
For the first time in its operational history, FI…
Loading summary
A
Section 702 lapsed last month. So what does that mean for cybersecurity and national security? We'll talk to one of the foremost experts on it on this episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at cyberscoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats while also taking you behind the scenes of the biggest stories in cybersecurity. An attack is coming. It's about keeping us safe. He's just a disgruntled hacker.
B
She's a super hacker. Stay alert. Stay safe.
C
Stay safe.
A
This is Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment, we're going to be talking with Glenn Gerstel, the former general counsel for the NSA and a senior advisor at CSIS and one of the foremost experts on Section 702. If you've been following some of the noise in Congress around this, it's been a topsy survey time for 7 02. It did actually lapse last month and there's been a lot of talk about what that means moving forward. We talked with Glenn about it in this week's interview segment, but first talking with Derek Johnson, reporter for cyberscoop. Derek had a really interesting story that looked at what Secretaries of state, State are doing in the lead up to the 2026 election. And Derek, I gotta say, I'm not jealous of the just operating segment that they're in right now. It's a tough time to be a secretary of state.
C
Yeah. And you know, this is something that I have been doing since I've been covering elections. And usually in the lead up to, in a particular election, there's usually kind of one threat that people are focusing on that states are focusing on more than others. And I know in 2018 and 2020 it was foreign interference. It was AI for, you know, 2024. And this time around it's just a very different vibe where a lot of that stuff is now. Things like foreign interference are now kind of in the background as the states are in pretty open conflict with the federal government over, over running elections.
A
You could say the 2026 threat is the possibility of federal legal problems which we did not see coming now.
C
Yes. And, and it's always good to kind of talk about these things. I'll say. Elections, elections can be very unpredictable. Sometimes you end up fighting the last battle and then it ends up being something that you're you're not expecting, but, you know, if you just look. I spoke to Secretary of State Adrian from Arizona, swing state, home to Maricopa county, which is the second largest, I believe, electoral county in the nation. And I also spoke with Tobias Reed, the Oregon Secretary of State, which is a blue state that is never in play, is ne, has an entirely Democratic caucus, and yet they have received letters from the Department of Justice, essentially saying that they're on notice that they're looking to potentially prosecute them for election fraud, presumably against Republicans. So.
A
And before we dive into all the things you just talked about there, I think the one thing to bring up here is that continually across the board with the Secretaries of state that you talked with, they said that SZA has been a ghost and that that has been really different compared to elections over the past few years.
C
Yeah. And, you know, this is something that I've heard. This is not something, this is not the first time that I've heard that. This is something that's been pretty consistent throughout the Trump administration. Sisa, for its part, still talks the talk. Like when they, they gave us a statement that was essentially pushing back on this idea that they're not doing vulnerability assessments. I know that when they've gone up to the Hill and folks asked about their election security mission, they talk about it like it's all, all, you know, full speed ahead and everything's active. You talk to state secretaries of state and folks who have long established relationships with the Department of Homeland Security and cisa, and, you know, they tell you it's not on their, it's not on their radar, and they're not getting nearly the amount of support that they did in previous cycles. And now, because of the current dynamic between the federal government and the, the states, some of them are questioning whether they even want that kind of help and support. Because why would you want a federal agency to come in and look at cyber security vulnerabilities when the federal government is, is accusing you of being lax on election security and letting voter fraud happen? So it's, it's, it's a really tough position to be in as a state or local jurisdiction.
A
So given that tough position, I know you highlighted this in your story in that the Secretaries of state feel that they're not getting the right amount of intel or just help from the federal government, so they've created their own networks themselves.
C
Yeah. And this is something, you know, I mean, before the federal government really got involved in elections as critical infrastructure, you know, states were largely doing a lot of this stuff on their own. Now, the threat landscape has completely changed. I think over the last decade. Things like cyber security and cyber threats and foreign influence operations have become more common. But a lot of those muscle memories can, a lot of those, that muscle memory between the states can still go on even if there isn't a federal partner involved. But, you know, the Arizona Police Department or, you know, whatever they got is not going to have insights into what Iran is doing this year. Like, they're not going to have fresh intelligence from signals intelligence from the NSA that indicates that Russia is planning to do X. Right. And so there are certain aspects that they're not going to have. There are going to be a lot of places that don't have the technical expertise to even prepare for something like that. And so they're doing, states are doing what they can in that gap and there are other channels and partnerships. But there is really no replacing the role that the federal government can play as a partner in terms of elections.
