‘Kicking out the adversary’ is part of new Cybersecurity Directorate’s mission, NSA says
The National Security Agency’s new Cybersecurity Directorate, charged with helping protect the defense industrial base and sensitive government computers by providing insights on foreign hackers, is now at initial operating capability, senior NSA officials informed reporters at a rare briefing Thursday at Fort Meade.
Just this week the fledgling directorate took one of its first public actions, issuing an unclassified alert about nation-state hacking groups actively exploiting vulnerabilities on virtual private networks. Beyond the usual job of such alerts — identifying the bugs and recommending mitigations — the directorate made a point to provide ways for organizations to check whether they have been victimized, something the directorate intends to continue in unclassified ways moving forward.
“We need to be sure that people who own networks that are vital to the national security systems and defense systems of this nation can figure out if adversaries have gained access into their networks,” NSA spokesperson Natalie Pittore said. “It’s about preventing but also kicking out the adversary.”
The focus on eradicating hackers from victimized organizations sets this new Cybersecurity Directorate apart from old defense-focused branches of the NSA, such as the Information Assurance Directorate (IAD), the Technical Director for the new directorate, Neal Ziring said Thursday.
“The old IAD … really focused mostly on prevention … not that we didn’t do any eradicating. But prevention was the bulk of the mission work. So now we’re trying to make sure we pay attention to both angles and let them work together,” said Ziring, who has an intimate knowledge of the technical details shared with industry as the former technical director for the IAD.
“I gave our agency a demanding challenge: prevent and eradicate cyberthreats to national security systems and critical infrastructure,” NSA Director Gen. Paul Nakasone said Wednesday during remarks at a summit hosted by FireEye.
The NSA has always had a cybersecurity mission, better known internally as information assurance, in addition to its job of gathering signals intelligence on foreign adversaries. But in recent years the agency’s focus on the cybersecurity mission had waned, as Nakasone has pointed out in previous remarks. One of the goals in creating the new directorate was to reenergize the NSA’s white-hat mission, which covers everything from generating the cryptographic keys for U.S. national security systems and U.S. government communications to protecting the nation’s nuclear command and control systems.
Defense industrial base cybersecurity
As a first order of business, Nakasone has directed the new organization to focus on the defense industrial base, weapons system security, and the infrastructure and capabilities behind them.
One of Nakasone’s concerns right now is that the defense sector needs to be better protected in particular against cyber-enabled intellectual property theft from foreign adversaries.
“China has stolen a staggering degree of intellectual property to build its economy and military with global ambitions,” Nakasone noted.
Ziring said the directorate is creating a unit to specifically examine the cybersecurity of the defense industrial base. He acknowledged that past efforts have shown that the new team will have a daunting task, given there is no one-size-fits-all solution.
“Protecting an ecosystem or a sector like the defense industrial base is very very difficult, because the sector is very heterogeneous,” Ziring said. “You have some very very large companies … defense prime contractors … and then you also have very small and specialized companies and sort of everything in between.”
NSA partnership with DHS
Protecting against specific technical capabilities of adversaries is no easy undertaking, particularly as they set their sights on areas that don’t necessarily fall under the NSA’s purview, such as universities, the officials said.
“You used to see a nation-state spent their time attacking a nation-state” entity like the Pentagon, Ziring said. “Now we’re seeing a broadening. … They’ll also go after companies, and universities, and nonprofits, and civilian government agencies, and state governments.”
The shift in targets, Ziring said, has meant the NSA needs to reassess its partnerships with the Department of Homeland Security and the FBI.
The Cybersecurity Directorate’s director, Anne Neuberger, told reporters that DHS, in turn, has pointed to national critical functions, such as generating and distributing electricity, supplying water or banking. Those areas have long been a priority for the department’s Cybersecurity and Infrastructure Security Agency, led by Chris Krebs.
“‘In a given sector what are the core cross sector vulnerabilities and how [do] you in the intel community understand those so that you’re looking for the threats that we ‘re most concerned about?’” Neuberger recalled Krebs telling her. “We each have pieces of those puzzles,” Neuberger said.
DHS has previously worked with entities in Fort Meade to share information about threats to the banking sector. Through a project internally known as “Project Indigo,” several banks shared information about nation-states hacking targeting them with Cyber Command, which is co-located with NSA, last year.
The DHS itself is seeking more visibility into vulnerabilities in other ways — CISA is currently seeking subpoena power in its efforts to understand which organizations are vulnerable to hacking.