13 August 2023

A Front Row View of the NSA: Reflections from General Paul M. Nakasone


Seth G. Jones: It is our distinct honor today to host General Paul Nakasone, who all of you know has had an illustrious career as the dual-hatted lead of both U.S. Cyber Command and the National Security Agency. Following General Nakasone’s fireside chat, Glenn Gerstell, who I’ll mention in a moment, will lead a panel discussion between April Doss, NSA general counsel, and Tom Bossert, former homeland security advisor in the last administration on 702 reauthorization. There will also be a question and answer discussion after that session.

So, Glenn, I will hand this over to you. Glenn served as general counsel of the National Security Agency and Central Security Service from 2015 to 2020. Glenn, it is a great honor that you have joined us at CSIS. So I will turn the floor over to you. Thanks.

Glenn Gerstell: Thank you. Thank you, Dr. Jones. Thank you to CSIS. It’s a delight to be here. And, General, it’s a real honor to be on the stage with you. And for me, it’s a personal treat. You know, most of my former clients don’t want to have any further communication – (laughter) – so I appreciate your being an exception to that rule. So this is a genuine treat for me.

You became the director of NSA and the commander of CYBERCOM a little over five years ago. And before that, when I first had the pleasure of meeting you, you were the head of the Cyber National Mission Force and then head of Army Cyber. You went from being a one-star to a four-star in just six years, which is an impressive sign of how well-regarded you are. And I’d like to use that kind of five-year time period during your tenure at NSA as the framework for our discussion this morning by looking at some of the extraordinary technological changes that have transpired over that period, as well as a whirlwind of geopolitical events which have completely changed the scene, I think, from when you first took office. So – especially in the areas you’re responsible for.

So let’s, if I may, just start off by going back to the summer of 2018, May of ’18. You first became the director. I recall we had just months before reauthorized Section 702 of the Foreign Intelligence Surveillance Act, which I know you’re going to comment on. We were still thinking about what the Russians had done back in the 2016 elections. We were thinking about NSA dealing with the aftermath of the Snowden problems and the alleged Shadow Brokers, theft of tools, and so on. So there was a lot of turmoil going on. What was your sort of thought, now looking back? Looking back, what was your sort of first thoughts in the summer of ’18 when you – when you took office?

General Paul Nakasone: Well, so, Glenn, let me, just first of all, echo your thanks to CSIS, and certainly to Dr. Jones, and to President Hamre for hosting us today.

But in the way-back machine, summer of 2018, you have to back up a few months to the spring of 2018. I’m in my confirmation hearings in March. I come out of my confirmation hearings pretty well focused on the fact that we are going to have a safe and secure election in 2018 or they’re going to find a new director and new commander. And my sense is that after taking over on the 4th of May, the following week we’re already talking about the 2018 elections. How do we have a safe and secure election? How do we do that? How do we bring the command and the agency together? And so from there all the way to the 6th of November, and then beyond as the results are obviously confirmed, it’s all about the elections. You recall, the number-one priority at the agency and command, safe and secure elections.

That’s an interesting point, but I think the more important point is the fact that the midterm elections of 2018, the growth of the Russia Small Group, the ability for us to do this type of work sets the foundation for where the agency and the command are going to operate for the next five years. How is the dual hat going to function? Very, very closely between the command and the agency. How are we going to do new and innovative things such as hunt-forward operations, being able to send teams forward at the request of a government to hunt down those networks? How do we look at the private sector differently? How do we actually leverage this idea of, hey, the private sector has an incredible amount of power, and how do we do that? And then, obviously, the partnerships – the partnerships that form not only between the agency and the command, but the agency, command, and FBI; agency, command, CISA; agency, command, private sector? That’s all the summer of 2018. And so I think that that’s a really important piece. For me, as I think about it, it’s really the jumping-off point for where we’re going to go.

Mr. Gerstell: OK. So one big part of that, as you said, was – elections – was mostly, not totally, focused against the Russians because of what they were – what they did in the – interference in 2016. But you know, on the cybersecurity side, apart from the elections they were also and continue to be a very serious threat in the cybersecurity world, and I wondered how you think about that now. It seems like it – my sense is that many people feel we sort of got caught flat-footed with the SolarWinds intrusion, apparently by the Russian FSB. It took months for that to be detected. We’ve seen in the interim a wave of ransomware attacks coming from – evidently emanating from Eastern Europe and Russia. Some of that continues to this day. As you can just pick up every day’s news headlines, there’s new ransomware attacks. How do you think about the ways we need to counter the Russian cyber maliciousness in particular, apart from elections?

Gen. Nakasone: So I think that – and you mentioned SolarWinds. So I think the first thing I would say on SolarWinds is when you’re doing an intelligence operation, you never want to get caught. And they got caught. And so I think that should be perhaps the story that goes with SolarWinds.

But the other story is, hey, interestingly, the – you know, the CEO and the founder of Mandiant comes to our agency the Tuesday before Thanksgiving to have a discussion about what he’s seeing. It starts to formulate in our ideas this idea of, hey, maybe if we had an unclassified facility outside of our agency where the private sector and our agency can talk to people, wouldn’t that be powerful?

And the other thing that I would say is that it always comes back to what are the competitive advantages. What are the competitive advantages of our agency and command? Well, I think it begins with this idea of we operate outside the United States. It’s foreign intelligence. We have an understanding of what our adversaries are doing. And then how do we communicate that with the private sector?

This is the growth of the Cybersecurity Collaboration Center. This is the – that NSA has today, unclassified facility outside of our gates that’s engaging with over 400 different private-sector companies in the defense-industrial base.

And again, this idea is: How do we both give and get? Why do they talk to us? They talk to us because we have this incredible element of intelligence that comes from our work outside the United States, but they also talk to us for the fact that when they’re talking to one of our folks it’s not: Hey, hold on a second. Let me write this down and I’ll get someone that really understands. No, no, they’re talking to the experts, and that’s really powerful. And I think that that’s where we’ve been able to look at, you know, additions in, you know, abilities such as, you know, ransomware and zero days and supply chain, and being able to bring the power of what our agency and command does to address those.

Mr. Gerstell: OK. We’ll come back to Russia.

Let me spend a minute on China. It seems like in the intervening years China has to some extent taken center stage, at least in the cyber area. You know, we could talk about the decades of cyber theft, cyber-propelled disinformation, but just it seems like there’s been a little bit of a change. Maybe it’s just my impressionistic sense. In the last several months or year or so, there have – it seems like there’s almost a step up in the level of sophistication of the Chinese. We’ve seen reports about their allegedly hacking into the Japanese classified networks. That was a report of the Post on that. It sounds like there’s Chinese attribution to the Microsoft Outlook hacks that apparently led, apparently, to the emails of our secretary of commerce and our ambassador to Beijing being read by adversaries. Even more ominously, we’ve seen reports about apparent Chinese infiltration into infrastructure in Guam. So my sense is that maybe they’ve made a big step up and increase in their cyber sophistication. I wanted to ask you if that’s your perception or is my layman’s perception correct.

And there’s a lot of heated commentary about the spy balloon, et cetera, et cetera, and how we need to deal with the Chinese. But let me just put it bluntly: Are they – are they ahead of us in cyber and surveillance? Are they equal to us? How do you think about them, the Chinese, in this regard?

Gen. Nakasone: No.

Mr. Gerstell: OK. All right. That’s clear. (Laughter.)

Gen. Nakasone: No. But let me say this.

