Dark Reading’s Becky Bracken: Hello everyone, and welcome to Dark Reading Confidential. It’s a podcast from the editors of Dark Reading, bringing you real-world stories straight from the cyber trenches. We have a really great conversation for you today. I am joined by Chris Inglis, who was the former NSA Deputy Director during the infamous Edward Snowden affair. So he is here 13 years on to unpack a little bit about what we’ve learned, and hopefully pass some of that knowledge on to our enterprise cybersecurity teams listening today. Welcome, Chris. Thank you so much for joining us.
Chris Inglis: Pleasure to be with you, Becky.
DR’s Becky Bracken: OK, so we all sort of anecdotally remember, we all, most of us of a certain age anecdotally remember Edward Snowden, a contractor for the NSA where you were the head civilian in charge with Booz Allen and found what he believed to be a smoking gun sort of evidence that the NSA was illegally collecting massive amounts of data on US citizens. He ran afoul of the law with the disclosure, eventually bugged out, and spent a month in the Moscow airport trying to find a place to be out of reach of the US authorities, where he lives today. Is that a fair summation?
Chris Inglis: Yeah, so I’m going to be fair minded in this, I’m not impartial. I would characterize it this way. What you’ve said is actually what the public record often says. But I would offer that Snowden alleged that there were abuses of privilege and authority at NSA. Subsequently, by every investigation that’s taken place, has born out that NSA was not abusing its authority or its privilege. But I think what we’re going to discover in this discussion is it didn’t matter. The effects were the same. So I would say Edward had lots of allegations, very few revelations.
DR’s Becky Bracken: I’ve read other interviews you’ve done and you talk a lot about sort of the nuance that gets lost behind salacious accusations like the ones Snowden had. That sort of idea is near and dear to my heart as a journalist. And so I would like to hear you talk more about sort of what that disconnect was in the public reporting that you referred to.
Chris Inglis: So, let me just say upfront that I don’t think it’s any secret that Americans, dating back to probably 1775 or earlier, have an inherent suspicion of government and perhaps a greater suspicion of secret organizations. NSA was both. Secret organization; we used to call it “no such agency,” or “never say anything,” and of course it’s a government organization. And so he tapped into that suspicion bordering on apprehension and fear by declaring, in the spring of 2013, June of 2013, that NSA had abused its trust and was massively surveilling Americans for salacious, vicarious, arbitrary purposes.
That actually hit a raw nerve. It hit a ready audience. And he was off to the races all summer making those declarations from places like Hong Kong and Moscow. And NSA was then left to respond to that. The truth of the matter is, and perhaps the best judge of that, was the commission that came to NSA in the fall of 2013 at the behest of President Obama. The truth of it is, is that NSA was using its lawfully authorized capabilities and authorities to collect metadata. We can go into the details of that, but I like the characterization by one of the members of that. It was a four-member panel. This person was a guy named Geoffrey Stone. Not Oliver Stone, the guy that did the movie.
But what Geoffrey said was, here’s what I told NSA. He did this in an op-ed in the spring of 2014, and he made several key points. One was, said, you need to know that I was very suspicious of NSA going into this investigation. Card carrying member of the ACLU, I think that’s a good thing. He says, lifelong libertarian, I think that’s a great thing. Once and former dean of the University of Chicago Law School, so I know something about constitutional law. He said, I was suspicious, skeptical of NSA going in, believed that I would find a rogue agency. He said, I didn’t find that. I found an organization that was not simply obeying the law, but doing what they were required to do. They could not have not done what they did. They were honor bound by law and the authorities given to them in the order to help solve this problem, this terrorism problem, to do what they did. So he says the third part was, so I came to the conclusion that NSA deserves the American people’s trust.
But the fourth part was my favorite part. He said, But we should never trust NSA, which I think that’s the deal that that is actually the compact between the American people and its government. And I actually loved that because as a as an American first, and NSA employee second, I think that really is the deal that we should earn that trust every day and the performance that we give. Now we go into the details of what NSA was actually doing, but I think that’s the top line. And there are lots of lessons in that.
