Big Law Business is holding its inaugural Summit at the Apella in New York City. Below is a lightly edited transcript of key excerpts from the 3:20 p.m. interview between Rajesh De, former general counsel of the NSA and leader of Mayer Brown’s privacy and security practice, and Sam Rascoff, faculty director of the NYU Center on Law and Security.
(3:31 p.m.) Sam: What’s it like to be a lawyer in the NSA?
Rajesh: One thing that surprised me is the operational tempo. The office of general is about 100 lawyers or so. It provides advice on a range of issues, including cyberdefense. When I joined I received two completely contradictory pieces of advice: Don’t be concerned, everything you do is secret. Be concerned, everything you do is secret.
NSA is a highly regulated agency.
FISA is anything but a rubber stamp. They’re Article III judges and they control their world just like district court and appellate judges.
(3:40 p.m.) Sam: What’s your take on the Snowden revelations?
Rajesh: One of the great untold stories is the cost of the Snowden revelations. The actual operational harm is quite difficult to talk about openly. We saw counterterrorism targets making very specific reference to the Snowden material and changing the way they communicate.
There’s also diplomatic harm. One could say, well the government undertook those activities. It was one person who made the decision to disclose.
It’s hard to quantify this harm but I think the inflammatory nature in the way this played out really set back our discussion on cybersecurity. The more cybersecurity is falsely equated with surveillance and the falsely negative connotations isn’t helpful.
(3:44 p.m.) Sam: Who’s responsible for the Office of Personnel Management hacking?
Rajesh: This has personal consequences because I’m one of the people who got a notice in the mail that my information was obtained.
The patchwork of protections that were in place to protect this material seems to have been a relevant factor. The problem of legacy systems is one businesses are struggling with all the time.
(3:48 p.m.) Sam: If there’s one big theme it’s that public and private entities will have to collaborate to produce cybersecurity. What role is there for government to prevent cyber attacks?
Rajesh: That is definitely the issue of the day. I think there have been four stages to how the threat has evolved. Stage one: exploitation, stealing IP. That’s the equivalent to a mugging on the street, low-level. What I would call phase two: disruption. The sort of attacks we saw on Wall Street ... that basically impacted a number of banks, messed with their public interface. Phase three I would call destruction. The most famous was the attack on the Saudi Aramco company that wiped out 30,000 computers, all data wiped. The one we’re most familiar with is Sony. While most of what we read was about salacious emails, there were also a number of computers destroyed. Phase four, I would call manipulation. Fiddling around with what’s in a system so one’s no longer trustful of what’s in it.
That gets to the question of what role does government have in this. One role at NSA is providing information about threats. It also has a role in protecting communication systems in the government. Lastly, I was in a position of thinking through how we could assist investigations.
That’s the NSA. There are others.
Clearly, the primary responsibility is going to be with the private sector.