A
And also sort of switching gears with some of the other conversations that you had with secretaries of state is they
C
are really
A
emphasizing the safety of mail in ballots, which comes at a time when the President himself, especially with what is happening with the Department of Justice and the save by bill, like a lot of what the federal government is doing right now under the direction of the president, is really targeting mail in balloting and calling it into question when the secretaries of state are trying to go above and beyond to say that is false. You can believe in this and you should actually trust more so than anything else. The process that we have set up for the mail in ballots, I believe it was the Oregon Secretary of State that you talked to that was rolling
C
out some sort of digital companion tracking system.
A
Yes. Yeah.
C
Well, what I would say on mail balloting is, you know, I actually don't know that states are super excited about mail in ballots this election cycle.
A
Okay.
C
And that's for a lot of reasons. Right. And, and a big reason is because the USPS is under the control of the federal government and they're. The Trump administration has done a lot of things, including executive orders that have really tried to put USPS in the driver's seat in terms of who gets mail in ballots and who doesn't. Which courts have thrown that out and been illegal. But you know, I talked to, to Secretary Reid and some other folks who said, yeah, I mean, whereas in the past we would have been unreservedly recommending things like mail in ballots, now we're telling people use a Dropbox like don't you don't put your franchise in the, in the hands of, of the usps, which is a huge change from what we've heard in previous years. And it's a direct result of the lack of trust that now exists between the federal government and states.
A
Really interesting times, especially with what we're seeing, how all of this is really connected with the election security. And we're seeing Acting Director of National Intelligence Bill Polt be pulled in on a lot of this and how the President is really holding up a lot of legislation that has nothing to do with things that we cover. But everything is being attached to the Save America act, which you've written about extensively, and it doesn't seem like it would hold up to legal scrutiny the minute that something like that was passed. It's just such a fraught time that I really think that and to the audience I'm speaking to you is that the perspectives here on how much really goes on outside of the federal government when it comes to election, on election security, it's really important to understand that it's not just a federal, a federal thing. The states really have the, the power here.
C
Yeah. And that's been, I mean, I think the, the through line that we've seen through the courts has been a really upholding this pretty sort of clear and simple sentence in the Constitution about how elections get run outside of the Supreme Court where the decisions have been more narrow. The lower courts have been pretty consistent on that front and I expect that to largely hold at least at the lower court level through this year.
A
Great. Derek, as always, appreciate your insights on this. Thanks for joining the program.
C
Thank you.
A
All right, and now to our interview segment this week. And in studio we have former NSA general counsel and senior advisor at the center for Strategic and International Studies, Glenn Gerstel. Glenn, thanks for joining us. Very interesting time for you to be joining us given that FISA has been one of the big political footballs in Congress and we saw in June that there was a lapse in fisa and everybody has kind of been like, okay, well there's a new paradigm here now and what exactly is that paradigm? So you're obviously one of the foremost experts on this. Where do we sit right now? What's, what's the lay of the land when it comes to fisa?
B
Well, first, Greg, thanks for having me on your great podcast. I'm a big fan of it. Second, you're right, it's a political football. But you know what? It's always been. And let's maybe just take a step back for some of your audience that isn't totally familiar with all the details here. We're Talking about section 702 of the Foreign Intelligence Surveillance act, which was added in 2008 when the technology changed in the intelligence community, instead of spying on telephone calls overseas by satellites, recognized that the Internet was the main way of communicating with emails, et cetera. And so the law changed to allow the US Government under court approved procedures to go to communications providers in the United States, telecom companies or Internet providers, and say to them, turn over the information you have on a foreigner. Only foreigners can be targeted under section 702. Let's be crystal clear. There's not been a case of targeting US People. There are other sections of FISA that do target US people, but that's pursuant to a separate search warrant procedure, et cetera. And 702 is a streamlined version of enabling the United States government to target foreigners residing overseas. And wrinkle is if a foreigner, foreign citizen happens to be in the United States at the time, 702 doesn't apply because the Fourth Amendment says that anyone in the United States, whether legally or illegally in the United States gets the full protection of the Fourth Amendment. So anyway, so that's what, that's what Section 702 does. It allows the government to target foreigners and get their voice calls, emails, some other things that haven't been fully declassified as what? But essentially they're electronic. It's proven incredibly invaluable in this counterterrorism effort, including the cybersecurity effort, in the anti proliferation effort. Ever since the statute was adopted. It's been adopted with declining majorities in Congress, bipartisan, but declining. And most of that has to do with the fact that the Federal Bureau of Investigation, which has dual capacity, dual enforcement capacity, law enforcement capacity, as well as an intelligence function, unlike the other agencies, has the ability to go back and look at its historical database of collected information against these foreign targets, some of whom talk to Americans and search that database for Americans information. And while that wasn't the intent of the statute, that's a byproduct, an inevitable byproduct of the statute. And that's been the nub of the controversy for years because Congress sends privacy and civil libertarian folks have wanted to reign in and put restrictions on it. And it's been very contentious. The FBI hasn't helped the situation with some documented evidence uses over the years and failure to follow their own rules. So the net effect is this has become a political football Again, so that's the, that's the big picture of where things stand now to continue as to where we are. Congress knew that the extension that the statute, which has been periodically extended for a number of years, never was fully, never was extended permanently. It's always had a couple of years. Sunset provision that came up in April. There was a lot of contention back and forth over what amendments and reforms would be introduced on top of a big reform package already, already established in 2024. Just, just two years ago, Congress couldn't decide. The House finally agreed on a new provision to put the statute in effect for, for three more years. They voted on it. It passed by significant margins, then went over to the Senate where it died.
