In Defense Of The NSA [ML B-Side]

The NSA is one of the world's most formidable and powerful intelligence agencies. Some people fear that the National Security Agency’s advanced capabilities would one day be directed inwards, instead of outwards. Are those fears justified? Is the NSA more dangerous than it is useful?
Nate Nelson spoke with Ira Winkler, who started his career at the NSA.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Ira Winkler

CISO, Skyline Technology Solutions

Ira Winkler is the author of the books "You Can Stop Stupid" and "Security Awareness for Dummies". Ira began his career at the National Security Agency, where he served in various roles as an Intelligence and Computer Systems Analyst.

In Defense Of The NSA

Transcription Editing By Dick Curtis

[Ran Levi] The NSA is one of the world’s most formidable intelligence agencies. Being that powerful, the sentiment towards the NSA in the US security community has always been mixed. Many feel pride in the NSA’s technological sophistication and successes, but there were always some people who feared that the National Security Agency’s advanced capabilities would one day be directed inwards instead of outwards. That negative sentiment can be attributed to the fact that many security professionals started their careers as hackers and thus may have strong anti-establishment notions.

But Edward Snowden’s leaked documents proved that at least some of these fears were justified. The NSA, it was revealed, was spying on US citizens as well as foreign nationals. Are those fears justified? Is the NSA more dangerous than it is useful?

Our guest today is Ira Winkler, who started his career in cybersecurity as an intelligence analyst at the NSA. Ira will try to disperse some of the thick fog surrounding the mysterious security agency. Who are the people working for the NSA? What kind of admission tests do they go through? And most importantly, how critical is the NSA to the US national security? And are those fears I mentioned earlier justified or not?
Ira spoke with Nate Nelson, our senior producer.
Enjoy the interview.

---

[Nate Nelson] Ira, if you could just start by briefly introducing yourself.

[Ira Winkler] Yeah, hi. My name’s Ira Winkler. I’m author of You Can Stop Stupid, CISO of Skyline Technology Solutions, and just been around cybersecurity way too long.

[Nate Nelson] Could you tell the listeners about your experience in government and then specifically with the NSA?

[Ira Winkler] Yeah. So what I can talk about was out of college, I took some tests and NSA said I had a lot of good abilities and what happened was I basically was offered a few positions. I took a job as an intelligence analyst, where I was working with the National Signals Intelligence Operations Center. And from there, I hated that job and I ended up taking a job as a computer intern where I got cross-trained as a computer systems intern at NSA and where I did a variety of different tours.

Things involve cryptanalysis, program management, configuration management, software testing and design, so direct support to military operations and a few other things and work there. Then I left NSA after seven, eight years or so and went to work for government contractors for a while where I was supporting NSA and other intelligence agencies and military agencies around the US and around the world.

[Nate Nelson] You know, every time I talk to someone who’s former NSA, you all mention that aptitude test. Is there anything else you could tell me about that test, what it is, how it works?

[Ira Winkler] So I think they call it the CQB, it’s public knowledge that anybody can publicly take. But what they do is it’s more like the way I found this test was I was going to the career office at Syracuse University where I got my undergraduate degree and I was waiting in the lobby to talk to a career counselor because I wanted to potentially go into the foreign service or something and figure out how to do that. And I saw this book that had a bunch of puzzles in it and I just started picking up and doing it. And then when I walked in and mentioned foreign service, he’s like, well, you know, here’s this. But he’s like, if you want to do that, maybe you should look at this, you know, NSA and, you know, there’s a book out there and if you kind of do a puzzle or two, maybe you want to consider the test. And I’m like, you mean this book?
And he’s like, yeah, I go, I finished them and he’s like, okay, take the test. They don’t tell you this, but they’re testing your spatial ability. For example, you know, there was one question I remember distinctly where it says chief one sends five messages by runner, two by boat, chief two sends 10 messages by boat, et cetera.

Then they ask a question like who’s the chief of the tribe, how many islands are there, how many tribes are there, et cetera, et cetera, et cetera. So that’s one type of test. Then there’s another test of a fake language. You know, if this is this, what would these words be? There was the mathematical part, which was fun, which had basically if you have XX plus XX, you know, over XX question mark, what’s the question mark as an example, you know, figure out missing mathematical calculations and so on. Anyway, that’s part of the test they take. There’s different tests if you’re coming in as a liberal arts major, which I was at the time, or you’re coming in as a technical person, but again, there’s more they’re more like cognitive psychological tests. And if you’re familiar with psychology, cognitive tests, it’s very similar to that. And the CIA offers them as well.

