Skip to content
NEW

Security news and analysis brought to you by the McCrary Institute

READ MORE

To the Point: Former NSA deputy directors Chris Inglis and George Barnes on ‘Typhoons,’ the ‘dual hat’ and more

To the Point is a new video series from the McCrary Institute for Cyber and Critical Infrastructure Security, found here at Threat Beat. Hosted by McCrary Institute Director Frank Cilluffo, the series delivers fast-moving, high-impact conversations with top national security and cybersecurity leaders. Each episode tackles big ideas with clarity and urgency — getting straight to the point.

In this inaugural episode, Frank sits down with Chris Inglis and George Barnes — both former deputy directors of the National Security Agency — for a fast-paced, high-level conversation reflecting their decades of experience at the highest levels of government. They explore which emerging technologies will have the greatest impact on national and economic security, the role of red lines and strategic ambiguity in cyber deterrence, and whether it’s time to split the dual-hat leadership structure of U.S. Cyber Command and the NSA.

TRANSCRIPT

Frank Cilluffo (00:00)

I’m Frank Cilluffo and this is “To The Point,” a new series hosted by the McCrary Institute here on Threat Beat. We’ll be speaking to some of the best in the business on big ideas, but we’ll get to the point. Today, I sit down with two outstanding individuals, both of whom served as deputy director of the National Security Agency and are luminaries in the field: Chris Inglis, who also served as the nation’s first national cyber director, and George Barnes. Let’s get to it.

So what emerging technology? A lot of discussion around quantum AI and other emerging technologies, but what emerging technology do you believe will have the greatest impact on our national security, on our economic security, or on society at large and why? 

Why don’t we start with you, George?

George Barnes (00:49)

Great. Well, first of all, I’m really happy to be here. This is going to be a great session. I can just tell being with the likes of both of you. Looking at technology, I really think everything’s abuzz on artificial intelligence nowadays. And it has been for quite some time. Looking forward, the area that we cannot really predict because things are going so fast is AI maturing into the autonomous realm. And so we see now the plethora of agentic AI coming to the fore. And I think we’re grappling with that, both with excitement and also with some anxiety. And so I think it’s going to substantively change how humans interact with machines, how we are efficient, productive, but also it will illuminate some care abouts.

Frank Cilluffo (01:33)

Awesome. Chris.

Chris Inglis (01:34)

Yes, I’m going to start by agreeing with George. I worry about not the creation of sentient AI. I think that’s inevitable, but the autonomy of that. I don’t worry about sentient systems. I worry about autonomous systems. And so we need to double down on what it means to be human. Accountability has got to be on the loop of whatever generative AI is unleashed to do. And we have to actually double down on critical thinking skills. Let me add to that that quantum computing is coming right behind.

Most estimates, two to five years, I think that we’re going to be surprised. The thing I worry about there is it’s going to challenge all of the foundations of security as we know it in the internet or cyberspace. We know how to address that, but we’ve not taken the time and energy necessary to do it. I worry a lot about that.

Frank Cilluffo (02:07)

Awesome. Quick thought from my perspective, I couldn’t agree more in terms of getting someone who swore to the Constitution should be making certain decisions when it comes to anything technology. And often it’s in the application of technology that makes the most significant difference. And I’ll say to society, AI, to national security quantum, just given the crypto sets of issues that could play out there. Let’s start with, please.

George Barnes (02:45)

Even right now, I was just saying, even right now we’re seeing people are toying with the autonomous people. People are creating autonomous agents that reflect personality. So looking at those as companions, but trying to teach and inculcate what are the value systems, what are the governance regimes, all those types of things that we sometimes take for granted. We really need to think hard about that early because we’re going to have agents taking on human functions in parallel with humans. And so we have to keep us humans in the right place.

Chris Inglis (03:23)

Yeah. And I think that we’re sometimes too casual in framing this. I remember years ago, I was giving a talk to someone, a group, an international group on the autonomous weapons systems that the U.S. Department of Defense was considering investing in. And midway through the talk, somebody stopped me and said, do you really mean autonomous? And I said, well, yeah, of course. Systems that have certain properties. And he said, you mean weapons systems that can change sides in the middle of a war? And I said, well, no, not that. And he goes, well, they don’t need autonomous. You need to actually define those terms because if you get what you’ve asked for and you’re sloppy in that question, you’re going to get something that will make you rue the day that you started down there.

