Former Senior Executive with the National Security Agency (NSA), Richard (Dick) Schaeffer joins us to discuss the role of NSA in the future of Cyber, what Cyber looks like in 2030 and Commercial vs. Government leadership in cyberspace.

Episode Table of Contents

• [0:35] Introducing Our Guest, Dick Schaeffer
• [1:41] The Journey to Marine Corps
• [6:53] Spending 37 Years in NSA
• [10:50] The Possibility of Going Up Against United States
• About Our Guest

Introducing Our Guest, Dick Schaeffer

Arika: We have a great guest, someone who is very well known in the industry. We have Dick Schaeffer who was the former IAD at NSA, which is an information assurance director. Hi Dick. How you doing?

Richard: Good morning. Doing very well.

Eric: And Erica, there are a couple of directors in there so I just want to clarify. Dick was the director of the information assurance director directorate at NSA. Dick, how many years did you do that?

Richard: So I was the information assurance director from 2006 until I retired in 2010. A little over four years under Keith Alexander, who was the director at the time.

Eric: Okay. And you were a Marine early in your career, correct?

Richard: Early life, I joined the Marine Corps out of high school. Sort of at the height of the Vietnam War and served in the Marine Corps from 1966 to 1970.

Eric: Those are some busy years in Vietnam back then.

Eric: Yeah. What makes you join the Marine Corps out of high school?

Arika: That was my question.

The Journey to Marine Corps

Eric: I did the same thing with the army. We weren't in an active conflict like the Vietnam War. But what makes you do something like that?

Richard: Well, so I come from a Marine family. At the time that I graduated from high school, I knew I wanted to be an engineer. I just wasn't ready for the next phase of education. And so I felt compelled. I actually joined the Marine Corps before I graduated, which enabled me to sort of pick what I wanted to do. I had hopes of being a Marine aviator.

And so I went into the aviation field of the Marine Corps. So joining early allowed me to do that. It just didn't work out relative to being a Marine aviator when I was in Vietnam, and I was there from 1968 through 1970, and 1970 the Marine Corps began to sort of wind down their movement of folks. They had a program at a university where you could go and get your degree, graduate and then go on to flight school from there. And the program wound down. So I exited the Marine Corps and went to college and ultimately did become the engineer that I wanted to in the beginning.

Eric: You know, it's interesting. That's almost the same story that I had. I signed up for the delayed entry program in high school, left right after high school, went through the army. There was a green to gold program that just didn't apply to me. So I got out and finished off my college and also the technical background. Interesting parallel there.

How Dick Schaeffer Got Into NSA

Richard: Yeah, it was interesting. I didn't know NSA from any other agency. And one day a recruiter comes to campus and we're talking and I said, oh, you are the guys that built that lousy crypto that we had to use in Vietnam. He said no, we don't build lousy crypto. And I said, well, it-

Eric: It's heavy.

Richard: It didn't work operationally for us. He said, well, why don't you come help us fix that? And that was the beginning of, I ended up at NSA in 1975 and had no idea how long I'd stay, and 2010 I walked out of there with 36, 37 years behind me, never knowing how long I was going to stay. It went by very quickly.

Eric: Did you make crypto better?

Richard: I'm sure you saw a lot of... Oh, good question Eric.

Eric: Sorry. I had to carry some of that [inaudible 00:04:41] infantryman in the army and it was very heavy Arika, jumping it and just humping it through the bush. It was quite heavy. So I didn't care about its ability to encrypt as much as I did the weight of the batteries and the device itself.

Dick's Experience Flying an Attack Aircraft

Richard: So I ended up in an A4 squadron, a small attack aircraft, and we were flying KY-28s in the aircraft, and at the same time, that wasn't, by today's standards it wasn't a Mach 1 plane. It was about a 600-knot maximum plane, but when it takes more than a couple of seconds for two systems to sync up, you've moved a long way at 400 plus knots, which was kind of typical. So it wasn't as if it worked very well. And then there, of course, there was compatible hardware for the ground, and in the same kind of situation, if you're calling in close air support and it takes a while for systems to sync up, you've probably passed over the target or you're in a panic mode and calling in the support.

Richard: So it just didn't work very well for us. So most of the systems never got turned on. Everything was operated in the clear. And so that's what I went to NSA to, I didn't know COMSEC from communication security from anything else. I didn't know NSA from anything else. I just knew I was a young electrical engineer who wanted to go do exciting stuff. So it seemed like a good opportunity. And in retrospect it certainly was. I was never bored a day in my life at NSA and worked with some of the smartest people in the world.

Arika: Well and Dick, I imagined, did you say you spent, was it 37 years there at NSA?

 

 

Spending 37 Years in NSA

Richard: Yeah, I got there in 1975, and I left in 2010, and as it works out in the timing, it was about 36 years. And then I had time, as I was in college, I was working at Harry Diamond Laboratories designing proximity fuses for the army and others. So it was sort of a co-op program and that helped pay for the education along with the GI bill and gave me some design experience which carried well when I went to NSA.