For people who also do things that aren’t perhaps transparent or publicly disclosed to the madding public or to the press. If someone can tell a story about you that is a maligned version of that story that perhaps is so titillating, so viral that you kind of can’t go second, then you better tell that story first. And if there’s something you do that isn’t quite right and you know it’s not quite right, you should never expect that secrecy is going to protect you for all time. That’s never true.
And if there’s someone who might raise a concern and you don’t give that person the full and fair opportunity to raise that concern internally first, then you’re never going to get the kind of adjudication and due process you want when that person goes outside. All of those were lessons for me coming out of the Snowden affair.
DR’s Becky Bracken: So do you you say that you would have provided him an opportunity to report internally what his concerns were? What would that have looked like operationally compared to what actually happened?
Chris Inglis: Yeah, look. Great question. A little bit more nuanced than that. Turns out that he had any number of opportunities. He could have done it anonymously. He could have told the supervisor. He could have sent a letter to the oversight committees within the Congress or the Senate. He could have sent a letter to the Department of Justice, to the Director of National Intelligence, all of whom provided material oversight for NSA. All of those opportunities were there. I’m actually after something slightly more nuanced. He (Snowden) was a contractor. And if you’re a contractor in the federal government, many members of your audience will know this, you’re largely treated as a commodity. You’re not treated as someone who has the authority to make decisions on behalf of the government. You’re not given training opportunities within your government service. You’re not, when you’re brought in, enculturated to kind of believe that you’re one of the members of the federal part of that government. You’re a contractor, you’re a commodity. And in the worst case, you’re told to sit down, shut up, color between the lines.
When you have some amount of ego, we all have ego, and you believe that you do have a contribution to make, possibly in excess of what the contract calls for, and you raise your hand and you kind of speak to what you think should be done, your boss may say to you, “You’re a contractor. If you want to tell me what to do, change the color of your badge, become a federal employee, reduce your salary to what a federal employee makes, and then and only then can you talk to me.”
That’s actually what happened in the case of Edward Snowden in the late spring of 2012.
It wasn’t an issue of collection or abusing NSA’s privilege. It was a bad boss kind of in an environment where Edward spoke to that. And the record shows that Edward, having said that to the boss, the boss said, “Sit down, shut up, color between the lines. If you want to tell me something, change the color of your badge.”
Edward, having a not small ego and a great deal of intellect, decided not to get mad, but rather to get even. You can see it in the public record or you can see it in the forensic records soon after that he began to collect information which he ultimately disclosed a year later in Hong Kong. I think in an attempt to embarrass NSA and to get perhaps even with NSA but I don’t think that this was born of his concern that NSA was egregiously collecting mass quantities of information. To the extent that he might have thought that, my hope would be going back in time if I had a time machine that he would raise that concern inside the workplace and somebody could have said to him, “No, this is what we’re actually doing. This is what we actually do. This is why we use it. And this are the conditions, the belt suspenders, Velcro zippers that are attached to that to make sure that we do that the right way.”
I’ve had an opportunity to explain that any number of times after he came out and made his allegations. And the vast majority of those times, and I would say to include testifying in front of Congress, testifying to that investigative committee, testifying to audiences far and wide, most people say, “That makes sense, what you were doing. Why didn’t you tell us that story beforehand?”
That’s, think, one of the mistakes that we made, believing that people would assume that we were doing the right thing the right way, even if we didn’t tell them.
DR’s Becky Bracken: Snowden’s leak sort of mirrors of the ultimate insider threat for your enterprise cohorts. Can you tell me what the damage was besides reputationally and the bad press? What was some of the other fallout of this leak?
Chris Inglis: We’ve stolen my thunder. You’ve gone to the high end. I think that the most insidious, the most perhaps kind of enduring damage was to reputation. NSA, a member of the government, the executive branch of the government, has to, like the rest of the government, earn the trust of the American people. Back to Geoffrey Stone’s comment, it has to achieve what the Constitution calls the consent of the government. And if you lose that trust, then you lose not just the trust and the reputation that goes with that.
But your authority, easily given in some days, perhaps mean-spiritually given in others, you lose the flexibility in that authority. You lose the confidence of those who allow you to do the thing that you must do to execute your mission. And so I leave that at the center of the table. But what were the other costs? Edward disclosed any number of means by which NSA collects information. And those were all then immediately disclosed and acted upon by our adversaries.