Frank Cilluffo (04:02)

Well said, both, and let’s turn to a topic. Chris, I’ll start with you. First, something we discussed ad nauseum during some of our deliberations with the Cyber Solarium Commission, but it’s looking at the deterrence question. Lots of discussion now about leaning forward, proactive, more proactive posture, some of which I think we’ve started, but maybe you’re going to see some acceleration. But the first question I would have is, do we need red lines? Are we finally at the point where we need to clearly delineate lines in the silicon or lines in the sand? Chris, I’ll start with you on that.

Chris Inglis (04:38)

I think we need to be crystal clear about what it is we will defend and what constitutes then unacceptable risks to that. I don’t think we have to be as clear about declaring what we will do under those circumstances. I forget who it was that said this. It might have been Jim Mattis, but we need to be crystal clear about our strategic equities and somewhat ambiguous about what we’re going to do to defend those so that we actually put a seed of doubt in the in mind’s eye of somebody who would hold those at risk.

Frank Cilluffo (04:39)

Thank you.

Chris Inglis (05:08)

If we give them the explicit playbook, chapter and verse, then they might actually say, you’ve been precise enough that I now know how to navigate that landscape because you’ve given me every detail of what you intend to do. And so some ambiguity is useful, but not in a declaration of what we choose to defend under what circumstances.

Frank Cilluffo (05:26)

Well said. George.

George Barnes (05:28)

Yeah. And I think we have a lot of power and latitude in that respect because we luckily today, and for many years prior, we’ve had the ability to choose the manner in which we actually counter things. And so we don’t have to do an eye for an eye. You don’t have to respond to a cyberattack with a cyberattack. So again, giving some ambiguity creates a sense of deterrence, but at the same time, we do need to establish some lines. And I think we’ve been all too soft on ransomware, as an example. Because that is an attack on our society by nominally non-state actors that are harbored, well, they started in Russia mostly, but now they’re scattered around the world. And so I think we need to actually have a more sharp response to that. And I think our legal system tries its best, but falls short. And that’s our domestic and our legal system with respect to dealing with those.

Frank Cilluffo (06:22)

You know, a tie back to the… Wait.

Chris Inglis (06:23)

If I could add to that, think there are two dangers here in terms of thinking our way through this. I agree with what George has said. The first is imagining that we can achieve an absolute level of deterrence, right? That this is a binary proposition that we fail if we don’t kind of completely remove mischief from the field. That’s not possible, right? So, and I don’t mean to say that I’m striving for mediocrity, but the cost of entry is so low, the lucrative assets that somebody might acquire by having a, doing a transgression in this space.

They’re too high that you’re never going to keep that adversary off the field. But we can change their decision calculus. I think it was Edmund Burke who 250 years ago said that the greatest mistake that you can make in life is doing nothing because you can only do a little, right? I think we need to do what we must and can to change the decision calculus of adversaries in this space. The second danger is actually being kind of one-armed or coming up with one single strategy.

Frank Cilluffo (07:06)

Okay.

Chris Inglis (07:18)

In the moment, we might think that what we need to do is to penalize transgressors in this space as a substitute for security by design and resilience by design. I would say that we need to do both. We need to reduce the possibility that they would succeed if they try and increase the probability that they would suffer a consequence if they do or if they succeed. If we use both of those, then I think that we’re stronger still in changing the decision calculus of adversaries.

George Barnes (07:45)

Definitely.

Frank Cilluffo (07:45)

Well said, and I think you, like the previous question, clarity, nuance, and specificity around some of these matters is essential. And just out of curiosity, Volt Typhoon, vis-à-vis, flak, Salt Typhoon, did that cross a line?

Chris Inglis (08:02)

Mind you, think Volt Typhoon crossed a line. Now, Salt Typhoon is, it might look the same at a distance of 50 miles or more, but Salt Typhoon is a classic surveillance operation. The scope and scale is impressive, possibly gets close to what might be an inferred red line, but Volt Typhoon is a fundamentally different thing. The only purpose of Volt Typhoon is to hold critical infrastructure at risk by the insertion of malware. There’s no…

Frank Cilluffo (08:24)

Thank you.