C
Why?
B
Because the House had attached to that bill a completely unacceptable bill, a ban on cryptocurrency having nothing to do with foreigners, foreign intelligence, just simply stuck this on the Senate said, we're not voting for that. Make a long story short, the statute lapsed for the first time ever since 2008. Now, technically it lapsed for an hour before the President signed the bill in 2004, but that count. This is, this is an operational.
A
We're beyond, we're beyond an hour here.
B
We're beyond an hour. So statutes lapsed and that's where we are.
A
So the grandfathered certifications that are attached to this, I know, run until March. What does that look like in practice? Because I know that the government can, under the law, the government can compel these providers to turn over that information. But now it gets a little bit more dicey and there's a gray area there. How does that work out right now?
B
So you're absolutely right. The statute has in a different section 702, a general provision that says in effect that orders and court orders and directives and other legal mechanisms that are in place at the moment of expiration continue for as long as they are valid, underlying. And in the case of certifications, it's assumed, we don't assume that it's a one year, which would take us to March of 27th. Okay, so in theory, those certifications which allow collection against broad categories of targets, again, even this year we still don't know the precise targets. We can assume those categories. We can assume it's the same as the last couple of years, which are basically counter narcotics, foreign foreign leadership, anti proliferation and mass weapons of mass destruction, and counterterrorist. So those are the four. We don't know that for a fact, but presumably those. Okay, so they stay in effect for a Year. And the big bumper sticker, if you had one headline in this area, the one headline is by and large, surveillance continues uninterrupted until March of 27. So, so the, the short answer is what are you worried about? Because there's time. There's time. We got another eight months or so before we need to do anything those, those statutes. And that's true. And I don't want to over, I don't want to overemphasize the exceptions that I'm about to get into, but there are some important exceptions. So it's true that collection continues and it's true that if a target who's already been targeted by the National Security Agency, an ISIS terrorist, a Chinese spy or whatever, NSA's got his name, it's true that they can continue to continue the surveillance on M. Or it's also true that if a new target appears, they suddenly discover the name of a new Chinese spy or something, they can go after and do surveillance on that new person. So new targets are okay, but they have to fit into the existing certifications and most importantly, they have to fit into the existing directives. And what I mean by that is if a directive has been served on, I'm just going to pick a name, hypothetically, Yahoo, okay, And say give us your Gmails for this Chinese spy, new Chinese spy. If there already is a directive covering that under an existing certification, that'll cover. But hypothetically, if that Chinese spy is now using Snapchat, okay, And it turns out there isn't an existing directive against Snapchat telling us give us all our Belgian information from partners. We couldn't track that person. So, so new providers can't be added to the list who don't already have a directive. New topics that aren't already covered by existing certifications can't be added because there's no ability to get a new certification. The statute slapsed and technical changes. When I was at the nsa, we, we had a need to go back to the court for technical reasons to say this is the statute and procedures it place for minimization and targeting etc and we need to change it because something's happened. We didn't realize the target changed their behavior. They changed. They're trying to evade surveillance and we now need to do X instead of Y and we can't go back to the board now because so, so that's one, one issue. We don't know what we're missing. Right. And the second, which has been talked about very briefly, is there is a concern that some providers, telecom companies, the Internet providers, will say to the federal government, look, we want to be absolutely sure that we're need have to be compelled here. Our corporate policy, our shareholders, the way we deal with customers is we're not going to do anything unless we're absolutely. If we're compelled, we have a court order, we'll do it. And so they could go into court seeking a declaratory injunction. They could slow things down. They could say, you know, we've never had a full statutory lapse before. It's true that they would be subject potentially to penalties. But they could say, we're worried about the potential loss of immunity during this period. We get into some technical details about that. We're worried about just the uncertainty here. We've never had a court case that squarely presented what happens in this kind of long term apparent possibly permanently. And so you could see a situation where some provider will either slow down or slow walk or absolutely refuse apply. And again, we won't know what we're missing. I don't want to overemphasize that, say the sky's falling, it's not clearly, but we're taking a risk in this area.