Whether it’s terrorists around the world or rogue nation states, take North Korea, Iran, kind of the cases in point. They said, oh my goodness, this thing called the Foreign Intelligence Surveillance Act is actually quite effective at extracting intelligence from communications that they thought was going from one foreign place to another foreign place, but being routed through the United States. That’s what that act was essentially focused on. It allows them to pull that up and to take a look at it under the lawful conditions associated with the act. But giving away all of those techniques made it such that NSA lost that capability and had to earn it back. I’m glad to say, kind of, and I can’t say, you know, how, but I’m glad to say that it earned it back, right? It won all of that back, but that’s not something you want to do when you’re hanging on by the fingernails to kind of an understanding of what terrorists are going to do, what kind of narcotics traffickers are going to do, and so on and so forth. You don’t want to give that away. You don’t want to have a dip in your performance.
The other thing was, is there was no small amount of time and capital cost associated with fixing the problem, with essentially earning that back and then putting controls in place that are necessary if you believe that there is the possibility that this might recur, that there might be an insider who takes unfair advantage, who abuses their privilege, or that there might be some opportunity for someone to say that you haven’t done the right checks and balances. And so we installed an extraordinary number of checks and balances that previously we didn’t believe were necessary, that we’d never actually discovered or determined were absolutely necessary, but to win back the confidence we had to actually put those in. As Keith Alexander once said, we then had people with clipboards, watching people with clipboards, watching people who work, and that’s a huge penalty. Some number of your audience may be working for banks or financial institutions, and they’ve lived this dream over the last two, three years. Silicon Valley Bank failed. They failed because they perhaps had not thought about their liquidity the way others do. And because of that failure, the Federal Reserve and other regulatory components within the banking sector imposed extraordinary requirements on every other bank in the system, who didn’t actually have that weakness, but nonetheless they were paying the price for the sins of others. And so that was a cost as well.
DR’s Becky Bracken: So the damage was done and Snowden, as we said earlier, is living right now in Russia as a naturalized citizen. There, as usually once a year or so, has been a recent bubbling up of talk of pardons, especially pardons seem to be flying around these days. What would your reaction be to Snowden being pardoned today?
Chris Inglis: Disappointment to be sure. You know, I would say that I think he should get his day in court.
And he should have access to the best lawyers that money can buy. And I have every expectation that there’s money behind him that can do that. He ought to make his case. Why is he a whistleblower? What were his concerns? How did he attempt to exercise those concerns within the system if he thought that the system wouldn’t meet his needs? How did he attempt to exercise those outside of the system before he went to Hong Kong?
And I think the record will show, but we can actually kind of show this or not in court. The record will show he did none of those things. As a whistleblower, he had the obligation to find the lowest possible damage route to exercise those concerns. He needed to do so in a way that was necessary and proportionate to those concerns. He released a million and a half documents that did untold damage, not just to the National Security Agency’s sources, but sources that we actually benefited from because others gave us access to their sources.
None of that has been determined to be unlawful. None of it. Now subsequently NSA gave up on the collection of telephone and email metadata. Subsequent to that there was a court action that determined that perhaps that was disproportionate to the need of the global war on terror. We can argue that until the cows come home. But up until the moment that NSA voluntarily gave up on that program because it was no longer as useful as it once been, think it was 36 different federal judges had ruled on it and also said that it was legal. So I’d like Edward Snowden to make his case in a court of law. If he’s pardoned without the opportunity for us to examine that, his side and the government’s side, then I would be at least disappointed, if not just a little bit mad.
DR’s Becky Bracken: I think that’s fair enough. I just want to circle back and have you say a little bit more. You talk a lot about the context of the reporting, the storytelling, and sort of the pickup of the more salacious nature of this. Looking back on how the story was told, and you’ve been pretty frank about that, I say maybe you should have been out ahead of the story, of course, with limitations. I don’t know how you get out ahead of a classified story necessarily.
But I’m interested for you to sort of tie this to what enterprises can do. This was a catastrophic breach, essentially, of an organization that’s supposed to be unreachable, as much as that’s even possible. So my question, too, is what is the advice that translates over to our enterprise leadership and security teams?
Chris Inglis: Yep.