Chris Inglis (08:29)

There’s no other purpose. That, in my view, crosses a red line.

George Barnes (08:33)

And I think we can, we can totally, and I think it helps to put the different types of activity in a categorical framework. If you will, there’s attacked, denied, disrupt, disable. There’s theft, whether it’s for espionage, personal private data, what have you. And then there’s also information, ops and influence. And all three of those have different ramifications and they need a different type of a response. And so to Chris’ point, Salt Typhoon is espionage. It’s stealing.

Frank Cilluffo (08:33)

And I am in same place. George, how about you?

George Barnes (09:02)

Right? We don’t like it, it feels bad, we should defend better against it, but in the end, people have stolen from each other from time immemorial.

Chris Inglis (09:11)

But they leave the original. Don’t take the original, right?

George Barnes (09:13)

That’s right.

That’s right. Exactly. It’s a different thing if you take it, destroy it, preclude access to it, et cetera.

Frank Cilluffo (09:15)

I, again, nuance, I think this is an issue that there has to be an imposition of cost and consequence, or we’re going to continue to see. You can’t expect it to induce changes in bad behavior unless there is a response. As to what that should actually be, I think strategic ambiguity has its place, but not when they’re crossing certain lines that should trigger a visible response. Both of you added a lot of nuance around that issue.

Last question, and this one I think there may be a point of diverging opinion on, and one of the hottest questions in D.C. right now is the so-called dual-hat question, whether or not the director of the National Security Agency, DIRNSA, should also simultaneously be the combatant commander for U.S. Cyber Command, as is currently the structure. Lots of discussion, lots of reports.

The Dunford report, it’s been looked at at length, but I think it’s up for discussion now. George, why don’t we start with you? Should we keep the hat together or do we split?

George Barnes (10:28)

Well, I think I’m pretty open about keeping it together. And I stepped back to my experiences watching – I was at NSA during the formation of Cyber Command as predecessors and, helped run the organizations on the NSA side that were performing the functions that created the foundation for operations in cyberspace. And so my big thing is form follows function and we have to be careful. We’re trying to propagate prior structures forward because we’ve always had them. And I think cyberspace changes everything, right? And we have to be responsive to the environment. We have to be actively engaged in the environment. There are a lot of equities in play, so having a common sense of visibility is key. Having a unified unity of effort, whether it’s for intel gathering, preparation of the operational environment, or preparations for offensive action, it requires common view, a common…

Frank Cilluffo (11:06)

Okay.

George Barnes (11:26)

…workforce with common agendas. We have in our system, we have a predominantly military workforce in CYBERCOM and a predominantly civilian workforce in NSA. Luckily, there are the other types in each, but those cultures don’t naturally come together. And what I saw most explicitly under General Nakasone is the creation of a common focus, a common will for the nation and not about an agency or a command, and also the visibility to take into account key equities across Title X and 50. Those equities, those nuances, that specificity doesn’t naturally come together at the levels that it needs to in cyberspace if you have separate Pentagon and IC lineage.

Frank Cilluffo (12:14)

Chris?

Chris Inglis (12:16)

So I appreciate the question. I think we are going to diverge somewhat on this. So three points. One, I was at the table in the summer of 2009 when U.S. Cyber Command was being created. It was largely the work of Paul Nakasone, Jen Easterly, TJ White. But I was the deputy director at the time and accountable to Keith Alexander, who is the director of NSA and the oncoming kind of commander of U.S. Cyber Command to ensure that NSA was providing full support.

At that moment, it was believed that it was an existential proposition for Cyber Command to have a dependent relationship on NSA. There was no other way to start. And so it was the right model at that time. We left off the table the possibility that this would be indefinite or short term. We said, we’ll come to that later. My view, a second point, kind of in the fullness of time, is that the span of control for one person, and there’s only one person who’s in both organizations, that’s the commander of Cyber Command and the director of NSA, the span of control for that person is simply too broad, right? And in order to actually give the center of gravity in each of those distinct organizations proper time, attention, strategic leadership, I think that we need to split the hat.

