in 2009 to bomb the New York City subway. NSA analysts relied on Section 702 to target an email address used by a suspected al-Qaeda courier in Pakistan and discovered a message sent by someone in the U.S. seeking advice about making explosives. The FBI identified that person as Najibullah Zazi and was able to disrupt his plot in time to save countless lives.
And just last summer, 702 collection contributed to the successful operation against Ayman al-Zawahiri, who had served as al-Qaeda’s leader since Osama bin Laden’s death.
702 has also played a key role in countering threats from China — as well as Russia, Iran, and North Korea. We have used it to identify and disrupt hostile foreign actors’ attempts to recruit spies or send their operatives to the U.S. We’ve relied on 702 to mitigate and prevent foreign ransomware attacks on U.S. critical infrastructure. We’ve also used 702 to get information on efforts to evade U.S. sanctions, enabling us to prevent components for weapons of mass destruction from reaching foreign actors.
In short, this is a tremendously powerful legal tool. Which makes it all the more critical that we maintain the trust and confidence of Congress and the American people. This is the challenge we face today.
We build trust through judicial and congressional oversight, as well as our own oversight and accountability mechanisms within the executive branch. And by being as transparent as possible about how the law is used and when we make mistakes.
Agencies that use 702 have internal compliance processes, and DOJ and ODNI conduct independent oversight to assess collection decisions, review queries, examine disseminations of Section 702 intelligence that may contain U.S. person information, and address incidents of non-compliance so that we don’t repeat them. The oversight attorneys in NSD review every single targeting decision — 100 percent of them.
Still, in recent years, the Justice Department and ODNI have found serious compliance issues with the FBI’s queries of FISA collection for information about U.S. persons. Those problems were reported to the FISC and Congress, and the court has described them in public opinions.
I want to talk more about those issues now.
Every compliance incident matters, of course, but incidents involving U.S. person information are especially damaging to public trust. Congress authorized the government to collect foreign intelligence under Section 702 without obtaining individual court orders because 702 targets non-U.S. persons who are outside the United States. While the Intelligence Community has collected the foreign intelligence information because of the need to protect national security, we still need strong guardrails when the Intelligence Community searches this data for information about Americans.
To be clear, it is critically important that the government is able to do exactly that. When we examine 702 information using query terms associated with U.S. persons, we are often trying to identify U.S. person victims of foreign hacking or spying. That’s what lets us warn and protect them. If we are to keep protecting Americans from escalating cyber and espionage threats, we need to maintain the capacity to conduct U.S. person queries. This is especially true for the FBI, which is responsible for protecting the homeland from national security threats emanating from overseas.
The Zazi example I mentioned earlier shows how important it is that we can connect the dots between foreign-based threats and individuals in the U.S. That was a key lesson of 9/11, and we can’t forget it.
Here are a couple of additional hypotheticals:
- Suppose a Chinese citizen overseas is suspected based on intelligence reporting of plotting to assault dissidents living in the U.S., who are speaking out against the PRC government. The investigation reveals that the Chinese citizen is in frequent contact with an associate in the U.S. Again, at this very early stage of an investigation, FBI analysts are likely to want to query 702 information — data that has been lawfully collected — using the name of this U.S.-based associate.
- Or, to give another scenario: suppose the FBI learns that a foreign actor has hacked into an American energy company and exfiltrated data. The FBI may want to immediately query 702 data, using the company’s name or other U.S. person information, to figure out the scope of the breach, what happened to the data, and whether there were other U.S. victims.
This is logical and lawful investigative activity. It also directly implicates the rights of Americans and so we need to be exceptionally careful. Unfortunately, in this highly sensitive area, we’ve made mistakes in recent years that have undermined trust.
Many of those mistakes resulted from misunderstandings by FBI personnel about the rules governing U.S. person queries. In other instances, FBI personnel queried raw Section 702 information inadvertently, without realizing that the 702 dataset was included in the query as a default.
Understanding that context is important to fixing the issues, but at the end of the day, these mistakes are not acceptable. They aren’t acceptable to us, are not acceptable to the court or Congress, and not acceptable to the public. Nor should they be.
We knew we had work to do. So, we’ve implemented key reforms including:
- Changing default settings in FBI systems so that you must affirmatively “opt in” to query 702 information;
- Requiring FBI personnel to record specific, written justifications before accessing 702 information from a U.S. person query;
- Imposing pre-approval requirements for certain types of sensitive U.S. person or large-scale questions; and
- Improving guidance and training.
We are already seeing concrete improvements as a result of these efforts. There has been a dramatic decrease in the total number of U.S. person queries since the FBI adopted these reforms in 2021, along with a significant reduction in the number of inadvertent queries of 702 data. And we’ve made these advances, without undermining the value of Section 702.
But I want to be clear, this is about more than just imposing a checklist of new requirements.
Our fundamental task is to ensure that we are building a culture of compliance—a culture that recognizes the harm caused by even the smallest mistakes. Of course, there are going to be compliance incidents in a complex system, involving human beings, trying to work on tremendously difficult problems under time pressure. But the reality is that every mistake undermines public trust and confidence in how we use these tools.
Here’s the key point for me: all of us in these jobs need to recognize that the American people are entrusting us with the immense responsibility of keeping them safe and protecting their liberties. Speaking personally, I feel honored by that, and I feel the weight of that responsibility. I know my colleagues in the FBI and across the Intelligence Community approach their jobs in exactly the same way. Just as we are determined to protect the American people, and to defend our Constitution, so too are we determined to be worthy of the trust placed in us every day.
The stakes are so high. Repressive and authoritarian regimes, like China, Russia, North Korea, and Iran pose a range of threats to our country and our allies, while terrorist groups continue to plot violent attacks in secret. These are not just threats to our safety, but threats to our freedoms and democracy and to fundamental American values around the world.
Against this backdrop, renewing 702 is a national security imperative. That’s really beyond dispute. And going forward this year, we share the responsibility with Congress to preserve it. This requires us to be strong partners with Congress and to be as transparent as possible with the American people. Welcoming hard questions; being open and candid about our mistakes, even as we’re relentlessly determined to fix them; and fulfilling our role as stewards of the public’s trust.
This is what the American people expect and deserve.