[Nate Nelson] Last thing about your time at the NSA, could you just, you know, what was the environment like in the office for you, at least, you know, to whatever extent you could tell me what kinds of people work at the NSA, because, you know, from the outside, this is kind of mysterious stuff.

[Ira Winkler] So I wrote in my first book, Corporate Espionage, that NSA is more the land of Dilbert than the land of Bond. You do have a few offices which are really, really cool. I’ll give you that. Most of it, though, are people who basically work nine to five. They get in there, they’re engineers, they work in crappy government office buildings. You know, it’s not like you’re walking like there is NSOC itself, the National SIGINT Operations Center. That’s really cool.

It is a, you know, center where you have lots of desks. It looks like a NASA mission control with lots of monitors on the wall and everything. But otherwise, you’re walking into a drab government office building for the most part, lots of cubicles. And you work there, you go to government workers, you can take nice long lunches. You have some of the smartest people in the world working there. You have some of the strangest people in the world working there. Then you have the bureaucrats that look like they should be that race of people at the Hitchhiker’s Guide to the Galaxy, where literally you try to do something, they want paperwork, they want something. You have, again, a stodgy organization that somehow manages to succeed despite itself.

So you got pretty much the gamut of, for the most part, a government bureaucracy with some really cool and smart people thrown in.

[Nate Nelson] All right. So let’s get to the point of this discussion. The main subject we’re talking about here is U.S. offensive cyber operations. Ira, could you give us a bit of an overview just to start off? What kinds of cyber offense has America been known to carry out in cyberspace? And also, you know, why do we do these things?

[Ira Winkler] Okay. So I’m going to say this, and let me be very clear. This is not from any personal knowledge. This is from an observer of everything you all could read, possibly with some flavor thrown in.

So NSA in its history, for example, there was going back a while, and this was famously reported, NSA and the CIA essentially acquired a Swiss cryptography company that sold crypto equipment to foreign governments. And they were able to, for example, put a back door in. It was a really famous coup of intelligence collection and things like that along the way. NSA has also been publicly credited with essentially hacking different government agencies around the world, doing a variety of different things, putting bugs into places and things like that over a period of time, having, you know, lasers to gather conversations and things to that effect and so on, you know, essentially spying on the world in whatever form it is. There’s the Equation Group, which people have attributed to NSA.

And you know, the Equation Group is essentially a group of, if it’s not NSA, they should pay homage to those people because those people are incredibly smart. They’ve intercepted equipment, they’ve gone ahead and, you know, basically modified chips and replaced chips into pieces of equipment and so on so that there’s back doors into a bunch of equipment that was shipped around the world. Theoretically, you had NSA involved in Stuxnet to a certain extent in supporting, you know, other people who might have done it, such as Israel, theoretically, if they actually did that and helping to go ahead, figure out how do you plant malware in what essentially is the closed network, which depending on how you look at it, involve the collection or interception of equipment or potentially working with a contractor, I think it was a Norwegian contractor or something like that, that was working with the appropriate Iranian research company that then was able to plant the malware into systems that then were delivered into the Natanz facility, the underground facility in Iran and been able to do that. Then I think you showed me the information regarding Cottonmouth and, you know, where you have USB plugs and things like that.

But those are more tools of espionage that would facilitate other on-site type of attacks. You have remote type of attacks, again, over periods of time that have been performed, intercepting cell phone signals and things to that effect. There’s a whole lot of things that if NSA, well, NSA is credited with doing that if they didn’t do, you’d be mad they weren’t doing as a taxpayer given all the money, such as tapping phone lines, satellite communications and so on.

[Ran Levi] Ira mentioned two interesting stories, one was Stuxnet and the other involved a Swiss company. I imagine most of our listeners are somewhat familiar with Stuxnet, the worm that attacked the Iranian uranium enrichment facility about 10 years ago. It’s an amazing story and we covered it in depth in our three-part series we did a while back, which you can find on our website, malicious.life.

The Swiss company story, however, is not that well known, so here’s the gist of it. Crypto AG was founded in Switzerland in 1952. It manufactured and sold a variety of encryption systems for radio, ethernet, phone and fax communications to many organizations and governments all over the world. In 1970, Crypto AG was secretly purchased by the CIA and a West German intelligence agency. Many, if not all of its products had embedded backdoors that allowed the CIA and the NSA to decrypt secret messages sent using these systems. This audacious operation went on for an amazingly long time, from 1970 to no less than 2018 when Crypto AG was finally dissolved. The US government’s involvement in the company was revealed in 2020 by the Washington Post. As I said earlier, this is just the gist of this amazing story and we’ll cover it in much more detail in a future episode of Malicious Life.

