WASHINGTON: The private sector — and the government — must “exhaust” the use of traditional responses such as public shaming, criminal charges, diplomatic demarches, and sanctions “before we contemplate the dangerous possibility we might encourage vigilantism,” the powerful deputy director of the National Security Agency says.

Chris Inglis offered a carefully balanced view of how the US should manage its responses to cyber theft and espionage to an audience of several hundred gathered for the rare chance to hear a senior NSA official speak in public.


“At the end of the day, we need to do more than take the slings and arrows that come our way, going into a fetal crouch,” he said yesterday morning. “At the same time, we don’t want to encourage vigilantism.”

I asked him if a shot across the bow — the Navy’s traditional way of telling a possible enemy to stop what it’s doing — was part of that repertoire and he dodged the question beautifully.

If you want a clear example of just how precise and careful this man is with language and policy, here is his response to a question about the always uneasy balance between NSA’s intelligence and warfighting missions.

“There is no tension in terms of the mission outcomes, though there is distinction in the effects we bring to bear,” he said, noting the long history of duality at NSA between code breakers and code makers. Making that duality physical, the two functions had long been housed in separate places.

On the issue of cyber legislation — while he didn’t mention the bill, it seemed clear he was talking about CISPA or a close relative — he said it’s necessary but, in keeping with long NSA policy, it must be done with a careful adherence to protecting an individual’s privacy. “There need to be controls in place to make sure we are doing it exactly right,” he said.

Finally, he offered his own variant of something Gen. Keith Alexander, the head of both NSA and Cyber Command, has been saying for quite a while: simple defense of cyber networks is not enough. Inglis compared this approach — used by the vast majority of Americans and businesses — to France’s magnificent and ultimately useless Maginot Line, a static line of defense that didn’t quite stretch far enough north to stop Hitler’s tanks.

“It’s almost impossible to achieve a static advantage in cyberspace – whether that’s a competitive advantage or a security advantage – when things change every minute of every hour of every day. And it’s not just the technology that changes; it’s the employment of that technology; the operations and practices,” Inglis said.

Current security practices at most companies and for most individuals rely on lists of malware and viruses. If a bad bit of code is spotted, then the attack is blocked. But that isn’t enough because attackers are launching attacks in depth, with attacks sometimes spread out across several years, originating from different servers and using different attack vectors. “If your security depends upon a static advantage and the static nature of compliance-based standards, your heart’s going to be broken on a fairly regular basis,” Inglis told the CSIS audience.


  • Guest

    You can help slow things down a lot if you started putting people like that military guy, I think his name was Bradley Manning (but I could be wrong), up against a wall with or without a blindfold and let the firing squad do what it does best.
    If nothing else he wouldn’t be repeating the offense. And it certainly might dissuade others from following him.
    Same goes for that Ft. Hood “Allahu Akbar” Muslim moron who killed unarmed military. (Actually, that should be dis-armed since they weren’t allowed to carry to protect themselves.) He should have been executed promptly and then been buried face-down in a coffin full of pig fat.
    Their having done nothing to the guy is just going to convince other traitorous Muslims to attempt the same thing. Considering how PC the military is becoming, I wouldn’t be surprised if it was successful as well.

    • Ricky Foos

      It’s funny how the radical right with all its exclamations of defending the U.S. Constitution is the first to want to forget it. Besides, Bradley Manning was just informing the American people about what is going on — what the military and the NSA fear the most.

      • Colin Clark

        Ricky, I am hardly the radical right yet I feel compelled to note that soldiers with security clearances pledge to protect that information — no matter how they feel about it. There are occasions when, in the face of evil or criminal actions or just really stupid decisions, that a soldier may come forward and tell the press or someone else without clearance about something. But to decide on his own that he can violate laws and policies to which he has given his solemn oath and written consent and share whatever he wants with the world is a fundamental breach of military discipline, let alone multiple violations of the law. Soldiers accept a loss of some personal freedoms to guarantee ours. That is part of their pledge to uphold and defend the Constitution and accept lawful orders. In the long run, Manning — if he’s guilty — may have helped show the world how much information is needlessly classified by our government. But I’m pretty sure it wasn’t his legal right to do so.

  • Brian

    When the NSA facility in Bluffton, UT gets up and running this year, Anonymous and other hackers using their code-breaking skills to push ideologies are going to find existence much harder to maintain.

  • underemployed

    It’s time to release the power of this country’s technologists. We are here, loyal and can do the job. No need for visas to reduce “costs.”

  • Hammer6

    Interesting. While the private sector can engage in “dynamic” defense, the implied message seems to be that the other dynamic option – offensive operations – is the preserve of the state.