Mr. Gerstell: Do you want the next – you want the next question?

Gen. Nakasone: But no, here’s the piece, right? I mean, this is – I think this is to your really good lead-in here, which is there is a scope-scale sophistication that we ascribe to what China is doing today. Are they getting better? Yes.

But I think the question always comes back to us. As we think about this, how do we address it and what are our competitive advantages against a nation that has so much scope, so much scale, and increasing sophistication?

I think it begins with this idea of our competitive advantages are, first of all, being able to understand what our adversary is doing. You mentioned intelligence gathering. You mentioned this idea of, you know, utilizing different capabilities to spy on us. Certainly, we have to address this. I am very concerned, and we are addressing the issues that we made public in May of this past spring about China living off the land, this idea of positioning themselves in different critical infrastructure elements of the United States, our allies, our territories, to perhaps utilize in the future.

Why are they doing that? Why are they in our critical infrastructure? So that’s the thing that we’re addressing today.

Mr. Gerstell: Can I interrupt? Is your sense that perhaps the Chinese are infiltrating some of our infrastructure networks not only for surveillance but, in essence, for positioning themselves to do future malevolent actions such as taking down networks? They’d want to be in that position if they needed to –

Gen. Nakasone: So, certainly, what, Glenn, we have said is that there is an option that provides the Chinese against, you know, many different scenarios and if you’re in our critical infrastructure it’s not to collect intelligence, it’s our view, and so we want to make sure we’re addressing that and we’re doing that today.

But I think the other piece that we have to think about is – so, clearly, if it’s not just the ability for us to understand what our adversaries are doing I think the other piece that is our huge advantage is the private sector. I mean, this is what we’ve learned from Russia-Ukraine. Being able to leverage the private sector, being able to work with the private sector, being able to understand what the private sector is doing is tremendously important.

And the other piece is we have a global set of partnerships. We have a global set of partnerships that allow us a look throughout the world, allows us a series of like-minded nations to be able to address actions such as these. This is something that is truly a competitive advantage for us and this is what we are utilizing today to address some of the issues that you’ve just highlighted there.

Mr. Gerstell: Let me maybe turn the question around and ask something. Not to put you on the spot but how confident are we, given the technical sophistication of the Chinese hackers – how confident are we that our own classified networks for which you are the national manager under statute and executive order – you’re responsible for the Pentagon’s classified networks, defense contractors’ classified networks – that’s your responsibility. How confident are we that our classified networks have not been infiltrated, they haven’t been compromised, and maybe you can comment on how would we know if that’s happened?

Gen. Nakasone: So confident and vigilant, and I think those two are very, very important words. It’s not confident that it’s just we’re confident. It’s confident we have a vigilance every single day that we’re looking and making sure that our classified networks, the networks that are responsible for our most sensitive communications or the operations of our most lethal weapon systems, that they’re assured, that there is an integrity there.

You spoke about my responsibilities as the national manager under my role as the director of National Security Agency. I’m also responsible for the DOD Information Network, so both the classified and unclassified networks in my role as commander of U.S. Cyber Command.

So an example of what we’re doing is how do you work with different combatant commands to keep this vigilance alive. We learned this in Ukraine. Why is it that we’re able to share intelligence so effectively with a partner? Because we set the theater, being able to understand that what we’re going to share has to be protected.

The other piece is that I would come back to this idea of Hunt Forward Operations. It’s the fall of 2018 and we have a really intriguing idea bubbling up from the bottom, folks that are saying, hey, wouldn’t it be really interesting if we sent a team at the request of a foreign country to hunt on their networks at the request of a foreign network. Hey, please come. Help us look at what’s happening on our networks. If you find malware, if you find, you know, tradecraft, if you find some other areas that you think are concerning we want to be able to publicize that.

One of the first places we go 2018 Ukraine. Following Ukraine four other times. The fourth time, the 3rd of December 2021 with a team of about 19 Marines and soldiers go back to Ukraine to Hunt Forward Operations. So this is the piece of vigilance that’s really important. We don’t necessarily believe it because we think it. We believe it because we test it. We exercise it. It’s the whole idea of being persistently engaged on our adversaries.

Mr. Gerstell: Good. OK.

Well, let me maybe take a step back, but still on China for a second, more broadly than just cyber. You know, obviously when – again, when you took office five years ago, while China was very much perceived as a threat, it perhaps didn’t have the same level of intensity now, including partly because of the sort of political focus on it these days. Everything from Chairman Gallagher’s committee in the House, which is newly created to address the perceived threat of China, but you just pick up any op-ed today or every think tank conference seems to very much focused on the pacing threat presented by China, particularly in the area of other technologies, just beyond cyber.

How do you think about that? Because obviously the – both Cyber Command and the agency deal with some of these advanced technologies – artificial intelligence, quantum, et cetera, the threat of potential threats to our encryption, for which you are also responsible since you both make and break codes. Can you comment on some of this? Are we thinking about this the right way in terms of China as a threat? How do we need to address this more broadly?

Gen. Nakasone: I highlighted 2018 as kind of a big year for, I think, the department in looking at cyber. I think 2021 is the inflection point for our nation in cyber. And I think about it, you mentioned, you know, the beginning of 2021 with SolarWinds. But remember what 2021 was like for us as a nation. It’s SolarWinds. It’s Microsoft hacking in March. It’s Colonial Pipeline in May. It’s JBS and Kaseya by the summer. In one year, nine months really, we have supply chain, we have ransomware, we have zero-day attacks.

It was the point in time, I think at least for myself and for our agency and command, cybersecurity is national security. That’s a big year. And I think that that – from that year forward we think differently. I think the nation thinks differently. We have a number of different abilities now I think that we didn’t have before. We have partnerships that have been developed. And so when you say, how do you think about it? I begin with this idea that 2021 sets the foundation for us to go forward. How do we ensure that we bring quantum-resistant encryption to bear for our nation, as is directed by National Security Memorandum 10? How do we think about defending our national security systems differently? How do we work with the private sector?

2021 leads into 2022. And I think you know, if we talk about Russia-Ukraine, one of the things that I’ll certainly highlight is the fact that we’re learning in 2018 and 2021 we have to be engaged with the private sector. The private sector gives us the ability to address, again, the piece that we talked about previously, an adversary’s scope, scale, and sophistication. Doing it with a series of partners, with a very, very focused strategy, it pays off.

Mr. Gerstell: So could I summarize by saying you don’t think the Chinese threat in these areas is being hyped? You think it’s something we very much need to continue to focus on? Or do you think there’s some excess hysteria –

Gen. Nakasone: China is the pacing challenge of our nation. It is the generational challenge that we will address, our children will address, our grandchildren are going to address. We see it across the major lines of, you know, national power. And they’re diplomatic, information, military, and economic. It’s different than adversaries that I’ve seen in my three decades-plus of service in the Army. You know, we – you know, when I came in, it was the Soviet Union. But I don’t remember anyone ever saying, boy, I hope they don’t bring the cars from the Soviet Union to sell them in Detroit, right? That wasn’t one of the things we were thinking about. We were thinking about a military component.

Now we think about many, many different components of national power. And I think, you know, this is, again, where I think our agency has also pivoted, our command has pivoted, to think about, you know, how do we provide support to broader issues and competition? How do we empower the – you know, the elements of national power that our agency has? Maybe it’s in Commerce or in Treasury. But these are all critical elements that we are working towards today.