And now back to Ira and Nate.

[Nate Nelson] OK, can you expand on that last thought though? Why, as a taxpayer, would I want the NSA to be doing these kinds of things?

[Ira Winkler] You know, every so often when things are reported, everybody’s like, oh my god, how can you do something like this?
You know, for example, you know, I interviewed Pierre Marion, who was the former head of French Intelligence, the DGSE, back in 1995 or 6 for my book Corporate Espionage, and he’s like, everybody spies on everybody, it’s a given, we know it, it’s accepted. It’s just a matter of world affairs. You know, what would happen if the US was not spying on, for example, Russia and China?

I remember when the world was outraged at the NSA and the US government for not predicting the terrorist attack that happened in Paris back in 2016 or so. You know, and everybody was like, you know, why didn’t NSA tell us and warn us about this, you know, in the process, and all of a sudden France was complaining, or French citizens were complaining, why didn’t NSA tell us about a looming terrorist attack carried out by people living in France and Belgium? Like, OK, now NSA is expected to do this, but if NSA spies on a French citizen they get mad, but if they don’t spy on a citizen they get mad.

Likewise, in the US we need to understand what’s going on around the world regarding terrorism, regarding hostile governments, regarding people who are stealing US technologies and so on, and so you have a lot of that type of activity. We need to know what’s going on. We need to know when China or some other country has stolen US military data, as an example. If they potentially have access to the power grid, that’s something we really want to know, which they do, and that’s been well reported back almost for more than a decade at this point. So we expect NSA to have warnings and tell us what’s going on so we don’t have to worry about it, and so, and if they’re not doing that with the, you know, billions and billions of dollars that they theoretically get, there’s a problem.

[Nate Nelson] Right, but of course, when do you then draw the line in terms of what the US government should or shouldn’t do? I think we all assume that governments hack into one another, and their militaries maybe, but is it okay for the USA to hack into a foreign or domestic corporation or individual citizens in other countries, for example?

[Ira Winkler] So the answer would be theoretically, except not a US company. Frankly, a US, there are laws about this, and despite, you know, like obviously the whole Snowden thing is looming over this, but if the US does something, NSA never violated the actual law. NSA went through FISA to do whatever they wanted to theoretically do, so there was no violation of the law, just to be clear. When they needed access to something that might involve US people, they had to go through and say, look, this foreign person was talking to someone who happened to be inside the US, and that person, you know, this known foreign operative, this known terrorist, whatever it was, you know, we want to figure out what phone that person was talking to and see who they were talking to, theoretically, because that has potential foreign intelligence data. So now once they figure out is this actually a US citizen, they pass that on to somebody else like the FBI and say these people are talking to a known terrorist, as an example, and we follow the process through the legal system, which is how the work is supposed to be done.

And let me say, yes, there have been abuses, but the abuses you read about are far and few between. I mean, NSA doesn’t have this extensive resource base where they could just spy on a random person overseas at will. There has to be a justification put in place. Why would NSA want to look at that person? Why is there an interest in this one single person, theoretically, or why is there an interest in a company? Because, for example, if a company, you know, overseas company, is attempting to sell North Korea equipment that could facilitate their nuclear program, you want to know about that! You know, if there is an embargo around Iran, yes, you want to know if, for example, a German company is selling equipment to Iran and violating the, you know, embargo on Iran, if it’s still there. I frankly don’t know what’s there anymore on that front. Again, for the U.S. people, that shouldn’t be done, and if it is done, you know, talk to your congressman at the end of the day, because Congress has to pass laws that the president has to sign, and then usually, given the whole FISA thing, they have to then go, NSA then has to go to the FISA courts and say, hey, we want to do this. There’s a whole system of checks and balances, and if you don’t like that system of checks and balances, really the place to start is Congress at that point.

[Nate Nelson] Except the concern would be that the NSA, by its nature, is going to be working in secret until that secret is broken. I mean, I think that if you’re a Russian or a Chinese citizen or whomever, there’s sort of an assumption that the Kremlin or the CCP acts on its own accord, you know, independent of whatever you would want them to do as a citizen. But in this case, in our democracy, citizens are purported to at least have the, you know, the right and a little bit of insight into what their government agencies are doing, but not really for the NSA, right? So how will we know what’s going on, what we have to then complain about, as you say, if we don’t know about it in the first place?

