WASHINGTON: The private sector — and the government — must “exhaust” the use of traditional responses such as public shaming, criminal charges, diplomatic demarches, and sanctions “before we contemplate the dangerous possibility we might encourage vigilantism,” the powerful deputy director of the National Security Agency says.

Chris Inglis offered an audience of several hundred gathered for the rare chance to hear a senior NSA official speak in public a carefully balanced view of how the US should manage its responses to cyber theft and espionage.


“At the end of the day, we need to do more than take the slings and arrows that come our way, going into a fetal crouch,” he said yesterday morning. “At the same time, we don’t want to encourage vigilantism.”

I asked him if a shot across the bow — the Navy’s traditional way of telling a possible enemy to stop what it’s doing — was part of that repertoire and he dodged the question beautifully.

If you want a clear example of just how precise and careful this man is with language and policy, here is his response to a question about the always uneasy balance between NSA’s intelligence and warfighting missions.

“There is no tension in terms of the mission outcomes, though there is distinction in the effects we bring to bear,” he said, noting the long history of duality at NSA between code breakers and code makers. That duality was once physical as well: the two functions had long been housed in separate places.

On the issue of cyber legislation — while he didn’t mention the bill, it seemed clear he was talking about CISPA or a close relative — he said it’s necessary but, in keeping with long NSA policy, it must be done with a careful adherence to protecting an individual’s privacy. “There need to be controls in place to make sure we are doing it exactly right,” he said.

Finally, he offered his own variant of something Gen. Keith Alexander, the head of both NSA and Cyber Command, has been saying for quite a while: simple defense of cyber networks is not enough. Inglis compared this approach — used by the vast majority of Americans and businesses — to France’s magnificent and ultimately useless Maginot Line, a static line of defense that didn’t quite stretch far enough north to stop Hitler’s tanks.

“It’s almost impossible to achieve a static advantage in cyberspace – whether that’s a competitive advantage or a security advantage – when things change every minute of every hour of every day. And it’s not just the technology that changes; it’s the employment of that technology; the operations and practices,” Inglis said.

Current security practices at most companies and for most individuals rely on lists of malware and viruses. If a bad bit of code is spotted, then the attack is blocked. But that isn’t enough because attackers are launching attacks in depth, with attacks sometimes spread out across several years, originating from different servers and using different attack vectors. “If your security depends upon a static advantage and the static nature of compliance-based standards, your heart’s going to be broken on a fairly regular basis,” Inglis told the CSIS audience.
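To make the point concrete, here is a small added illustration (it is not code from the article, from NSA, or from Inglis): a handful of constructed log events for a single workstation, spread over roughly two years, three different remote addresses, and five different vectors. A static "list of known-bad code" approach catches exactly one of them; a per-host correlation that looks across a long window and counts distinct intrusion stages and distinct sources flags the whole campaign, and stops flagging it when the window is shrunk to a month. The host names, addresses, stage labels and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry:
# (timestamp, target host, remote source, stage/vector, artifact name)
EVENTS = [
    ("2011-03-02T09:14:00", "ws-17", "203.0.113.5",  "phish",    "resume.doc"),
    ("2011-03-02T09:15:30", "ws-17", "203.0.113.5",  "download", "a.dll"),
    ("2012-07-19T22:03:10", "ws-17", "198.51.100.9", "exploit",  "pdfjs"),
    ("2013-01-08T03:41:00", "ws-17", "192.0.2.77",   "beacon",   "cfg.bin"),
    ("2013-01-08T03:42:00", "ws-17", "192.0.2.77",   "exfil",    "q1.zip"),
    ("2013-01-09T10:00:00", "ws-02", "203.0.113.5",  "phish",    "invoice.doc"),
]

# The only artifact our hypothetical "virus list" has a signature for.
KNOWN_BAD = {"a.dll"}


def static_block(events, known_bad=KNOWN_BAD):
    """The list-based approach: act only on events whose artifact is already known-bad."""
    return [e for e in events if e[4] in known_bad]


def correlate(events, window_days=730, min_stages=3, min_sources=2):
    """Per target host, look across a long window and flag hosts that show
    several distinct intrusion stages arriving from more than one source.
    No artifact has to be on any list for a host to be flagged."""
    by_host = defaultdict(list)
    for ts, host, src, stage, _artifact in events:
        by_host[host].append((datetime.fromisoformat(ts), src, stage))
    window = timedelta(days=window_days)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        # Slide a window forward from each event and score what falls inside it.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            stages = {e[2] for e in in_window}
            sources = {e[1] for e in in_window}
            if len(stages) >= min_stages and len(sources) >= min_sources:
                flagged[host] = {
                    "distinct_stages": len(stages),
                    "distinct_sources": len(sources),
                    "span_days": (in_window[-1][0] - start).days,
                }
                break
    return flagged


if __name__ == "__main__":
    print("static blocklist caught:", [e[4] for e in static_block(EVENTS)])
    print("two-year correlation flagged:", correlate(EVENTS))
    print("same correlation, 30-day window:", correlate(EVENTS, window_days=30))
```

The blocklist sees one file name it recognises and nothing else; the phishing lure, the exploit, the beacon and the exfiltration all pass because none of them is on the list. The correlation view catches the campaign only because it keeps state across years and across sources, which is the "non-static" posture the speech is arguing for; cut the window to 30 days and the same events look like unrelated noise again.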