Arika: Well, and I'm sure you just saw so many changes in terms of the areas of focus and evolution and just, I can only imagine. That's a long time to spend at such a critical agency like an NSA. What, especially in the space of the threat and attacks we've seen from adversaries, especially in the cyberspace world, what types of changes did you see throughout that, those 37 years. I'm sure it was quite different from when you started in what you were focused on to when you left, especially being the IAD director.

Richard: Well, if I break my career up into chunks at NSA, I spent the first 15 years of my career in the overhead business working high-speed encryption systems for some of the, what I refer to as the battle stars, some of the big intelligence platforms. And then I did tactical comms.

An Exciting Time: Running the National Security Operation Center from 2003 to 2006

Richard: I did nuclear command and control. I led the research organization for a while and also just prior to going back to the defensive side of the operation, I ran the National Security Operation Center from 2003 to 2006. And it was a great time. I helped integrate NSOC, the National Security Operation Center with, the NSA, CSS Threat Operations Center, NTOC and our counter terrorism center into a single coherent operational platform.

Richard: So an exciting time. But with respect to cyber, if you look at the big adversaries, nation states, those that we always considered to be the top threats, what I saw over the years were tools and techniques that were developed by the high-end actors, find their way down the chain to the lower level players. I spent some time on a defense science board where we created a six-tier adversarial threat model with tiers five and six being nation state actors, high capability adversaries, and then at tier six, those who could actually do it at scale.

So it's not doing a single operation. Those that would run multiple operations at a time. That threat model still in use today. But the tools and techniques used by those top tier players find their way down to the lower level. Think about the criminals and then the general hacker community.

 

 

The Possibility of Going Up Against United States

Richard: Anyone can go on the internet today and download a set of tools that will be remarkably effective against a very broad range of targets today, and targets whether that's a capital T, a high-value asset, or whether it's a small t, it could be ransomware used against a small town or a hospital or one of the entities where people are extorting funds from those entities using those ransomware tools today that are publicly available.

Eric: Dick, over the course of your career, I think, maybe confirm or deny here, but we've seen the enablement of those second, third, fourth tier adversaries where with cyber and globalization and IT communications coming online, is it not easier for a North Korea or a small country in Africa, really doesn't matter I guess, to actually attack our infrastructure or the United States or any country than it used to be in the old, more physical world?

Richard: Oh, absolutely. I don't think there's a nation in the world that would go up against the United States essentially mano a mano. From a kinetic standpoint, there isn't a more powerful military in the world. You don't need that today. Sort of the asymmetric threat environment that we talk about, you can use cyber to condition the battlefield, however one wants to define the battlefield, you can use cyber capabilities to condition the battlefield. That can be done by a teenager with a laptop or it can be done by a nation state adversary across the internet. And in some cases it's very difficult to tell one from the other.

A Highway for Malicious Behavior

Richard: No, I was just going to say I happened to be in the Pentagon in 1998 when two teenagers from California tied up the Department of Defense for six weeks. If you Google Solar Sunrise, you get the background on that. It looked like an attack coming from Iran, but it was two 16-year-olds from Cloverdale, California. So it-

Richard: Yeah, the internet, it's a powerful place for good. It's also a highway for malicious behavior by anyone with the right tools and techniques and the right access.

Eric: Yeah. And it's so easy. It's so easy to obfuscate your activities, the enablement piece is easy. I imagine in the beginning of your career, the early parts, you were focused on the Eastern block countries primarily. And as things evolved, I can only imagine what the job is like trying to understand how to attack against all these new access points, all these new adversaries or potential adversaries, including two kids in California.

Continue to Listen Next Week for Part Two of Our Interview With Dick Schaeffer

Richard: Yeah. It's an incredibly complex problem. I think the intelligence community including NSA does a remarkable job at attribution. So is it two teenagers located somewhere? Is it a nation state that's perpetrating an event that's maybe part of some larger operation? But there's so much noise in the channel today. They use a comms analogy. There's so much noise in the channel today that you have to weed through all that stuff to get at the true adversarial information. We do a much, much better job today than we did in the early days of the practice, but it's still a complex problem, and the ability to hop from location to location essentially virtually creates some pretty significant challenges.

Arika: Hi everyone, I hope you've been enjoying this great conversation with Dick Schaeffer. We are actually going to make this into two episodes because we just could not stop talking. So please continue to listen next week for part two of our interview with Dick Schaeffer. Thanks so much and please continue to tune in and listen to To The Point Cybersecurity.

About Our Guest

Richard C. Schaeffer, Jr. is a former Senior Executive with the National Security Agency (NSA), with over 40 years total U. S. Government service, including 15 years as a member of the Defense Intelligence Senior Executive Service. Positions held during his career include Director, Information and Infrastructure Assurance, in the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) at the Pentagon and NSA Deputy Chief of Staff.

Since retiring from the NSA in April 2010, Mr. Schaeffer has continued to pursue his passion for improving the security of U. S. interests in the Cyber domain. through his own consulting firm, Riverbank Associates, LLC.