Mr. Gerstell: Yeah, well, I know you’ve talked before about how this sort of has – partly due to technology, but also geopolitical events and, as you said, the pacing threat of China – the aperture of national security has expanded. So NSA, therefore, is focused on a much wider array of threats than before, obviously. So I know you’ve commented on that too.

Let’s go back to Russia. You mentioned just a second ago the Ukraine war again. I know we’re bouncing back and forth, but these are two big topics. So what’s your – what lessons have you learned from the Ukraine conflict? I know you get asked that question a lot but, again, from the perspective now several years watching this. The war has now obviously now gone on for well over a year, a year and a half. And could you comment in particular from an intelligence perspective on the role of open-source information that’s been so important to this area? The role of declassifying information at the beginning of this? Not something that the U.S. intelligence community has previously done. What lessons have you learned from an intelligence perspective on this?

Gen. Nakasone: Yeah. I think, you know, a lot of times when they ask what have you learned from Russia-Ukraine, I’ve talked a little bit about the preparation and what Hunt Forward does. I talked about the private sector, in terms of what private sector can bring. But let’s talk about public information, right? And I think a brilliant decision by, obviously, the president, the director of national intelligence, how do we take some of our most sensitive information and share it with our allies, and share it with the public? What does it do?

At the end of the day, I think it does three things. First of all, it builds coalition for us. Secondly, it disrupts an adversary. Russia has never been the same since the fall of 2021, when we called out what they were doing. And the final thing it does is it enables a partner. Every single day, the work that’s being done to provide information to Ukraine. This is tremendously powerful. And I think, you know, even our National Security Strategy talks about this idea of, you know, inherent national strengths of the intelligence community. We think differently about it now, in terms of how do we take the information that we’ve collected, the intelligence that we’ve produced, and how do we protect the sources and methods, and then somehow be able to utilize that and share it.

It comes back to what we were learning even in the summer of 2018, in the Russia Small Group. Boy, if you can have an ability to garner this information – you know, a lot of the things that we classify we don’t classify for what it is, but how we – how we obtain it. So if someone else obtains it, isn’t that powerful to be able to tell that story? I think we’ve done a very, very good job as an intelligence community of doing that. I would also tell you, if you would have came to me in the summer of 2018 and said, hey, General, we’re going to consider our most sensitive intelligence and we’re going to have it released this fall, I probably would have been looking for a new general counsel, is my thought. (Laughter.)

Mr. Gerstell: Exactly. Exactly. That’s why I didn’t go into your office with that question. (Laughter.) But, yes, again, another remarkable change in just a relatively short period of time.

I mentioned at the beginning of this talk how just after you took office the Congress had reauthorized Section 702. I was – I had the privilege of being in office the year before you, and at the agency. And I recall how very involved the agency was in that, in a technical sense of supplying information and briefing Congress, et cetera. Obviously, the political decisions were made by the administration at the time. But 702 was – has been passed, the Foreign Intelligence Surveillance Act provision that allows the targeting of foreigners overseas. It was passed since 2008, with declining majorities in Congress.

It’s now up for renewal at the end of December, this December. I presume it’s on your list of – on your to-do list of things before you leave the office. It plays such a critical role. I don’t know what the percentage is, some 50-60 percent of the president’s daily brief is attributable to 702. I’ve seen statistics about that. You can probably correct me. It’s critical to all of the wide aperture of national security issues that we just talked about. As Congress considers this, what would – if Congress was here and you had the privilege of addressing them, what would you ask Congress to think about as they consider this reauthorization process?

Gen. Nakasone: You know, Glenn, I really begin with the idea of 702 is perhaps our most important authority, that we utilize day in and day out. It provides us an agility to do so much of what we need to do to provide insights to policymakers and warning to our military commanders. But here are the things that I would emphasize. First of all, 702 saves lives and protects the homeland. Saves lives and protects the homeland. 702 allowed us to provide information on Chinese precursor chemicals that are being utilized to synthesize into fentanyl. It allows us to be able to block some of the international shipments of these chemicals into the United States, saving lives.

Protect the homeland. I talked about Colonial Pipeline in the spring of 2021. 702, essential for us to understand how we need to react and be able to utilize a series of actions as Colonial Pipeline is taking place.

Second thing is that I would emphasize to everyone is this idea that it’s not just national security or civil liberties and privacy. It’s national security and civil liberties and privacy. That is a culture at the National Security Agency. That’s a culture in our intelligence community that is so important. It’s an “and” statement. How do I know it’s an “and” statement? I know it’s an “and” statement because from the director all the way down to people that handle this data, everyone gets trained on it. There’s a culture of compliance at our agency. Seventy-seven percent of our employees in a recent survey said among the most important cultures is compliance.

The next thing is that we have a series of legislative, executive, and judicial oversight of what we do. Ninety-nine percent rating in terms of our ability to utilize 702 lawfully. That’s the latest look at what we’re doing.

And the final piece is that at the end of the day we have become much more transparent, I believe, in terms of talking about this. The Presidential Intelligence Advisory Board talked about the fact that this authority is among the, you know, most-publicized authorities that we have across the world, and I think that’s an important piece.

And the last thing I would say with regards to 702 is there is an important role in 702 for all of the intelligence community members, to include the FBI. The FBI has, obviously, the authorities and the focus inside the United States. Being able to provide intelligence that allows them to do their counterintelligence mission, that allows them to be able to address cybersecurity issues is essential for us.

And so for me, you know, hard to imagine anything right now that’s more important than being able to ensure that 702 gets reauthorized.

Mr. Gerstell: And if it didn’t and it lapsed for some reason, Congress couldn’t come to agreement on it, what’s – what’s left in terms of your statutory abilities? I don’t mean in a legal sense, but I mean in an operational sense.

Gen. Nakasone: There’s less capability for us. I think – I think there is clearly, you know, a national security impact if it isn’t reauthorized. And so it’s an important authority that it gets reauthorized.

Mr. Gerstell: Right, right, right. And on the legal side, I know just that there is no other legal substitute for the ability to compel U.S. communications providers, so at a minimum to produce this information. So there is definitely a legal gap as well as, far more important, the operational gap. So we’ll see how that unfolds over the next several months.

I guess we’re coming up on the end of time here, so – because we have a panel discussion after this. Maybe we can move away from some of these more gloomy threats and just talk a little bit about the future and solutions and end on that note. And I’d like to ask you to expand on some of the comments you’ve made about partnerships and leveraging the ability of the agency’s – the agency’s own authorities. Can you just talk a little more about how you’re setting the agency up both – to succeed in the future, both in terms of the people – recruiting and retaining people within the agency; you’ve touched on that a little bit – and then more importantly or equally importantly outside the agency? You mentioned partnerships in the private sector, other countries that we rely on. So there’s a lot of effort here focused on both internal people and people externally as a way of leveraging your position. I recall the motto on the inside of NSA. One of the things emblazoned on the hallways there is “Defend the Nation.” And how do you – how do you see the agency defending the nation with these challenges?

Gen. Nakasone: So it’s “Defend the Nation, Secure the Future.”

Mr. Gerstell: Yeah.

Gen. Nakasone: And I think – when I think about those two pieces of it, you know, let’s talk a little bit about how we do that at our agency and the command.

So you mentioned people. We are in the midst of perhaps the largest growth in our agency’s history. You know, we’re going to hire over 3,000 folks this year. We’re going to hire probably half of our civilian workforce over the next five years because there is a tremendous demographic change with folks that had been hired in the late ’80s that had worked at our agency now becoming, obviously, retirement-eligible, and then a continued demand –

Mr. Gerstell: Sort of a bump in the Reagan years –

Gen. Nakasone: It is. Right.

