Transparency has become part of the NSA mission, its GC says
Photo of Victor Li by Saverio Truglia.
The old joke about the National Security Agency was that it was so secretive and mysterious that it really stood for “No Such Agency.” So it might be a bit of a shock to the system to see the NSA spearheading a public relations campaign to promote greater transparency—or at least as much as an intelligence agency tasked with monitoring worldwide threats and conducting surveillance can.
NSA general counsel Glenn Gerstell is front and center of this effort. Gerstell joined the NSA in 2015 after nearly 40 years at Milbank, Tweed, Hadley & McCloy, serving as the firm’s managing partner for the Washington, D.C., office for 18 years. During his career at Milbank, Gerstell also enjoyed stints running the firm’s offices in Singapore and Hong Kong.
Recently, Gerstell did a Q-and-A with me. Here are excerpts of what he had to say about cybersecurity, technology and his job at the NSA.
Law Scribbler: You’d been at Milbank for nearly 40 years and were pretty high up there. What made you decide to leave and take the NSA post?
Gerstell: I’ve always had a lifelong interest in doing something in the public service arena, and in some ways the career of being a private sector lawyer sort of deferred my longtime goal for many, many years, partly because I very much enjoyed my private sector career. It was intellectually fascinating. It was enjoyable. I got to go around the world, work with fabulous clients on some really interesting projects all around the world. … So it was absolutely fascinating, and there was certainly no particular reason to leave until I woke up one day and realized that, you know, I’m going to be approaching our law firm’s mandatory retirement age of 65.
Law Scribbler: You’ve been doing a lot of writing, a lot of podcasts, a lot of articles. Is there a reason why you’ve taken such a public role? Is it related to what happened with Edward Snowden, or was that something that was always going to happen?
Gerstell: I think it’s all part of the agency’s desire to increase transparency generally, which is part of this administration’s—as well as prior administrations, but certainly this administration’s—effort, led by the Office of the Director of National Intelligence, to generally try to make some of the things we do a little more accessible to the public. … It was something that was going to happen anyway as the world moved more and more into great internet connectivity, with cybersecurity being increasingly a threat. It’s inevitable that one portion of our mission became increasingly public, so it’s no surprise that there is just a greater effort to be more transparent.
And I think that’s a good thing. I think the increased transparency and telling people more about what we do helps underscore the rule of law here and makes it more difficult, just for example, for something to be done incorrectly or inappropriately in the future by someone else who might come into positions of power, because the more the rules are known and the more things are public, the better off I think the country is, and certainly the agency is, so that everyone’s very clear on what our legal authorities are. And my job as the general counsel is to make sure that’s very clearly articulated, both internally as well as externally.
Law Scribbler: Law firms, obviously, have to be concerned about cybersecurity. Some major firms have fallen victim to cyberattacks. But are these attacks really that common? Or are they more of an existential threat?
Gerstell: I think what the NSA is aware of and what the United States government, generally, is aware of (as well as what legal industry groups are aware of) is the fact that there is an extensive series of ongoing cyberattacks almost literally every day conducted at all sectors of the economy, including law firms. I think most law firm chief security officers or information security officers would tell you that they see attempts to probe their network in one form or another literally every day. I definitely think law firms recognize that it’s a very substantial and ongoing threat.
Law Scribbler: What are the things that they should be doing to try to safeguard their information?
Gerstell: Well, I think there’s a lot of good information out there. … On the NSA’s website, we have information assurance techniques. Additionally, the Department of Homeland Security and various industry law firm groups all offer suggestions on good cyber hygiene, so to speak. So the information’s out there.
I think the challenge is twofold: One, at the end of the day, even if you do adopt all the patches and have all the right router configurations and firewalls and this and that for a law firm…we’re dealing with human beings. So every attorney who has a password is potentially a point of vulnerability. Every attorney who gets an email at their work is potentially vulnerable to a spear phishing campaign—again, no matter how wonderful the law firm’s cyber hygiene may be.
Law Scribbler: In your opinion, what are some misconceptions that people have about the NSA?
Gerstell: The reality is that the NSA is indeed a secret surveillance agency. And we need it to be that for our perfectly valid foreign intelligence mission. And the country wants us to help protect it and prevent against [attacks], whether it’s potential terrorist attacks here domestically or whether it’s foreign actions against our troops. … So we have a clear mission. In order to succeed at that mission, because of the bad actors out there, we can’t be completely public. We require secrecy to accomplish our mission to help keep America and its troops safe. And I think the public recognizes that. Obviously, just by having a level of secrecy and classification, there is going to be some tension, because the public would like to know more if possible, and we’re also carefully calibrating that. But I think our efforts at increased transparency are making in-roads in getting the public to understand why it’s necessary to have secrecy, and what the nature of our mission is.