A
So I want to talk about specifically for our podcast and being so focused on cybersecurity is that a lot of the scenarios that you just presented, there are really more, I don't know, traditional national security is the right word, but a broader aperture or national security. You know, most people hear FISA and 702 and think the counterterrorism examples that you brought up. But I know that 702 has really been a big driver in helping the FBI in cybersecurity cases. When did this really pop up? Like when did 702 become such a cybersecurity tool alongside a counterterrorism tool?
B
Yeah, well, it tracks the nature of threats we've seen. So obviously ransomware wasn't a thing in 2008 when the statute developed. Of course, our focus then was on counterterrorism. When I was at the national security agency from 2015 to 2020, I saw this transition. At the beginning it mostly focused on surging against ISIS and ALEA etc and then by the end of my period there, one of the big things we were focused on was election, election interference by far foreigners, Russia and China, which was cyber interference, cyber attacks on, on infrastructure. And then subsequent to that, of course in ransomware gone crazy, as we all know, and, and state sponsored cyber maliciousness is everywhere. So right now the FBI says that informally that about half of all the queries they run against their database that I talked about earlier, the podcast, are cyber related. And the big spike, there was a case a couple years ago in 20, maybe 20, 21 or so, I don't know the exact date where they had over 3 million queries. And the privacy and civil libertarians were very upset. You're querying the database millions and millions of times. How can you do that? It turned out that more than half of that was one cyber incident.
A
I believe that was a solar wind.
B
That's what it's assumed to be.
A
Okay.
B
And so, and the way this works, people say what do you mean it's used cyber? So, so I'll just give you a call. So it could be that we're, that we're busy tracking a foreign ransomware gang or a state sponsored Iran, China, Russia, cyber, cyber malevolent cell. We're tracking the FSB, the C.G.R.U. and the Russia. And we could see because we read their emails, if in turn we happen to be doing again hypothetically, that maybe they've got a campaign to go after all hospitals in the United States. Just we come across a piece of information from someone to say let's go after all the hospital or go after health insurance. Why? Because those are the ones who are most likely to pay because they can't afford to not do its other juicy ransom paying. And we discover that information. So maybe the FBI again just would would say let's plug in the name of five or ten hospitals and see if the foreign cyber criminals whom we're tracking under 702 have mentioned the name of Mount Sinai Hospital, Children's Medical Hospital or XYZ. Maybe they have, maybe they're on their hit list. And maybe we should go warn that hospital and say look, we think you're on the hit list of this ransomware gang or this. So it has real world implications for warning people. And once an incident has started, we can then use section 702 to go back and find out where. Who's talking about this? Where's money going? And this famously resulted in the colonial pipelines incident. Whereas, you know, people were lined up on the east coast waiting to get gasoline Colonial pipelines turned off their, their system due to a ransomware attack. And the FBI was able to find out the cyber criminals behind this and actually recover almost all ransom. Not all, but almost all. All through 702. Okay, so it's valuable afterwards in, in using intelligence to figure out who did this crime. Where'd they put the money, what Bitcoin wallet is, et cetera, we can't always find it. But that information, so it's valuable in the tipping and warning part, and it's also. And tracking down the bad guys. And also, as I said, once an incident occurred, sort of working backwards, finding something out.
A
Interesting. Okay, so with the way that things are now and the way that cyber intelligence, specifically threat intelligence, you know, it's all about speed and that early warning. So I'm wondering, does the reauthorization stalemate right now sort, Sort of put a wrench in the system when it comes to that early warning? And is there a capability at risk if we are where we are come eight months from now?