Mr. Gerstell: – basically, that’s now reaching retirement. Yeah.

Gen. Nakasone: And so, you know, we are actively working to bring in the next generation of those that – those that will contribute to our national security.

But it’s not only the new hires, but it’s also folks across our agency and being able to get out and talk about it at the mid-career level: Hey, how about coming back to our agency? Or: How about taking a look at what’s going on? You know, it’s a tremendous opportunity for us to move forward.

We have an initiative called the Future-Ready Workforce that is looking at such things as: How do we onboard our personnel better? How do we take a look at well-being? How do we do hybrid work, you know, this idea of perhaps some that we do doesn’t always have to be done in a SCIF?

Mr. Gerstell: Sure, sure.

Gen. Nakasone: And then: How do we take a look at our leadership development? Those are critical components of what the agency has to do.

And then I would say is that, you know, coming back to the partnerships piece –

Mr. Gerstell: Can I interrupt for a second? And retention, how do you feel – is that – is that less of a problem these days or is still a problem, given the allure of the private sector?

Gen. Nakasone: So I think that, you know, if someone says, hey, what do you think about all the time, I think about our workforce all the time. How do we ensure that we recruit, we train, and we retain? Yes, there are a tremendous amount of competitive opportunities for people that work at our agency and command, and so that is a challenge for us and things that we have to be able to address.

The partnership piece. We’ve talked about artificial intelligence for quite some time. And as I think about artificial intelligence both for the agency and U.S. Cyber Command, it comes back to this idea of, you know, what’s our role in it? Well, I think our role is a couple.

One is the fact that we’ve used artificial intelligence and machine learning at our agency for many, many years. But you know, the generative models that have come, the large language model, provides us great opportunity not only on the signals intelligence side but also the cybersecurity side. How do we think differently about looking at a number of different data and being able to address them, you know, in a manner that continues to keep a human in the loop, that provides us safe and secure networks? We’re working through right now an artificial intelligence roadmap that looks at how do we engage with a series of different key private-sector companies to ensure that they understand first of all what we need, but also the idea that they’re targets, and ensuring that they understand that being able to protect their intellectual property is critically important in the environment that we live today.

So there are a number of things that keep us busy every single day, but I would tell you that, you know, we are, obviously, thought about I think day in and day out as an agency that has tremendous technology – the fastest computers, incredible ways upon which we make code and break code. But the true secret of what we do comes back to our people. It’s our talent. It’s our talent that thinks through the most challenging issues and being able to address solutions for the future. And so that’s how we’re going to defend the nation and secure the future.

Mr. Gerstell: OK. Well, speaking of the future, your successor has been nominated by the president and some confirmation hearings have been held, and hasn’t moved any further than that in the Senate. We won’t get into the politics of that at the moment. But at some point, your five-year – current five-year-plus tenure will come to an end. That’s been longer than usual, as a – as a reflection of the esteem in which you’ve been held. What’s next? Sleep, golf course – (laughter) – a big new job, CEO?

Gen. Nakasone: So my next is determining today what I have to do this afternoon –

Mr. Gerstell: OK.

Gen. Nakasone: – determining next week what has to be done in the following months. You know, I’m the director of NSA and the commander of U.S. Cyber Command until my successor has been confirmed by the Senate, and that’s my focus right now. But once I determine, you know, the future, I’ll make sure I come back and tell you, though, Glenn. (Laughter.)

Mr. Gerstell: All right, well – OK, well, as I said, secure the future is still part of that piece there. So, well, thank you so much. As I said at the beginning, this has been not only for me an honor and a treat, but I’m sure it’s been a treat for the entire audience both here in person and online. So thank you. Thank you for your service, your comments here today, and I wish you the best of luck. And I’m going to ask the audience to join me in thanking you again. (Applause.)

(Break.)

Mr. Gerstell: We’re just going to do a quick set change and then we’ll introduce the panel in one minute.

(Break.)

Mr. Gerstell: – having two wonderful former colleagues of mine here on the stage.

To my immediate left is someone – I think both are known to you, but Tom Bossert is the former homeland security adviser who served under both President Trump and previously had other roles under the Bush administration and is the current head of – the current president and CEO of Trinity Cybersecurity.

To my far left is – not in a political sense, necessarily, but position – is April Doss, whom I had the delightful pleasure of overlapping with when I was the general counsel and April was the assistant general counsel for intelligence having served as a lawyer at the agency for many years who then went into private practice, wrote a terrific book about who has cybersecurity – cyber data – who has your – “Cyber Privacy: Who Has Your Data and Why,” which is – which is a terrific read for those of you interested in furthering the topic so – and, obviously, now the current general counsel, my successor.

So what we’re going to do is spend about half an hour with a couple of questions to follow up on some of the topics General Nakasone talked about and then we will take questions from the audience. You can write them down and hand them to one of the CSIS people here.

And speaking of CSIS, let me just thank the institution again, in particular Devi Nair, who’s out here in the audience who did a terrific job organizing this. I also want to mention Suzanne Spaulding, who’s head of the Defending Democracy Project here, who was not able to attend but very much wanted to be as part of this panel but she was out of the – out of town.

So with that, let me get started. You know, I guess I can’t resist the temptation, April, to start with 702 since that’s what the general talked about and that’s a big focus for you. You’ve had the advantage of – somewhat like the general of having a period of time to assess this. When you were originally at NSA my own recollection – this predated my arrival – was that there were some points of tension and friction between the NSA and the Department of Justice over a number of things. The Foreign Intelligence Surveillance Court was occasionally critical of NSA’s use of the authority in some areas – not fundamentally but in certain areas but, again, don’t want to minimize it – and there were some points of contention.

My sense now is that that has essentially evaporated, in part because of some changes at NSA, which I’d like to ask you to talk more about, and some of the focus these days of the Foreign Intelligence Surveillance Court and the Department of Justice is much more on the FBI.

So could I ask you to sort of talk about that evolution, what’s happened in terms of compliance? The general talked about a culture of compliance. Can you sort of from the – because you were there at the sort of ground level implementing these changes. Can you talk about what’s new, what’s different, how you were able to turn some problems into a clear success?

April Doss: Yeah. Absolutely. And, Glenn, thank you. Let me add my thanks to CSIS for the opportunity to be here and it’s a pleasure to get to be here with you and Tom today.

So, you know, first, as we think about 702 I think the top line we have to start from is exactly what General Nakasone pointed to, which is the importance of the authority. From a national security perspective it is vital. It does save lives. It does protect the homeland.

There is 59 percent of reporting and the president’s daily brief sourced 702. I mean, it is – you cannot overstate the importance of it but, to your point, also cannot overstate the importance of that culture of compliance, of the really robust oversight that goes along with this program, and all of the – all of the measures that the government as a whole, certainly, including NSA have undertaken to build that trust and confidence with overseers.

And, you know, you asked about that history. And those of you who, you know, sort of very involved in tracking 702 at a detailed level certainly are aware that there’s been a great amount of transparency reporting released about 702.

So you can track back through all the years of the major opinions from the Foreign Intelligence Surveillance Court and you can read those opinions online at the ODNI website, with some redactions here and there as necessary for national security. But, nonetheless, these are declassified opinions and you can see the semiannual and the annual reports that are made to Congress and that are published every year, every half year describing compliance successes and failures.

