Former National Security Agency Deputy Director Rick Ledgett weighed in on the veracity of the Intelligence Community’s assessment of Russian interference in the 2016 election as well as his experience in the aftermath of NSA leaker Edward Snowden’s reveals during a wide-ranging conversation at The Cipher Brief’s Georgetown Salon Series event on Wednesday night.
Ledgett, who retired in April, served as deputy director and senior civilian leader of the NSA and, prior to that role, led the NSA Media Leaks Task Force from June 2013 to January 2014. That meant he was responsible for overseeing the NSA’s efforts surrounding the investigation of Snowden.
Ledgett called it “in some ways the best job I ever had, in some ways the worst job I ever had.”
It was hard because of the impact on the agency and its employees, he said, especially with some of the press reporting he characterized as wrong or misconstrued. But, he said, it was “really good” in that the agency was able to spend time informing people about what work was actually done there.
“There’s never been an administration that had a better appreciation of what NSA did than the Obama administration,” he said. “I’m serious — we spent hours and hours and hours in the Sit [Situation] Room explaining it to people and answering questions and doing that.”
Snowden fled the country in 2013 after handing over a trove of classified information to media organizations, some of which revealed the agency’s data mining and surveillance programs that impacted American citizens’ privacy. The leaked documents also included information on U.S. monitoring of the phone calls of foreign heads of state, Chinese cyber espionage, and the existence of surveillance programs in other countries.
As Ledgett put it on Wednesday night, “NSA had a couple of bad incidents” in the insider threat space. He noted he talked to Director of National Intelligence Dan Coats and his deputy Susan Gordon last week about the insider threat problem and what NSA “has been doing to lock down its networks” in terms of physical, personnel, and IT security.
There’s a “balance point” that needs to be reached within the IC, particularly in three areas, he said.
Many potential employees will have other far more lucrative career opportunities, and “we need to figure out how do we get them to attach to our values, our mores, and our norms in a way that most of the insiders that I’m familiar with did not,” he said. The IC must also figure out how it monitors behavior “without being Orwellian, without having a drone hovering over their head or things like that,” Ledgett added. And the IC must also figure out how it can identify, early on, the “signs of someone who might be becoming an insider threat,” he said.
And all of those factors must also be weighed with the importance of not alienating the workforce, Ledgett noted.
Ledgett also addressed the Intelligence Community assessment that found Russian President Vladimir Putin had ordered a cyber and influence campaign aimed at interfering in the United States presidential election and boosting Donald Trump’s chances for victory. The assessment was drafted and coordinated by the CIA, FBI, and NSA, and Ledgett noted that he “personally looked at every single report” that went into the document and spent hours talking to the analysts who were part of the team.
“It was the Russian government. There is no question,” he said.
Russia’s election meddling provided a “really interesting look at cybersecurity and cyber writ large,” Ledgett noted, from the hacking of the DNC, to the weaponization of the emails, to the attacks against state election infrastructure. Then there is what he dubbed the “most interesting story” that emerged from this, which is “the impact of cyber on the traditional information operations and the use of news” and on how it shapes people’s opinions.
“And it’s starting to come out now in the Facebook story with the ads being bought by the Russians, the troll farms in Eastern Europe and Russia that were automated Facebook and Twitter feeds that were shaping what people saw. You think about how social media companies work when they have automated programs that look for training things and sort of maps that with your interests, the Russians did a really, really good job of using that and our respect for and belief in free speech against us,” he said.
During the question and answer portion of the evening, Ledgett was also highly critical of proposed congressional legislation, the Active Cyber Defense Certainty Act drafted by Rep. Tom Graves (R-GA), that would make it legal for victims of hacking to hack back against the attacker. Ledgett called it “maybe one of the worst ideas I’ve heard in a decade.”
That’s because companies get attribution wrong — every single time, according to Ledgett.
“Every time a private company has come to me in my cyber time and said, we’ve been hacked and we know who it is, they’ve been wrong. Every single time,” he said. “Because of that, you’re going to hack back against the wrong thing, most likely.”
Ledgett pointed out there are larger geopolitical concerns with the concept.
“The part that really concerns me is for those nations who view something like that as an act of war, I don’t want Disney deciding they’re going to hack back against a Russian organized criminal and starting a war with Russia. That’s bad. So that’s why I think it’s a horrible idea,” he said.
Broadly speaking, attribution is fundamentally an intelligence activity, while the decision to publicly disclose it is a political one, he noted. “Be short when you attribute, use precise language,” Ledgett advised.
“North Korea and Sony — dead solid certain. Russia and the DNC — dead solid certain,” he said.
Ledgett also discussed the recent ban on all Kaspersky Lab products for all federal civilian departments and agencies, calling it a “pretty solid case.” Officials of the 20-year-old Russian cybersecurity company are suspected of having ties to Russian intelligence services.
The information will not be made public because it is very sensitive, he said, but added that it has been going on for “a long time” in the IC.
There’s a lot of “nonsense in the press” on this, he said. “Eugene [Kaspersky, the CEO of the company] is saying, oh, you can review my code. Nope. That’s not the point. It’s not the code you put in the devices, it’s the fact you can command and control software implants in computers around the world, including government computers. That’s the issue.”
If Kaspersky really wanted to offer up a mitigation proposal that could work for the U.S. government, “say all of your updates will go through a government clearinghouse where they can look at them before they go, and all of the data that comes back to you can go through a government clearinghouse where they can look at it before it goes back.”
As for why this ban occurred now, rather than earlier, Ledgett said that “what happened was our understanding of the threat posed by Kaspersky, the connections, and their activities has evolved over time to the point where we were confident that this is something we need to do something about.”
Mackenzie Weinger is a national security reporter at The Cipher Brief.