B
Yeah, you're right. Speed is essential. I can tell you one thing that if we had a warrant requirement added to section 702, talk about that would come things up and slow things down, especially in the cybersecurity area. But, but right now, I mean, to be fair, I. I don't. I don't sense that it has. It's having a pro. Profound effect. But again, it's the point you mentioned. We don't know what we're missing. We don't know what's happening. One of the issues which, the Privacy and Civil Liberties Board had a staff report issued earlier this spring, and the Inspector general, the Justice Department, also had a report issued this spring on 702. And they both said something that wasn't picked up too much in the press, which was really fascinating when they said, there's a couple of compliance issues we need to talk about. We need to talk about how the problem works and how the program works, et cetera. But they said, we're worried that the total amount of restrictions that are imposed in this area, especially on the FBI, may be having a chilling effect, may cause some agents to not run a query that they otherwise would want to run, and we can't prove it because we can't prove a negative. But. But anecdotally, they interviewed a number of FBI agents who said, look, frankly, I'm going to use the 702 querying as a last resort only if I absolutely, positively have to, because I have to fill out so many forms I have to check. I'm worried about internal liability and restrictions. You know what? I'm just not going to do it unless I absolutely have, and that's not a good thing. Again, I'm not suggesting we take the gloves off the FBI, allow them do everything. I'm not. I got that. I'm understand the issues involved. But it's notable that two government agencies themselves pointed out the fact that they're worried about the chilling effect. So in the cyber security era, we need to be really quick. We need to track down the bad guys very quickly. And if there's any hesitancy on the part of, of, of any of the intelligence community in using all the tools we've got at our disposal against cybersecurity, that's at risk.
A
So you kind of got into it there. But given that you have been behind the scenes on this and seen how this work, give us like an honest operational cost of what a warrant requirement would look like. I, I know you said it was chilling, but almost going back to the speed thing is really what I'm getting at here. Like that. That warning needs to go out from a cybersecurity perspective asap. So are we talking like hours or days?
B
So there, so There, there are two areas where, where 702 information that's collected could potentially be really important in a very timely way. One is counterterrorism. So if someone's landing a bomb on a bridge, we want to know about right away, we don't want to take three days to get a warrant about it. And the second is cybersecurity, where things move immediately. If some ransomware gang attacks hospital number one, they're off to hospital number two in seconds. So we want to have speed in both and agility in both those areas. And just to get into some of the details on the warrant, what people are talking about is imposing a requirement to get some kind of individual court ordered approval for the FBI to query its database. Now take a step back. I'm going to get into a little bit of detail. That's too much. But it's crystal clear as a legal matter that the FBI could review all the information coming into it in real time. As if you want to imagine a thousand FBI agents with earphones sitting in a basement somewhere listening or reading on a computer as the 702 information comes in real time. There's no question they could do that, including incidental collection. So this information, instead of being reviewed in real time by thousands and thousands of agents, is stored in a computer, electronic. Sometimes it's never accessed. It might be accessed only when we run a query and say, let's plug in a, let's plug in a name and see if Joe Smith's name pops up. If we had a requirement that we needed a warrant, first of all, there's a question of what does the warrant have to say? Is It a warrant that says you have probable cause to believe a crime has been committed, which isn't sort of, or that there's evidence of a crime. So that's really difficult in the, in the 702 context because the area where 702 is most valuable is in the initial stages of investigation where all the FBI has is a tip. Let me give you a real world example. Okay? So let's just say, take a counterterrorism example. This may be a little easier. Understand? Let's assume the SEAL team captures or kills a ISIS terrorist overseas who, who is a 702 target. And they happen to get his, his or her cell phone. And they look in the cell phone and sure enough, there's a bunch of contacts, most of which are foreign, but one happens to be a +1 202 US number. Okay? And they say, gee, that's a little suspicious. What's the 702 target located in Syria, Iraq. Contacting an American or, or an American phone number. They don't know for sure. All we've got is that just that piece. It could be completely innocuous, could be something more. They send that to the FBI saying here's, here's this information. And maybe the FBI, at that point, all they have is, is a tip of this American, right? They don't know anything about this, this America. Let's assume it's America. They might want to plug that number in into their database to see whether this number, which all they have is a tip, yields any information. And if it suddenly has a hit against four terrorists who were in the database. Wow, that's interesting. Maybe all we'll get is metadata. We'll see that this, this number has been in contact 42 times. Each time for conversations lasting 15 minutes. That's pretty interesting. I'd want to know more about that. Right? We still, even at that point, Even at that point, we still don't have probable cause to believe there's a prime or evidence of a crime. So we couldn't get a search warrant. So what is it we're getting? Are we getting just a warrant that says there's evidence to believe that there's could be war, foreign intelligence? Well, that's not getting. So it's not clear what the standard would be. It's not clear. And if you then said, well let, okay, fine, don't use it in counterterrorism cases. Fine, don't use it in cybersecurity cases. You start whittling it down. What's the purpose of the war? And last piece of