And so what NSA certainly has done, what the government has done is really lean forward in this rather extraordinary way to show our homework, to show what we’re doing to be entrusted with this authority, how we’re managing it. And when I say it’s unprecedented, you know, it’s not my opinion or view necessarily. I mean, it is but the President’s Intelligence Advisory Board recently released a report on 702. It was a unanimous report that included a number of recommendations for further reforms to the program.

But in that report the PIAB talked about the fact that this is the most transparent surveillance program of any government in the world. The PIAB also talked about the fact that if it’s not renewed the lapse in that authority could prove to be the greatest intelligence failure that the U.S. has ever known. That’s the importance of it.

If you’ll permit me I want to say one more thing.

Mr. Gerstell: Sure.

Ms. Doss: It’s not often that I get to come to an event and do show and tell so I’m very excited about this. So this actually – for folks, again, who are interested in 702 if you go to the ODNI website – the Office of the Director of National Intelligence – there are a whole range of information products on that site that just are designed to explain what the authority is, how it’s used, how it’s overseen, what some of those mechanisms are.

So this happens to be the front cover of that. But, again, for people who are interested in delving more deeply into the topic I would really recommend those resources to you because I think it’s extraordinarily useful and, again, I think in terms of showing our homework I think that the U.S. is really leading the way in that regard.

Mr. Gerstell: The transparency has, obviously, been a big piece of it with an incredible amount of information released including in the annual statistical transparency reports, which are also on that website, were full of lots of statistics about how the authority is used, how other authorities are used, et cetera.

Before I go to Tom – and I do want to make sure we cover a couple other aspects of 702 with Tom – let me just ask you one issue that kept bubbling up when I was there, which is some of the privacy and civil liberties advocates understandably have been saying, gee, we just would like the sense of the scope of the number of U.S. people – U.S. persons – whose communications are picked up in the course of the absolutely lawful monitoring of the foreign targets. So when a foreign target – most foreign targets are busy talking to other foreign targets, of course. That’s, you know, an ISIS terrorist is talking to another ISIS terrorist, for example.

But, obviously, some of them you could envision – not that this is necessarily a 702 target but you can envision, for example, a Chinese spy located overseas who is trying to recruit an American, just taking a hypothetical example, well, there would be communications back and forth with that American potential victim and that might get caught up.

So some of those privacy and civil liberties advocates have said, we’d like a sense of just how many Americans’ communications are inadvertently picked up in this, and the intelligence community has – for years has said, we’re not going to tell you, not because we don’t want to tell you but we can’t tell you.

Can you elaborate a little more on that?

Ms. Doss: Yeah.

Mr. Gerstell: Because that continues to be an issue that’s percolating in the current debate.

Ms. Doss: Absolutely. It’s an important question and it’s a difficult area to really get a good grasp around.

So, first and foremost, I just want to sort of remind everybody that, you know, with respect to NSA’s foreign intelligence mission what we do is we stand at the shores of the nation and we look out, and with respect to the 702 authority in particular 702 only permits specified targeting of non-U.S. persons outside the U.S. who are reasonably believed to possess, communicate, or receive foreign intelligence information that is tied to a specific authorized intelligence purpose.

So all of the targeting under 702 is always in that context, non-U.S. persons outside the U.S. tied to a valid foreign intelligence purpose.

Mr. Gerstell: And can I interrupt you just – sorry, one more technical detail because some of the people in the audience may not know the details. In order to become a target, what’s the process? Does someone – does just an agent say let’s go after X, or how does it happen?

Ms. Doss: No, it’s a great question. So as a matter of fact that ties right back into our culture of compliance. So it’s a multi-layered process of review. General Nakasone talked about the annual training that everybody at NSA is required to receive and there’s very intensive training for people who work with 702 data and there’s competency testing required every year and that kind of thing.

And so initially what happens is an analyst who has reason to believe that a particular entity might be a suitable target does some research using non-702 kinds of sources and puts forward a target nomination that explains why they believe this is a non-U.S. person outside the U.S. reasonably believed to possess, communicate, or receive foreign intelligence that is tied to a valid intelligence priority and is tied to one of the court-approved certifications that define exactly how 702 can be used. So all of that has to be documented.

Once that’s submitted, then somebody else, another analyst who’s received the same kinds of training and has the same rigor, has to review it to assess whether or not they believe it meets that standard. Then a third level of review happens, all within the NSA, by a tasking adjudicator who gives it additional levels of scrutiny. And then all of the taskings that are done under 702 are subsequently reviewed by the Department of Justice, every single targeting sheet. And so there’s a really – there’s a tremendous amount of oversight, right.

Mr. Gerstell: Lots of layers. Anyway, I interrupted you on the U.S. person –

Ms. Doss: Right. So back to the U.S. person issue and incidental collection. So we stand at the shores of the nation. We look out. 702 is used to target non-U.S. persons overseas for foreign intelligence purposes. Sometimes in the course of that targeting our target may be in communication with a U.S. person. And this is called incidental collection. It’s a challenge that Congress has known to be a challenge, going back to the beginning days of FISA in 1978. And so we have a set of minimization procedures for how we handle that data. And this question of how to quantify it is something that, as you pointed out, civil liberties and privacy advocates have been very concerned about for quite some time, and understandably so.

NSA has made a number of efforts over the years to try to quantify that. It’s been an extraordinarily difficult challenge. And part of the reason is because it’s difficult to find a way to assess the U.S. person information in a way that is not itself privacy intrusive, right? If you think about – so it’s interesting. From an intelligence tradecraft perspective, there’s really a very strong alignment between what makes good tradecraft and what makes for good civil liberties and privacy protections, in the sense that what you really want to do is hone in on the information that is of most relevance. And that means the foreign intelligence.

So we have not yet cracked the code, if you will, on how to find – how to quantify that U.S. person information that’s incidentally collected without doing – taking actions that would, themselves, be intrusive on privacy. So as I’m sure you’re aware, there have been proposals from outside researchers. We absolutely welcome those proposals as, you know, there’s – as there is a continued shared interest, you know, just sort of across the community of people who are interested in 702, on how to do this better.

Mr. Gerstell: So, just because – putting it – maybe I’m putting words in your mouth. But when you come across an email of glenn@yahoo.com, we don’t necessarily know whether that’s a person in the U.S. or not. And that’s the problem.

Ms. Doss: That’s exactly right.

Mr. Gerstell: Anyway, all right, so that continues to be a big challenge. Tom, let me – I know that was a long description, but an important one, on some of the mechanics of 702.

Tom Bossert: I’m surrounded by lawyers. (Laughter.)

Mr. Gerstell: Exactly. And so I’m going to give you a nice, big, juicy, non-legal question. Which is: You had a, you know, really front-row seat on some of this legislative process, the political process, the administration trying to work with Congress to reauthorize Section 702. I recall our many conversations in 2017 leading up to this. Give us your perspective on where we are sort of in the congressional landscape. Obviously, this audience is sophisticated enough to know that the FBI is a very much center of concern in this area, not necessarily the NSA. Although, there’s still concerns about the entire intelligence community’s use of this authority. Is it going to get passed? What’s necessary? What are the main concerns and what are the likely solutions, if you have a sense of it? What’s your picture of the landscape? And how does it differ from 2017, most importantly?

Mr. Bossert: Well, I want to jump in on this. I have the most straightforward opinion on this matter in town, so it’ll be short.

Mr. Gerstell: OK.