[Ira Winkler] So, for example, the FISA laws and laws that say NSA is allowed to collect, you know, those are public. Those are like laws that are passed. And at a certain extent then, this sounds cliche, but if you’re really concerned that NSA is looking at you as a private citizen, you’re really, you know, really, what are you doing that you really think this? However, I will say again, there have been abuses in the past that have been well documented, and that is a concern, and it should never happen again. However, at the same time, you know, at that point, this is where at the end of the day you have to say, who are you putting in Congress? Because this is literally their oversight. NSA does not have a random group of people who sit around and say, you know what, I want to just go ahead and randomly listen in to these people. NSA has to document, and there are auditors and programs in place that regularly go through and say, if NSA does, for example, go to that database of telephone calls that they have, that is now known, which I think has since ceased operations, but if NSA did that, everything had to be audit logged and the oversight had to be put in. And NSA did find people, or I think there was one person who was abusing a lookup there, and they punished that person, and that person was looking up his girlfriend’s phone records, as an example. But anytime somebody goes in, there has to be a justification and a warrant to do so, or, well, whatever the FISA court issues.

[Nate Nelson] One of the stories I’ve been interested in lately, it’s not necessarily a new one, it refers to an NSA project called Shotgiant, not that well known. I want to pose it to you because it’s an interesting sort of case study in where the line is. In this case the NSA was hacking into Huawei, the Chinese corporation which many have suspected collaborates with the CCP. In a case like this, do you see it as warranted that the NSA would proactively hack into China’s version of Apple, Verizon? Is that the kind of thing that we should be doing?

[Ira Winkler] There’s the cynical part of me which says China is hacking into Cisco, Juniper, all these other companies around the US. You know, get over it, China. It’s like it is happening. This has been documented that foreign governments have been hacking into US companies both for economic and nation state type of espionage. And I would be concerned if, for example, if you’re going to buy a piece of US networking equipment, how do you know there is no back door from China, or some other country? And this has actually been a serious concern for supply chain security for a while. Now again, should NSA go ahead and hack into Huawei? That’s something obviously that has tasking oversight. There has to be a national intelligence directive to go ahead and authorize something like that, but would it clearly be a valuable intelligence source? The answer would be yes. That would be a valuable intelligence source. Because again, it’s not just espionage. Is there a magical kill switch? It would really suck that during a time of a crisis or a potential hostile action by a nation that they go ahead and put a kill switch into the telecom infrastructure and so on.

Here’s the concept. Russia and China make the mistake of getting caught. Other countries sometimes get caught. They just aren’t getting caught as much as Russia and China are, as the example. I have friends who are CIA operatives. They’re like, there are things you’re not supposed to do. At the end of the day, the only thing you’re not supposed to do is get caught. And that’s where these things go. From a professional perspective, at some point you have to do a tip of the hat to foreign intelligence agencies who have come off with an intelligence coup. You look there, you criticize them, you do whatever because you’re supposed to. You then go ahead and you then to the extent it is, you punish the country for doing something like that. That’s where at the end of the day, the balance of power comes in. For example, if, I’m just making this up, let’s just say for example, if the country of Malta was accused of found to be hacking into Cisco or something like that to put malware in there, you would go ahead and you would punish them. Why? Because the fact of the matter is there is this power inequity and this power inequity throttles who essentially can get away with spying on who. When Russia is accused of hacking into United States, for example, the US has a much larger economy. Russia has more dependence on foreign entities for resources, technology and everything like that. There is a balance where Russia has to basically control itself and if they don’t, they have to be willing to go ahead and pay the penalty that other countries may or may not choose to levy upon them depending upon who the person is in charge at a given moment. There’s no perfect answer to this and yes, there is a hypocrisy there. It’s just a matter of world events and it’s just a fact.

[Nate Nelson] OK, it seems like we’re drawing an equivalency there. Where in your view, Ira, is the distinction? What do America’s enemies do that the NSA or the CIA refuses to do? Do we have any moral ground to stand on?

[Ira Winkler] The US government does not participate specifically for the goal of economic espionage. The US government will not, for example, steal a military, you know, they will not steal the design of like let’s say an airplane and give it to Boeing. On the other hand, foreign countries will steal the design from Boeing and give it to their local manufacturing. They will steal parts designs and then be able, for example, to flood the market with low quality, you know, aftermarket parts. The US government is not going to necessarily do that for the financial gain of a private company. The US government limits to what it does to national interests, not personal interests, not other interests, or at least now is not doing it for personal interests.

