Joel Brenner, Former NSA Inspector General, On Russian Hacking Effort

Today, news of a leaked top-secret National Security Agency document analyzing a Russian military intelligence cyberattack on a U.S. voting software company. The NSA's analysis was reported by the online news site the Intercept. And, there's also the simultaneous story that the alleged leaker, an NSA contractor, has been arrested.

Joel Brenner, former inspector general of the National Security Agency and head of U.S. Counterintelligence in the Office of the Director of National Intelligence, and currently a senior research fellow at the MIT Center for International Studies, which tweets @mit_cis.

On his reaction to The Intercept's reporting that NSA had analysis of Russian military intelligence targeting a U.S. voting software company.

"What we've seen [is] extraordinary naiveté as well as yet another example of the government employees' inability to keep secrets. Let me start with the last one.

We have a system now in which we clear tens of thousands of people at a very high level of clearance and have access to secret and top secret information. And we're putting that through a system that just wasn't built to handle that kind of volume — and it's breaking down. I don't want to speculate on why this particular contractor, who was had spent six years in the Air Force with high security clearances, why she did it ...

And I think this was the easiest counterintelligence investigation in the history of the republic. I mean, it must have taken them 15 minutes to figure out who did it."

On if we're letting too many contractors too close to top secret information

"... It's not a problem that's restricted to contractors ... And I think we're going to have to rethink not only what we classify but how we protect it ...

We have a clearance system that looks at people on the way in — you know, where they give you a clearance — and then nobody really does much to monitor behavior until you can maybe get a polygraph again five, or six, or seven years later. And our system is not realistic that way ...

There's so many people [working with the NSA] that we can't expect to have the same tight cadre of culture of secrecy when you expand it that fast. I mean it's one thing, you think of operations people at CIA, for example. We don't see leaks out of a place like that. Those are people who live and die and whose sources live and die by their ability to keep their mouths shut.

We now have thousands of military people who are in the service for a short period of time — they're not committed to the intelligence business, they're just supporting it ...

So I think part of what we're going to have to do is to build a system that looks at behavior during employment. And partly we're going to have to think about how to make this a tighter business, classifying less and being more intent on secrecy of what we do classify. That's to say we overclassify to some degree ... I don't say this was overclassified. I mean, the public doesn't need to know exactly how NSA figured out that the Russians had attacked our voting systems and they don't need to know when they learned it."

On the U.S.'s vulnerabilities

"I do not know a single qualified cybersecurity expert who thinks that electronic voting is secure. I'll say it again: it's not secure. And particularly insecure are a number of systems that do exist that do not even have paper backups for voting tallies. That's irresponsible."

On if we can trust U.S. elections

"Well, at this point I think there's been no reason to distrust the election results so far. I don't want to get carried away there. What I am saying is that it is possible to monkey with these systems in a number of ways.

One way is you can go out and buy one of these machines, understand how it works, and then thereby understand how to make it not work, how to make it break. You can get in to these systems through a phishing attack. Think about if you want to set out to corrupt an election what would we want to do? Well, we might want to change votes on voting days, but we might also want to change absentee ballots, which can be submitted in some places electronically. We might want to change registration rules. We might want to contest counts.

If we could, for example, steal the credentials of an election official. Think of what you could do from an official system not from a spoofed site but from the real site? You could issue polling changes on Election Day."

On if there's any reason to believe that the Russians attempted these type of attacks

"We have some indication that they tried to do perhaps, most of these things. They were certainly trying to get into machines in ways that would allow them to do these things, not only through phishing attacks, but from I think stolen credentials — which would be the real, I think, the brass ring to grab. If you have stolen credentials, my goodness, you don't have to do a phishing attack. If I have your credentials, I can get into your system and issue things as if they're coming from you. And they would be coming from your account. That's the ballgame here.

... Americans have to realize that convenience, seamless convenience, comes at a price. And the results of our elections federal, state, and local are what make our republic work. And to insist on seamless convenience as opposed to polling in the old-fashioned way just doesn't look smart to me."