Mr. Bossert: So I’ll start with how cool it is that we just watched the end of General Nakasone’s – close to the end of his tenure here on stage. I personally think he’s been a tremendous national treasure. And I can’t thank him enough. I can’t thank CSIS enough for having us all here, but I’m tickled that I get to be part of the – hopefully, what seems to be the exiting set of speeches that General Nakasone is going to deliver.

Mr. Gerstell: That, in part, depends on Senator Tuberville, of how long a period of time that is. (Laughs.)

Mr. Bossert: Well, the political machinations will work themselves out, and he’ll get himself to a place where he realizes how proud he can be.

I do want to say something to add to his timeline of importance. I agree with his assessment that 2018 was a very important year. But the seeds for 2018 were planted in 2017. And I don’t say that for self-interested reasons, although I was a part of planting those seeds. The idea of us creating a defend forward concept and giving him the policy, and the procedures, and the legal latitude to go out and execute against that, I thought were important. And to hear him confirm that five years later is something I would like to share with the audience.

So, secondly, I think – this dovetails with 702 – he pointed out that 2021 was an inflection – a big inflection year. He cited all the major attacks. He missed one. I think 2017 and NotPetya was probably the beginning of what he cited as a phenomena of cyber national security conflicts. But he was right in his assessment of all the big events that happened in 2021.

And note, for those people who are worried about the high volume of queries from the FBI on the 702-collected information in 2021 and 2022, that a lot of them were tied to the SolarWinds investigation. And I’m not sure if that’s ever really been fully drawn out as a point, but of course the largest cyberattack, with 18,000 victims, correlate with the FBI searching a lot of 702 information. I mean, you know, just to address the volume question. And then maybe I’ll come back and answer your first question.

Let me try something before I do that. Does that help with the volume? No? All right. How about this? Better? All right, that’s better.

702, I was somehow or another fortunate enough to be in the White House in charge of its passage in 2000 – or, helping coordinate its passage in 2008, and then again in 2017 for the 2018 slim victory. Slim victory. So before people think that this is different, this political debate, in 2008 the world distrusted American centralized authority. And we would never allow George Bush in the Patriot Act abusers to have such an authority. It was bad rhetoric, but it was coming from a place of public distrust of central authority. And in 2017, we saw the same thing. And in 2018, we ended up getting passage of this critical piece of legislation by a slim margin, a couple of votes in the Senate.

And so just to put it in perspective, I’m not worried about its passage. I’m predicting passage. And I want to explain why. I don’t buy any of the complaints. I don’t buy any of the concerns. I don’t even buy any of the premise of some of the questions that there needs to be better or different oversight or compliance cultures. All that exists already, and it’s getting better, and it’s demonstrable. And so for me, it’s based on misunderstanding. And the difficulty that I’m seeing right now in the political environment is people that have taken strident positions publicly that have now learned all the details having to now kind of square that peg. They have to figure out how they’re going to support this thing given the fact that they’ve said it’s the worst abuse ever.

And I think they’re going to get there. And I’ll tell you why. Because the guy that’s going to give them the top cover is the previous president. There’s a lot of distrust right now, and some of it well-placed, in the FBI, right? This is an abuse of other authorities, though, not the 702 authority. And President Trump, back at the time he was in office said I confused the two. FISA was abused, and so 702 must be bad. And he said, I don’t support 702. And he said, this is just bad people coming after me. And he went out and publicly said things that you would think would put him in a political bind.

And what did he end up doing? He’s given a roadmap to anybody that wants to support this towards the end of the year. He supported it. He signed it into law. And he put a tweet out saying I was wrong in my last tweet. Literally, and it went away. And so if they’re looking for political top cover, he’s given it to them. I guarantee you that there’s a trust problem that falls along party lines. It’s not entirely the right and it’s not entirely the left. It’s kind of an unholy marriage of the far left and the far right on some privacy issues.

But on this one, it seems to come down to the House, how many votes there are there. And there are people looking for kind of a political insight into whether they can vote yes for this thing and not be, you know, primaried or thrown out of office. And I’m telling you, there’s no other – there’s no other place to look than the fact that Donald Trump signed this thing into law. And he did it in a conversation with me based on a thoughtful recognition of how important this is, and how little these claims of abuse really merit attention, especially when compared to the value that this collected information yields every day in helping protect Americans – or, helping to protect American interests and allies.

So one other thing I’d add, it’s not just about a name, glenn@yahoo.com. Sometimes it’s an IP address. So you really don’t want the intelligence community digging into every IP address to figure out where it resolves in order to answer the question of how much information has been incidentally collected. So I’ll have more to talk about on this, but to me 702 is a straightforward question. And I’m probably the last guy standing in this town that thinks that it’s an absolute patriotic obligation for you to pass it in a straightforward reauthorization. And people that suggest otherwise don’t understand the implications of what they’re messing with.

Mr. Gerstell: Well, that was certainly very clear. So that’s good. (Laughter.) Not entirely sure all of Congress is going to agree with you, but I appreciate your position.

Mr. Bossert: The 9/11 Commission, the Webster Report after Fort Hood. Every sane, sensible authority that’s looked into how we can better protect America after big losses have said: Develop controls and systems like this. And General Nakasone, the least partisan human being you’ll ever meet in your life, just sat here and told you it saves lives on a regular basis. And all those things are because we take advantage of our national treasure, which is our private sector. Not because we’re using some, you know, weird government surveillance authority, but because we recognize that U.S. industry, 45 percent of the NASDAQ represented by these big tech companies, right, are kind of today’s Standard Oil. They’re today’s U.S. Steel. They are what makes the United States great. And we can utilize the fact that the rest of the world uses these platforms to track what our enemies are talking about.

You know, the one thing – let me put some data on this. I think it helps. We’re talking about targeted use of surveillance on foreign bad guys on foreign land. Remember that every time you say it somewhere in public, you’re all now deputized to make this argument for me. You’re talking about surveilling foreign bad guys on foreign land. If it’s a foreign bad guy on U.S. land, not doing it here. If you’re talking about a U.S. bad guy in foreign land, we’re not doing it. This authority is foreign bad guys on foreign land, OK? I think most people get that, but it needs to be repeated over and over again.

And the target list is probably somewhere around 35,000 targets. So we’re talking about our enemies. These are bad guys. And they’re not messing around. Of the billions of people on the planet, we’re talking about surveilling somewhere around 35,000 foreign bad guys on foreign land. Now, if they’re talking about me, or talking with Glenn, I think that’s relevant. I think that’s relevant. And I don’t think that that’s a violation. In fact, I know it’s not. The courts have over and over again said that that’s not some search. They’re not protected by our U.S. Constitution.

So don’t talk about warrants. That’s not a search. We’ve already lawfully collected information between bad guys, on bad land, you know, doing bad things to us. And for me, we’re only talking about volume. We’re only talking about volume. So does anybody know this story? Do you know how Benedict Arnold got caught? Do you know who Benedict Arnold is, our Revolutionary War, you know, he pulled off some patriotic, you know –

Audience Member: Of course, we do.

Mr. Bossert: Of course you do. All right. We captured the head of enemy intelligence. The good guys, the U.S., the Americans. We captured him. On his person, he had papers. We read them. Was there any violation of anyone’s rights in that situation? When we read those papers, we discovered that he was in correspondence with Benedict Arnold, not only to undermine our war effort but to assassinate General Washington. He was dimed out as a treasonous traitor right there, but nobody violated – even though this predates the Constitution. So but you understand my analogy here. Nobody was violating American rights there. That was righteous collection on a bad guy in a war. And we caught him in direct communications with one of our citizens doing bad things. And I’m all for it.