That’s a great question. So let me walk through the mistakes that NSA made, and you can pin these on me.
First, I don’t think we thought we were unbreachable, but we gave that kind of a characterization of very low probability, if not high consequence. And when you have that set up, very low probability, high consequence, you need to actually lean into the high consequence part of that. You need to figure out what are you gonna do about that? Because low-probability things are not zero-probability things. And so you need to work your way through, what would you do under that circumstance?
Second mistake we made was now in hindsight looking over our shoulder, bringing people into the NSA workplace who are contractors, giving them extraordinary privilege and treating them as if they were commodities. Now, why would you bring somebody in to be a SharePoint system administrator? That’s what Edward Snowden was. Give them that extraordinary privilege. His job was to categorize tools that were used by analysts who were either collecting or accessing information, then calling those up to actually conduct their analysis and production responsibilities.
We did that because the Congress dictated that the private sector was much more efficient at doing IT, general-purpose IT, than the government ever could be so the Congress directed that NSA and other federal entities use private sector resources to do that so we were kind of in in that corner because we were directed. But having done that, we should have thought, “So what does it mean for those persons to have extraordinary privilege?” It means that they could then abuse that privilege. How do you then provide the checks and balances on them to make sure that you understand when that happens? Be a little bit more careful about that. And how do you enculturate them so that they feel like they’re part of your larger organization? If you’re an NSA employee, we take them to the museum, I mean a government employee, we take them to the museum at NSA on the first day and we tell them the stories, the true stories, about the contributions NSA has made over time. And why do we do that? To give them the sense of noble purpose and the high moral cause that NSA is engaged in.
We take them across the street at that point, give them a mentor, give them challenges, give them feedback on how they perform in those challenges so they feel like they’re part of something bigger than themselves. If you’re a contractor, we bring them to work on the first day and say, “sit down, begin to do your work. If you have any complaints, see your contractor boss. But at the end of the day, we just want you to do what you’ve scripted to do.”
That doesn’t sit well with somebody that has some degree of initiative, perhaps some degree of ego. And Edward Snowden, very smart person, had some degree of self initiative inside of him, some degree of ego inside of him, nothing evil about that. But it’s a bad mix. It’s like sodium and water. Third mistake we made is understanding, perhaps in hindsight, that there might be the opportunity for somebody inside to abuse privilege. didn’t connect the various ways that you might see that.
Now there are at least three ways that I would describe you can see abuse of privilege. You can look at what somebody does physically on a campus. When do they show up? Where do they show up? What spaces do they enter? Some of those spaces are more interesting, more important than others. What do they do online? What’s their persona doing? What is the kind of persona associated with the system administrator doing? When do they log on? When do they log off? What do they touch? What do they access? And the third is the personnel record. Do they have a clean kind of record in terms of employee never raises a voice, never kind of in a difficult moment, never having an argument, or do they have some challenges that require some degree of counseling? It turns out that we did not connect those three looks into kind of the work environment. NSA in May of 2012, a year before he came out, had a workplace incident, right? There are lots of workplace incidents. There’s no harm, there’s no shame in that in the longer term. But clearly a person who was at odds with the local environment, that was not tied to the IT environment that said, this person who’s got perhaps some kind of issues in his personnel file is somebody who has extraordinary privileges in the IT environment. Maybe we should turn up the focus on that just to make sure that those privileges aren’t abused? And it turns out that Edward Snowden would show up at other campuses in the Hawaii complex. NSA has multiple campuses there. He’d show up at other campuses at odd times of the day. Anyone’s authorized to do that, but he wouldn’t log on.
Why would a contractor show up at a campus and not log on? You don’t go there for the food. It turns out what was going on was Edward Snowden had borrowed, the credentials of other system administrators, so he’d show up at those places and he’d sign on as somebody else. But we didn’t map that physical access to the IT access to say, Are these congruent? Do they make sense? If we’d done that, we would have seen, a), there’s a person who has some personnel issues. Let’s tip and cue the IT system (to alert) when the IT system doesn’t match what he’s doing on the physical campus. There are other members of the system administrator community who don’t show up on the campus, but they log on. How is that possible? If you don’t reconcile those three different looks into that space, you’re kind of then creating scenes that someone who’s clever, Edward Snowden’s quite clever, can take advantage of. You know, one description of him in the 2014-15-16 timeframe, which I recall, which is quite accurate, is that he was low and slow.