There’s also a distinction here in terms of the authorities. We talked earlier about Volt Typhoon and Salt Typhoon being very different from one another. They look the same at a distance. It’s the use of cyber techniques to crack through firewalls to achieve some end purpose. But those end purposes are fundamentally different. Salt Typhoon is typically attributable to what we call Title 50, intelligence operations. Volt Typhoon, attributable to Title X. And because we’re saying that there’s a very real distinction between those as an adversary addresses us, I think we need to actually kind of look in the mirror and see what sort of message we’re sending in return as to whether we think that they’re distinct or whether they can be melded and blended in that they become indistinct, where that scene then is a problem for us. Other organizations in the world who are kind of analogous to us have chosen very different kinds of organizational models and yet achieved, I think, great benefit. GCHQ, the UK equivalent to U.S., to the National Security Agency, is hosted by what we would call the Department of State. And it works. They have a wonderful relationship with their version of Cyber Command. Are there tensions? You bet. But the distinguished leadership that each gets then allows them to optimize each of those so that they can then, moving forward, deliver what’s necessary. And let’s not forget that NSA has other customers besides U.S. Cyber Command. Other combatant commands, other agencies, other departments. And the best way to optimize the delivery of NSA services to all of that…

Frank Cilluffo (14:51)

Okay.

Chris Inglis (15:01)

…is to give somebody the challenge of saying, do you optimize the whole as opposed to optimize one piece and then figure out what to do with the rest? The last thing I would say, the third point, is that we actually have some experience in this regard. NRO, the National Reconnaissance Organization, does all things associated with space, quickly gets classified, but all things associated with space for the U.S. intelligence community. And yet there’s a U.S. Space Command that operates in exactly the same space.

Frank Cilluffo (15:27)

Okay.

Chris Inglis (15:28)

And there was a very strong consideration about five, six years ago to subordinate or merge NRO into Space Command. And there were a number of arguments thrown up that I’ve just walked through for kind of signals intelligence and cyber operations, which were put up for the space kind of issue that we came to a conclusion on a clean white sheet of paper that we shouldn’t meld those two, that they can in fact be complementary and optimize the whole by giving distinguished leadership to each. That’s what we did then.

And that’s what I think that we will do in the fullness of time going forward on NSA/U.S. Cyber Command. Having said that, if we split that hat, I think we need to give both of those leaders the charge of you need to work for the success of each other. You need to work for the success of the other. Otherwise, we’ll see that there are unnecessary seams and inefficiencies sewn into this.

Frank Cilluffo (16:17)

That was a very robust discussion from both of you. Just one quick follow-up. Do we have the horses in the stable? I worry that we’ll be fishing from the same pond and these aren’t women and men that grow on trees, so I’d be curious what the thoughts are there. And I’m really glad you underscored, Chris, the reminder that NSA is a combat support agency for all the both regional and functional combatant commanders.

George Barnes (16:28)

To you.

Frank Cilluffo (16:46)

I think that’s a very valid point, but my simple takeaway is will it increase and improve our outcomes or not? And that’s the simple litmus test that I have, but I’d be curious if we have enough bodies and can it be done just as well? However it’s structured or…

Chris Inglis (17:03)

Can I offer an anecdote?

I want to give George the lion’s share of the time here on this because he’s most recently in the job. Years ago when I was the chief of analysis and production for the National Security Agency, the J2, the person in charge of intelligence for Pacific Command in the day out in Hawaii, called me up and said, “Hey, you’ve got some assets, some intelligence assets on my island, the island of Hawaii. From this day forward, I own them. They do what I tell them to do because there’s just too few of them. I need all of them.”

Frank Cilluffo(17:16)

Okay.