Mr. Gerstell: OK. Very clear. My own sense – I appreciate your comments. I agree with you, but I think the situation in Congress still remains a little uncertain. I think the Senate, my own sense – and I’ve been talking, just because of my interest in this area, to a number of members of Congress and their staffs, is that the Senate is probably more likely to feel comfortable in reauthorizing 702. The House a little less so. I think that’s where the most attention is going to be paid. And again, as we’ve talked about, it’s going to be heavily about the attitudes towards the FBI. There’s a – we’ve heard there’s a trust issue as well as 702 compliance issues, et cetera.

One thing – April, you mentioned the President’s Intelligence Advisory Board Report, which specifically said in an appendix that the NSA model and method of doing queries of the database was actually a model that the FBI should follow. And I think the FBI – and we’ll see how this unfolds in the congressional campaign here – has not – has not really made its case as well as it could have, not on the use of it – because I think most people understand the value of it – but on the scope of the reforms that they undertook after what was, frankly, several years of debate between the FBI and the Department of Justice on the nature of the authority to query the database to search for American names. That’s really the heart of the contention.

And some reforms were put in place by Director Wray at the end of ’21. They took effect over 2022. And the results only became apparent in ’23, when Director Wray and the Office of the Director of National Intelligence announced a dramatic drop – 90-odd percent drop – in the number of queries, searches of this database, precisely because the new rules were put in place. And so I think as that story gets more well-known among members of Congress about the scope of the FBI, I think that’ll take some of the heat out of this. There will still be some. My guess is – my own guess, Tom, is that – although the administration originally said they would like a straight reauthorization for either indefinite or at least for another five years, my guess is that Congress will go ahead with a reauthorization but probably with some amendments that curtail in some way the scope of the FBI’s authority in this area, perhaps merely by enshrining in statute their current regulations, which wouldn’t have an – which would not have an adverse operational effect; perhaps limiting the number of FBI employees who can do this.

So my sense is I hope the Congress will recognize what you both have said and what the general has said, which is the operational need for this should not be – should not be affected by the amendments. But again, it’s a political process. We’ll have to see how that goes.

We’ve got some questions –

Ms. Doss: Could I – yeah, let me just offer –

Mr. Gerstell: I want – yeah, sure. No, please. Yeah.

Ms. Doss: – yeah, just a little bit more clarity. You mentioned the PIAB report and their discussion of U.S. person queries. And you know, it is really important to note that – a couple of things, right?

Every U.S. person query that NSA does is reviewed by the Department of Justice. And 60 percent, roughly, of those queries are not natural persons. They’re not human beings, right? So you know, we’ve – to talk a little bit more about the value of 702 –

Mr. Bossert: Give you an example, what if you searched the name of a school that might be a target of an attack?

Ms. Doss: Exactly. Exactly. And that was – that was one of the examples in the PIAB report. If there is a foreign terrorist organization that is communicating about plans to launch an attack against a school in the United States and intelligence analysts then have a need to quickly find out what other information might be relevant to that threat, being able to search in that already-collected data – this isn’t new collection; it’s already-collected data – being able to search quickly using things like the name of that school would be considered a U.S. person query. So I think it’s just helpful in really kind of parsing out the details.

And I will just interject, Tom, I think that your number on targets I think is low. However, the latest numbers are available in all of that statistical transparency reporting just for clarity.

Mr. Gerstell: Thanks. Yeah, 246,000 last year, but – that’s the number.

Ms. Doss: That’s right. So – but we’re –

Mr. Bossert: I’m a year out of date.

Mr. Gerstell: OK.

Ms. Doss: Yeah.

Mr. Bossert: My guess is – my guess is that a significant portion – that’s still a low number, and I still believe that – good points on the not just a person or a human. But a lot of that has to do with the scale and size of the cyber world, the reality that there are billions of IP addresses, there are significant numbers of email addresses and infrastructure associated with our target list. So fantastic point on why you can’t count and why the numbers are a little larger, but that’s still a pretty small number. So how much does the FBI get of that?

Ms. Doss: So the FBI gets about 3 percent of – access to about 3 percent of the data collected under 702. It varies from year to year. And again, those numbers are publicly reported.

Mr. Gerstell: It’s actually – it actually, last year, to your point –

Ms. Doss: 3.2 percent.

Mr. Gerstell: – about 3.2 percent, so about 7,900 of the total universe of 702 targets. About 7,900 of the foreign targets, these are people who are relevant to a fully predicated national security investigation. The FBI tells NSA, we want information about those, only those 7,900 in round numbers, and that’s all that goes to the FBI. And so all the remaining hundred-odd – I can’t do the math in my head – but 200-odd-thousand doesn’t go to the FBI.

Mr. Bossert: It’s relevant to those who haven’t studied the matter yet that have legitimate concerns – I didn’t mean to dismiss those people in Congress –

Mr. Gerstell: Yeah. Sure.

Mr. Bossert: – for them to be worried about this being used as a backdoor collection on Americans. You have to understand that it’s a targeted collection program on foreign bad guys that has a small scope. And then, when you realize that, you realize it’s a very unusual thing to think that could be used as a backdoor collection. For those that think it’s as massive, sweeping, ongoing collection that could turn into a backdoor, they need to understand those numbers.

Mr. Gerstell: Sure. We’ve got a lot of great questions, and I’m going to – I do want to get to some of them. I also was hoping we could talk about some of the other things General Nakasone raised, such as artificial intelligence, whatever. Maybe we can work it into one or two questions.

But I’m going to try to combine a couple of these really excellent questions. We could – we could be here for hours with some of these very thoughtful comments. This is probably a little bit for more – maybe more for April, but also, Tom, you’ll have a view, talking about the post-Schrems privacy regulations. So the European Union has been concerned about the scope of United States surveillance, mostly 702 but also surveillance conducted under other authorities, executive order authorities. And there’s been some back and forth over the years involving a famous court case involving Mr. Schrems, who initiated this against Facebook originally. Tom, I know you were involved. April, you’ve been involved. So what’s your thinking on the current state of relations in this area between the U.S. and Europe? And what should the U.S. be doing? What should we be thinking about?

I’m just looking at some of these other questions to see if I can tie them in here. How has – in particular, how has Snowden, which we commented on earlier, which was the source of some of the concerns in the Schrems case, impacted the geopolitical landscape of today?

So could both of – you both have perspectives on this. Could you just sort of comment on where we are on this privacy issue and the surveillance?

Ms. Doss: Yeah, absolutely. So, you know, as many folks who are here will know, the heart of those concerns that were raised in the Schrems litigation in the Court of Justice in the European Union was the concern that U.S. surveillance law focused on rights of U.S. persons and persons in the U.S. Now, this is typical. Most countries do this, frankly – provide some set of special protections to their own nationals and people within their borders. But this was of great concern to the European Union, particularly in a context of transborder data flows.