information here. When we're looking at getting a warrant in this area for the FBI to look at information that's already collected, we need to understand the scope of the problem. This is something that your audience should appreciate because it's not reported in the press. Last year the intelligence community said There are about 350,702 targets, around 350 up a little bit from the prior year threats. So of those 350,000, only about 3% of those were targets who were also the subjects of a, what the FBI calls a fully predicated national security investigation. That's of the top serious most investig. That's not based on just a tip. That's there's some real concrete evidence, fully fledged national security investigation is warranted against this 702 target. Who might that be? A Chinese spy trying to recruit someone of whatever. So that person, that person's communications, that 702 target, who of, of whom there's only about 10,000. Only about 10,000 those names, and only those names get sent to the FBI for their data. The other 300 and roughly 40,000 names do not go to the FBI. They're kept to the NSA or the CIA or the National. So the FBI is getting just this, this, this 3% sliver, this 10,000 names. Of those 10,000, most are probably talking to other foreigners, but some might be talking to Americans. And it's those Americans communications who are in touch with those 10,702 targets who are the subject of a fully predicated national security investigation like Chinese spy, Russian agent, whatever, ISIS terrorist, trying to recruit someone. Those are the communications that we're talking about that are in the FBI database and it's that to which a warrant might apply. I might add that's sort of already a fairly suspect pile of information because of the way I've described it. And I'm not saying we could never have a warrant. I'm not saying we can't have the restrictions about it, but that we should understand when we talk about the pluses and minuses of warrants, what we're talking about, it's a tiny, tiny fraction of this. You probably have a greater, excuse me, greater chance of getting hit by lightning, the FBI says, than being the subject of a 702. So it's. We need to put this in context. Again, not saying that there, we don't need restrictions, but let's put it in context.
A
How do you juxtapose that between the, between that which, what you said there, which Obviously from a practical sense, in an operational sense makes sense. But with the reforms that we talked about or, or what was it? I'm sorry, I'm looking at notes here that I had regarding. Regarding the queries themselves, that the FBI was still finding ways, not finding ways to get around it in an, in a malicious sense, but that it wasn't adhering like there were still some needs to. To put more guardrails up on exactly what the FBI was seriously dropped ever
B
since the statute was implemented. The last set of statutory restrictions were implemented in 2024 and before that when Christopher Wray was the Director, he implemented significant regulation. Significant restrictions by regulation, not by statute. So the combined effect of that is that the number of queries a few years ago drop from a couple hundred thousand to over just over 7,000 last year, which is a 90 something percent drop. So the number of times this database that I've talked about before has been query by the FBI is just 7,000 times. And that's the. That is the number to which these warrants were required. I would suggest that those 7,000 or ones where we're pretty interested in worrying about those context for the reasons I described. But. Okay, so what further restrictions might be imposed? There's talk in Congress, there's a couple of bills pending that would impose more restrictions over and above the warrant requirement. I'm not really sure what Privacy act real world privacy interest is being advanced here. It's a little hard for me to understand. Yes, of course we don't want government just generally snooping around. No one does. But what exactly is, what exactly is the privacy interest that's being invaded when the FBI searches its database looking for this information? I have trouble articulating exactly what the real privacy interest is and whatever it is weighed against this other national security risk. When the TSA looks in its database to see who's on the no fly list, they're searching the entire database, including your name and my name in the database. I don't particularly feel like privacy is abated when a TSA agent is do running that computer search. I understand the issue. I'm not dismissing it completely. But we need to understand. So Congress is talking about a number of restrictions that would impose additional audit requirements, GAO audit of recruiting procedures, getting the privacy and civil liberties people more involved, adding more power to amicus curoi. Friends of the court to look at this. Additional reporting to the Fisk and to the Foreign Intelligence Surveillance Court for this requiring that what is now implemented by regulation around that statute requiring that the FBI has an attorney approve every single query, not just a supervisor. So and, and saying that sensitive inquiries say of politicians, of members of the purging members of the press have to meet a heightened standard. You know, you could imagine all these things and there various congressional proposals to do that. I'm not offended by any of these restrictions individually because it's hard to argue that we shouldn't be worried about more sensitive queries. What I worry instead Greg, is about the cumulative effect of these. We've, we've. Any one of them is probably makes sense and two of them make sense. Cumulative effect of all this reporting, all this certification with layers of oversight of the FBI General Counsel, the FBI supervisors, the reporting to two congressional committees, the Department of Justice Inspector General, the entire National Security division of the of the Department of Justice that oversees all these queries layer upon layer of these with lots of certifications all lead to. I'm worried a. Even if it's subconscious, a subconscious effort on the part of agents not to warn queries that they probably should, that might keep us safe. No way of proving it. But if we, if we were starting from fresh or blank sheet of paper, we wouldn't design the system this way and instead what we have is a whole bunch of patchwork individual patches here.