He knew what the thresholds were and he lived below those thresholds such that he never actually crossed kind an explicit threshold within the IT or the physical or the HR environment. But if you looked and cross correlated those, you would have said, “This doesn’t look right, doesn’t smell right.” You probably would have found him kind of in the longer term of that. And then the last thing, which we already talked about, is that understanding that the American public was inherently suspicious of any government organization and NSA was more than any government organization, was this legendary organization that would kind of cut into other people’s secrets, presumably. And in my case, I would say, kind of foreign secrets that are materially relevant to foreign intelligence kind of needs. But that suspicion has to be addressed not in arrears, but upfront, right? And NSA assumed that having made its full representation to the Foreign Intelligence Surveillance Court, judiciary, to the executive branch overseers, and to Congress in the form of the oversight committees, we said, “We’re done. We don’t need to tell the American public anything more about what we do. They will take full and fair kind of confidence from the affirmations of those three parties that everything’s fine.”
That’s not the way it works in America today. And so I would say my kind of reversing all of that, if you’re an enterprise CISO or an enterprise kind of risk officer, you need to first and foremost say, “If somebody can tell a story about you that is interesting, titillating, malignant about something you do, they can describe it in a way that’s untrue but nonetheless will have some traction.”
You need to tell that story first. If you’ve not reconciled all the facets of your security to the common kind of aspect of is there something, some entity that can abuse privilege inside your system, reconcile those. And if there’s something about how you treat your workforce that might make them feel like their first obligation is not to you in terms of work matters but to somebody else, then deal with that. Either don’t hire them in the first place, bring them in because you can’t meet that standard, or actually address it by actually enculturating them and saying, hey look, I’m gonna treat you with respect, I hope that you will treat me with respect in reverse. Those are mistakes that I, looking over my shoulder, would say that NSA made. We never violated the law, as far as I know, and as far as I can testify, but those are mistakes all the same that caused enormous harm to us in the period of time.
DR’s Becky Bracken: This is still such a fascinating story 13 years later. It hasn’t really lost any of its mojo, I have to say. There’s still a lot we can learn from it. I also want to take a minute to talk about your upcoming documentary that you are in, Midnight in the War Room, a documentary on cyber war. Now this is slated to premiere at Black Hat USA this year on Aug. 5. Can you tell us a little about what we can expect to get out of the documentary?
Chris Inglis: I’ll tell you three things. One, it’s centered on the human aspect of defending digital infrastructure, what we might otherwise call cyberspace, and principally through the lens of CISOs, chief information security officers, those dear sweet souls who daily labor to figure out how do we defend business viability, kind of personal aspirations, all the things that are dependent upon digital infrastructure. So that’s the first point.
The second is that it’s told through the lens of everybody that’s involved in that. I’ve got a very small part in it. Jen Easterly’s got a small part in it. Some number of CISOs have a large part on it and some number of kind of once and former hackers, people who say, “Look, this is what I did to the system. This is how I thought about that.”
So I think it’s a really interesting story told from the ground up as opposed to from a moderator’s perspective, top down. The third is, is that it’s a public service activity funded by Semperis organization. And so kudos to them for creating this documentary.
It’s about a year and a half in the making, should be released at or around the time of Black Hat. And I’m really looking forward to seeing it elevate the role of the CISO who most of us, myself perhaps excluded, I know you’re excluded, but most of us think about the CISO only when things go wrong, as opposed to thanking our lucky stars every day when things go right, that there’s somebody back there who’s actually making sure that the trains run on time.
DR’s Becky Bracken: Well, you are absolutely preaching to the choir. CISOs are our, those are our people. And so we will be keeping a very close eye on this documentary’s rollout and report back to our listeners. Chris Inglis, thank you so much for joining us today. I learned so much that I didn’t even know I didn’t know. And I really appreciate you applying that to sort of the current modern conundrum many of our enterprise CISOs and leadership finds themselves in. Thank you so much.
Chris Inglis: Thank you, Becky. Thanks for the time and thanks for serving a community that matters greatly. All the best. Take care. Bye.