And so, as a result of those concerns and, you know, sort of a few iterations of programs to address it over the years – Safe Harbor and Privacy Shield – where we are now is with EO 14086, which was signed by the president in October and which articulates the set of conditions under which SIGINT can be done. And that is SIGINT under 702 but SIGINT – any other kind of SIGINT operational program as well. And what that says is that as a matter of government policy, the U.S. will afford to European – well, will afford to non-U.S. persons the same kinds of protections that are afforded to U.S. persons. And the assessment of who gets those protections is whether or not the governments have entered into an agreement. And so what we have seen now is that through these international negotiations between the U.S. and the European Union, following the signature of EO 14086 we now have an adequacy determination from the European Union saying that, yes, this framework of protections for EU persons is consistent with EU data protection law. And it includes things like a redress mechanism so that persons who are not U.S. people can come to – come to the government, the U.S. government, and complain to say we think we have been improperly surveilled, and there’s a mechanism for reviewing that complaint and considering it.

Mr. Gerstell: Can I interrupt you on that? And one of the comments that people have made is that U.S. citizens might not have that same right, and that – to contest surveillance because of standing issues, et cetera, in the U.S. So is there any sensitivity that we’re giving foreigners, potentially those in Europe if that agreement is concluded with the U.S., some rights that Americans don’t have? Is that something that –

Ms. Doss: I, obviously, can’t speak to, you know, sort of the policy, you know, kind of views on that.

Mr. Gerstell: OK. Sure, sure.

Ms. Doss: But what I can say, of course, is that, you know, U.S. persons are protected by the Constitution, by statute. And for example, in the context of a concern that perhaps surveillance might have been – made its way in some fashion into a criminal prosecution –

Mr. Gerstell: Right.

Ms. Doss: – which is the heart of the backdoor concern in many respects. There are mechanisms within the U.S. set of criminal procedures and laws to raise those concerns in that context. So it is different approaches to try to both provide for and protect the rights of U.S. persons and non-U.S. persons.

Mr. Gerstell: Right. OK.

Tom, your thoughts?

Mr. Bossert: I don’t know, I think – I think you’ve pretty much covered it there. I am worried about extending any rights and protections to non-Americans that Americans enjoy, because there’s a series of cascading consequences, if you think them through, that you won’t want in that world. But that’s not to say that privacy’s not important. Despite my stridence on 702, I take privacy very seriously on all of the rest of our collection authorities and all the rest of our law enforcement authorities. It’s just a 702 has somehow been, you know, thrown into, I think unfairly, that debate.

So nothing more to add on the privacy issue, except to say that – just a framing here. It seems as if – and this is a bit of a hyperbole – but the Europeans have assigned themselves the referees. You know, the United States has a lot of big players in the big data game that were kind of dominating the industry in terms of market share, size of companies, and innovation. That’s great. I think the Europeans realized they didn’t have any big players competing in that space, and so they’ve kind of assigned themselves as the referees on that field. And they’ve become the regulator, in a sense.

And I’m a little bit worried at times of this California emission standard, right? They’ll set a standard that’s very low, and they’ll impose the costs on all of us because the big companies can’t afford to build two different platforms, one that operates in one continent and one that operates in another. And so I watch some of these debates with some concern, that the privacy protections that we afford Americans creep into a form of distrust of big tech that’s hard to quantify. And in that regard, I would offer – I’m not the most trusting guy of big tech either – but I would rather have big U.S. tech given some latitude as opposed to the latitude being given to the Chinese and Russian authorities, who are absolutely going to abuse our data, absolutely going to abuse our rights, and absolutely do it without regard for what we consider to be some sense of, you know, righteousness or human fairness.

Mr. Gerstell: Yeah. Let me – again, lots of good questions. Let me close out. Some of the questions are about some of these newer technologies, mostly artificial intelligence. And let’s end on a sort of future note on that. Which is, April, can you talk a little bit about how the NSA is currently utilizing AI? Obviously, there have been lots of articles written about how AI has the potential to transform intelligence collection and reporting. It’s very important that that – I know the agency is already using it. What are the guidelines, guardrails they’re using? The current debate is all about that. Everything from data collection, including commercially available data, et cetera. Can you talk a little bit about that? And then, Tom, I’m going to come to you for just a sort of sense of how you feel we should be thinking about China in this regard, because the general talked about that.

Ms. Doss: Yeah, absolutely. So, Glenn, you might have seen the remarks that NSA’s Deputy Director George Barnes gave recently talking about NSA’s AI roadmap, a sort of work underway. And, to your point, yes, NSA has certainly used things like – has used AI technologies to assist with things like language translation, machine translation, that kind of thing for many years. And I think everybody recognizes not only that this is a fast-growing area of technology, but it is one that presents a number of threats from a national security perspective. And also, that the government and the intelligence community in particular need to be looking at how to make use of what’s best in it, how to make fair and ethical use of it that respects privacy and civil liberties, and has that built in.

So from an NSA perspective, you know, of course, what we’re looking to are things like the DOD guidance on ethical use of AI that came out in February of this year. We’re looking to the ODNI’s standards for the ethical use of AI. And so from an internal perspective as we work on things like that AI roadmap that Deputy Director Barnes talked about so recently, we’re making sure that we have compliance personnel and lawyers and our civil liberties and privacy team right in the mix of those conversations as they’re taking place.

Mr. Gerstell: Tom, your thoughts on – closing thoughts on sort of the AI race with China? And from your perspective as a serving of the prior administration?

Mr. Bossert: Yeah. AI is so profound. The effect it’s going to have is going to touch every aspect of our society. I think that’s an understatement. I don’t know how to overstate it. And so, from the fears of labor replacement, to the fears of privacy, and economic dominance, and so forth, the social distrust that could be sown by generative AI is terrifying. We can’t figure out what was written by whom, if it’s true, what images are real and not. So I think a lot of this is coming down to trust.

But as I look at the central issue of AI, it seems to be data and privacy. And, as I said earlier, the race is on for who’s going to get and use data. And it’s who owns the data? Is it your data? Is it mine? Is it the company whose platform you’re operating on? What rights do they have?

Mr. Gerstell: How do we make sure it isn’t poisoned?

Mr. Bossert: Well, poisoned data is an interesting thing. From a cybersecurity perspective, I’m worried about the particular issue of poisoning data in the fields of code generation with generative AI. If I were the bad guys right now, I would be intentionally training AI to give predictable and known code writing mistakes to the world of code writers right now that are out there taking shortcuts, so that I wouldn’t have a roadmap into the exploits they don’t even know they’ve put into their software yet. But that’s just another issue, right? And so I think it’s just going to accelerate everything we’ve talked about today. But the big question of the future will be whose data is it? Who gets to work on it? And it is a sort of a race with the Chinese, but it’s really a question of trust. Do we trust ourselves or do we distrust ourselves more than we fear our adversaries?

Mr. Gerstell: Obviously, this topic is one we could have many, many conferences on, let alone just spend the rest of the afternoon on. But we’re coming up to the end of our allotted time. So let me just simply close out on that AI point, just to show the rapidity with which sort of the level of acceleration that this debate has taken. I had occasion this morning, just in thinking about what we were talking about, to look at the Global Trends 2040 Report published by the Office of the Director of National Intelligence, which is a long-term lookout, that I guess was – came out in 2021. So it’s not quite two years old, 20 months old.

It has about two pages in it – and it was a very prescient, brilliant document trying to forecast future trends. It has two pages in it on AI, which says: AI is likely to be a problem. We will really keep a sharp eye on it. I’m understating a little bit, but it’s fascinating how it has become, of course, even in just 20 months, such a high level of conversation. So lots more to follow on that.

Anyway, we are up for time. We had a fabulous conversation with General Nakasone. An equally fabulous conversation with April Doss and Tom Bossert. So thank you again and thank you to the audience for joining us. (Applause.)