A
Well also the thought that comes to mind too is that given all of guardrails on the set has operationally slowed it down, it's no wonder that we've reported on stories and we see stories out there about buying data from private data brokers too. And this is my personal opinion, I don't want that either because they don't have the same type of restrictions that the government has when it comes to collecting data. Now of course I don't want the government collecting all of that data either but I also feel like there would be more. I, I'm happier with any sort of restrictions that are applied to the government collecting that over going out to a data a private broker which has God knows what I've signed up for over the past 20 years. And that's. I hate saying that but that's just the nature of the world we live in.
B
Reality is that Google knows way more about me than the government could even hope to because Google reads all my emails because I am the Gmail and by definition they're reviewing it. Not, not in the sense that there's a human being sitting there reading my emails, but the machine is looking at it, checking for scams and cybersecurity problems and you know, and also substance because When I then write a new email, it seems to know what I've said and ready to supply an auto, you know, an auto completion for something.
A
Right.
B
So a lot of benefits to that. But we do not have, as you well know, base privacy legislation in the United States. We're one of the few and the only one industrialized democracy that doesn't have base privacy legislation. We could regulate data brokers far more. You're right that the government does have the ability to account acquire this information. I think it's important that we have government restrictions on how the government can use this and aggregate it and as they say, build a dossier on someone. I think it's important not to conflate this with 702. Earlier in the legislative debate in the last year, there was an effort to close the data broker loophole. There's, there's a loophole in FISA about. This has nothing to do with fisa. There's a loophole that in FISA that, that was deliberately left open that now needs to be closed. It. There's a separate issue about regulating data broker purchases and uses of it by the federal government not related to 702 should be conflated with 702, which is all about targeting foreigners. And yes, there's some incidental collection of Americans, but it's about targeting foreigners for specific identified purposes. But you know, it. We've seen with recent Supreme Court cases on geofencing warrants that.
A
Yes, we've talked about them on this podcast.
B
You have. And before that, of course, the famous Carpenter case on cell phone geolocations. So it's pretty clear that the law is moving in some way toward more privacy and restricting, restricting collections in this area, balancing that of course against national security needs. So that's always, there's always going to be a tension there. We have yet to see how the law develops. It's pretty clear that the Fourth Amendment does not require a warrant. One court case that said that and all the rest. Majority are clearly against that position, but we'll see how the law develops. This is an area where technology is moving at a thousand miles an hour and the law is moving at 100. And that's a big gap.
A
Yeah, I was going to say this may be too broad of a brush, but in one sentence, given the paradigm of everything that we just talked about right here. Is 702 more politically risk today than it's ever been since 2008?