[Nate Nelson] Yeah. And you know, when we talk about these things in the popular narrative or maybe just in my head, it seems like every country has kind of their own cyber character. Like China uses their big tech companies to do their bidding. Russia uses cyber criminals. Ira, what do you think is America’s character? What’s our profile? You know, what kind of hackers are we?

[Ira Winkler] So I would somewhat disagree. Like, yeah, the criminals are the criminals, that’s a given. And Russia makes use of the Russian criminals because they do the typical, they’re very effective at what they do. Russia also has an incredibly effective hacking tool in their nation state apparatus. The GRU is incredible at hacking overall, and that shouldn’t be downplayed. You know, likewise, China, I mean, the Chinese military has some really great hackers as well. They’ve just incorporated to a large extent the, you know, different students and universities and government. There’s a whole infrastructure in who they assign to what.

For the U.S. for espionage, that is specifically limited, however, to U.S. intelligence agencies and military agencies doing the hacking. It would be NSA, it would be CIA, it would be the information warfare commands and so on who are doing this work. They’re not going to go to students, they’re not going to go to private companies to do the work, for example.

Let me actually take a step back. There is something that’s fascinating. Maybe you’ll have them on. There was one case, Shawn Carpenter, who was at one point an admin at Lawrence Livermore National Labs, I think it was, or one of those national labs. He basically detected China logging into their stuff, trying to steal nuclear data. He essentially hacked them back. And he hacked China back successfully to their origination, you know, to the actual people in China hacking other people overseas. He was collecting data on where China was hacking around the world. Then the FBI came in and said, wow, because he was providing the data to the U.S. government. Then the FBI stepped in and said, you have to stop that because you don’t have permission to do this type of work. We got to try to get you permission and it just died. So that’s an example where you even have somebody doing something and start it for the right reasons. Then it became a potential asset that the U.S. government just let fizzle away because he wasn’t part of the U.S. government officially.

[Nate Nelson] My last question, Ira, is this. Our podcast listenership, I would think myself knowing them for a few years now, it’s going to be split on the discussion that we’ve had here. There are a lot of folks who are sort of of your mind that world affairs are world affairs. We have to be doing these things. The NSA is doing largely good work, if not for some big slip ups. Then there’s going to be a large percentage of people who are of the opposite mind who are going to take the sides of the whistleblowers of the NSA, who are very suspicious of the NSA, who have taken the history of the things we’ve been talking about very seriously and very negatively. Ira, if you could leave us with a thought, something to maybe say to both of these sides about what you think, at least, people don’t get quite right about the U.S. and its contingent organizations, how they’re doing cyber warfare, planting whatever they’re planting, doing whatever they’re doing. What do you think we aren’t quite understanding that you see from your perspective?

[Ira Winkler] From my perspective, and just for the sake, and people could look this up, when it was determined that NSA was doing the warrantless wiretaps that was allowed to it under the Bush administration, I actually wrote an article condemning that, because it bypassed a variety of different controls. I would say so to the extent for the people, I’m not just somebody who blindly supports it, I’m more of a pragmatist. For the people who want to go ahead and say they support what they’re doing and all that, I go, they should support it wholeheartedly as long as NSA and everybody else stays within the legal bounds it’s been afforded. When there are any violations, they should crack the hell down on those, even if it’s a minor violation like a guy looking at his girlfriend’s cell phone records. And the reason I say that is, it’s like in politics, you have one small thing on one side of the aisle and it’s like a small inconsequential thing by a low level nobody and all of a sudden it becomes a national issue to the other side.

Likewise, you have to make sure, NSA makes sure there’s no screw ups because somebody will take good hard work of people, pick this one little thing up and hold this one little thing up and say, look, I told you and try to ruin all the other things, killing all the efforts in its tracks. You got to make sure there are no violations and wholeheartedly approach that.

To the other side, I have to say, thank God or whoever you want to, that you’re living in a place where you can fully express those opinions, where you have potential recourse to go to people to complain and my thing would be, yes, you have to stop living in this Pollyanna world that you’re living in at the same time because if NSA stops it again, I could tell you you’re going to get another situation like Paris. Like, I remember when I was at NSA, I remember working there and Pakistan exploded a nuclear weapon. This was way back when, and everybody was saying, why didn’t NSA warn us? The same people who are complaining about NSA were saying, see, I told you, why weren’t they looking where they were supposed to? In other words, you want us to look even further than you were? Yes, they do. There is a purpose to what’s being done. There is a reason to what’s being done. It is actively saving people’s lives, both US and more frequently other people overseas lives and helping other people. So yes, there shouldn’t be violations in it, but to think you live in a Pollyanna world where nobody’s going to spy on nobody, get over yourself.