Chris Inglis (17:33)

I said, that’s great, but let’s do an experiment. For a week, I’d like to actually tag the intelligence that I shipped to you, and I’m going to tell you where it actually came from. Some of it comes from the island, people who are there sitting cheek-by-jowl up alongside you. Some of it comes from other places. And by the end of that week, he was shocked, stunned, and amazed to realize that the broader National Security Agency was able to generate things in places like NSA Texas, NSA Georgia. And it’s Europe, all sorts of places that then focused on the Pacific Command’s challenge that the idea of ownership, tactical ownership, physical ownership was really a substandard, a suboptimal solution. So I said, if you want to own those assets on that island, that’s fine, but I’ve got to cut the same deal for Europe and for Southern Command and for the State Department. We’re now going to balkanize this such that we suboptimize this so that we can optimize in silos…

Frank Cilluffo (17:58)

Okay.

Chris Inglis (18:26)

…for each of those kind of those dependencies. I think that we run the risk of doing that to the extent that we dedicate some resources at NSA to U.S. Cyber Command. It will remain a cripple and will not develop the distinguished resources it needs to prosecute Title X in a space where we’re richly prosecuting Title 50. George.

Frank Cilluffo (18:47)

George.

George Barnes (18:48)

I’ll just give a point of reference. I know of no other country that has a system working that’s robust that has two separate entities. Our adversaries in Russia, we have the GRU, which is military enterprise, and the FSB, who both have offense and defense and intel. We have the cyberspace force and the MSS in China who do not; it’s all unified together. We also have in the United States, and GCHQ is a great example, but there are models predicated on GCHQ building the tech. And that’s something that we have a problem in the United States because our technology system, our acquisition system and then the Defense Department does not lend itself today to rapid iterative technology development as fast as the target. And so that’s something that with CYBERCOM’s relationship to reliance on NSA, it gets some of that pedigree. It also leans on a civilian workforce that has depth on target over time. We have a rotational military workforce that can definitely operate, but they need the texture of the target to navigate and understand the nuance with respect to the nation-states that hold us at risk. And so a lot of things have to change, notwithstanding bigger things that are harder, which is cryptanalytic support and those types of entities. But I would say just the synergies required drawing from expertise in the civilian workforce and drawing on the way that NSA has developed technology and employed it. Those are big areas where CYBERCOM lacks in ability.

So the model, not just that it’s separate or together, but the model, the acquisition model of the Pentagon is being adjusted and challenged right now. It needs to be for many reasons beyond CYBERCOM, but rapid technology evolution and pursuit requires a different model than our traditional acquisition.

Frank Cilluffo (20:46)

Gentlemen, both very thoughtful. And I would ask the last question: Chris, maybe. Deconfliction in speed, would splitting it potentially stymie and slow us down, what is already not fast enough? Just a quick thought.

Chris Inglis (21:02)

No, I don’t think so. So I love George. I disagree, though, with the premise. So if you look at any kind of effective military organization in the United States military, you’ll find very different color uniforms, the Air Force, the Space Force, the Marines, the Army, the Navy. And yet it’s incredibly concurrent and coherent when it operates. Why? Because the silos that generated the capability that shows up on that battlefield understand that in the employment phase, the employment and deployment phase, that they need to actually respond to a single commander in the employment phase. But the generation of that capacity and the creation of that in the steady state that actually lives before you have that intense moment of application, you require the depth of expertise that comes from stovepipes.

So there’s only one person who’s in both NSA and U.S. Cyber Command. And when there’s an operation where you commit resources to the execution of that operation, whether it’s that commander in CENTCOM or Southern Command or Northern Command or U.S. Cyber Command, there needs to be great clarity that at this moment in time, NSA is going to ensure the success of that operation. But if you want to optimize the application of NSA, preserve the color of its uniform, preserve the responsibility it has to create those resources that when deployed, when employed, they will actually achieve the synergy, the concurrence that’s required. We can actually take advantage of both of those strengths, the depth of those stovepipes and the application of them on the common battlefield.

Frank Cilluffo (22:30)

Gentlemen, fair to say a complex issue that incredibly thoughtful and smart, and people I respect, will have different opinions on, but I think everyone agrees at the end of the day we need to strengthen our capabilities as to how to best do that. We will see. So thank you both for taking some time with us today and really appreciate it. So thank you.

George Barnes (22:54)

Thanks for the opportunity.

Chris Inglis (22:55)

Thanks, George. Thanks, Frank. Good luck to us. Take care.

Read More