B
Oh, absolutely. I, it, it's, it's definitely more political risk. I believe that it's gotten hung up not so much over the warrant requirement, which I, which is an issue. But I, I don't think that's what's really holding it back because it looks like Congress in both Houses willing to go ahead with an extension of seven. Every member of Congress recognizes the nation needs 702. There's no, there's no congressional debate about, oh, let's get rid of the statute. That's not all. That's not. But what reforms, if any, should we have is what's on. As I said, it's been passed with declining majorities. The House did pass it back in April with provision that would extend. It was a bunch of additional reforms. I think the Senate was all set to do that until the President nominated Bill Pulte to be the Acting Director of National Intelligence, which sent the Democrats in fury and actually many Republicans too, because they thought he was not qualified. And so that just threw a monkey wrench into what was already a rather tenuous process. It's clear that nothing was going to get accomplished in the 702 area because of while Mr. Pulte was the director. Today there's a hearing on Mr. Clayton to be the, the new permanent Director of National Intelligence. He seems to be a little more palatable to many and that will probably remove sort of the political stigma of Democrats voting on this at a time when they simply had no trust in the intelligence community under Mr. Pty. So my guess is, and I'm just a guess, is that Congress will feel more comfortable going ahead and, and with, with an extension. However, there's no political impetus for it right now. There's a sense let's wait till March. And Congress is famous for saying, well, if we can wait till March, let's do that right. So there's no impetus to do it. And to complicate matters, the President has said he wants this SAVE act, which securely passed, and he doesn't want Congress doing anything, including 702 until that's passed. So he's made it difficult for members of his own party to buck him or thwart him going ahead with something he said he doesn't want. So I fear that, yes, 702 will remain captive of unrelated political issues even if Mr. Clayton is confirmed. And my hope is that they'll do some kind of short term retroactive extension, maybe extending it to December or to some other time. And then the Congress will at some point after the midterms, maybe in a less passionate way, take this up. I'm skeptical that it's going to be. That's going to have a substantive approval in the next few months. It might, but I, I think we're more likely looking at some temporary extensions and then tackling this substantive, which is not good for the national security community and it's not good for taxpayer dollars either because every time this statute comes up to close to an extension, intelligence agencies scurry around with the telecommunications provider saying, what are we going to do if the statute expires next Tuesday? There's a lot of meetings, a lot of conferences, and we're wasting taxpayer dollars in addition to providing uncertainty international security.
A
Great. Glen, really appreciate you coming in to discuss this. Like I said at the top, it's been a hot button issue and I'd like providing people with clarity on what is trying to bring signal other than noise, because I feel like there's a lot of noise around this and I appreciate you giving people a chance to hear what is and isn't noise.
B
Well, thank you. It's, it's an area where the details are important. Nuances are important. Congress doesn't do nuance very well, but it is an important area. I remain hopeful that Congress will go ahead with, with an extension at some point. And as I said, it's a statute that is vital to our national security. So thank you for the opportunity.
A
Thank you. Thanks for listening to Safe Mode, a weekly podcast on cyber security and digital privacy brought to you by cyberscoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co workers, your sizzos, your sysadmins, your mom, your dad, anybody that wants to know more about cyber security. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com thanks for listening. Check us out next week.
Date: July 16, 2026
Host: Greg Otto (Editor in Chief, Cyberscoop)
Guests: Derek Johnson (Reporter, Cyberscoop), Glenn Gerstel (Former NSA General Counsel, Senior Advisor at CSIS)
This episode of the Safe Mode Podcast explores the recent lapse of Section 702 of the Foreign Intelligence Surveillance Act (FISA) and its consequences for both national security and cybersecurity. Host Greg Otto interviews Derek Johnson about the states' tumultuous relationship with the federal government in the 2026 election landscape, and then presents an in-depth, expert discussion with Glenn Gerstel on precisely what the Section 702 lapse means for intelligence, operational agility, and privacy concerns.
Notable Quotes:
Notable Quotes:
On Section 702's Value:
“It's a statute that is vital to our national security.” – Glenn Gerstel (43:12)
Policy vs. Technical Reality:
“Technology is moving at a thousand miles an hour and the law is moving at 100. And that's a big gap.” – Glenn Gerstel (39:33)
Senate Stalemate:
“The statute lapsed for the first time ever since 2008. ... We're beyond an hour.” – Glenn Gerstel (14:40)
Cyber Response Example:
“We can then use section 702 to go back and find out where. Who's talking about this? Where's money going?” – Glenn Gerstel (21:05)
The conversations are candid, technical yet relatable, and focused on cutting through “the noise” to explain both technical and policy realities. Greg Otto is direct and curious; Derek Johnson is analytical and grounded; Glenn Gerstel is nuanced, thorough, and pragmatic.
The lapse of Section 702 is unprecedented and, while not an immediate crisis, the downstream risks for both national security and cyber defense are real—especially if Congress remains gridlocked by unrelated politics. Both state election security and federal intelligence collection are operating in a period of unusual uncertainty, with meaningful consequences for cybersecurity in the months ahead.