NSA's Former Head Lawyer on Snowden and Cybersecurity

In honor of National Cybersecurity Awareness Month, we caught up with former NSA GC Rajesh De. Now the head of Mayer Brown's Cybersecurity & Data Privacy practice, Raj spent the past three years as NSA's legal chief while the agency experienced the Snowden leaks and subsequent government surveillance debate.

The debate over surveillance is ongoing, as the controversial Cybersecurity Information Sharing Act may see a Senate vote this month. CISA encourages companies to share cybersecurity info with the government, in exchange for liability immunity. "Legislative action in terms of information sharing is important," says Raj, "and it can't wait." When CISA opponents say that information sharing wouldn't have prevented particular attacks, that "is the improper metric. There's nothing that's going to solve any given hack." It's really a question of whether we're building a strategic approach to managing risk better: "Information sharing clearly is an important brick in building that structure."

Raj says the areas of difference between CISA proponents and detractors have been narrowed enough to be "eminently resolvable." Compromises may include companies sharing info with DHS rather than intelligence agencies and stripping personally identifiable info before sharing. Thinking through the life-cycle management of data is key, something the government has a lot of experience in. (At the NSA, data privacy rules are built into "minimization procedures" to ensure that any surveillance program comports with the Fourth Amendment, and guides how data is collected, used, stored and destroyed.) Maintaining a privacy-security balance is imperative, says Raj; it's a dynamic effort as technology changes, threats evolve, and attitudes fluctuate about what we as a society find acceptable.

One of the biggest lessons from the Snowden affair is that the intelligence community—not just NSA—needs to be more public in its articulation of what it does, Raj says. "Particularly in a democracy, you can't have a gap between what's being done, and those on behalf of whom it's being done." Raj is a proponent of moving in that direction, but he says it's far more complicated figuring out how to do so than is claimed by advocates on either side ("it just can't be done," or "everything needs to be in the open"). He adds that much more can be revealed by innocuous-seeming information than people would think.

After leaving the NSA—where he led a staff of 100—Raj spent three months with his family, visiting the Dominican Republic, Disney World and Deer Valley with his wife, 9-year-old daughter, now 8-year-old son, and his father. A Harvard Law grad, Raj was at Mayer Brown from '06-'09 before moving to DOJ, then to the White House (as staff secretary for two years he managed all of the paper that went to President Obama). White House photographer Pete Souza snapped these pics of Raj's children with the President. Rejoining Mayer Brown last month felt like returning home, Raj says. (And now that everything he does isn't classified, it's nice to be able to take work home, too.)

At Mayer Brown, Raj heads a 50-lawyer (and growing) group that advises on an array of issues: cyber breach preparation and response (eg, creating a written information security plan, having a data breach response plan, conducting tabletop exercises, being able to deal with law enforcement, having communications folks and lawyers on call); litigation strategy (invariably, there are lawsuits filed in the immediate aftermath of a breach, and case law developments suggest there will be more litigation in this space); board governance; policy and legislative advocacy; regulatory compliance; and supply chain and vendor management. Helping GCs integrate all these threads is part of the group's approach.

The once-distinct "buckets" of cyberthreats (state actors, often spoken about as Russia, China and Iran; criminal actors selling information; and "hacktivists") are blending. Attacks are growing in frequency, scope and scale—and also morphing in type. They started with stealing data, added on disrupting web service, then layered on destruction of data (such as Saudi Aramco and Sony attacks). What's concerning intelligence professionals now is the threat of manipulation of data (in order to undermine, for instance, the integrity of the financial system) or of physical objects through the Internet of Things. As a result, people need to think not just about prevention but about speed to detection.