NSA seeks to reassure on merging cyber defense, offense
The NSA’s fabled Information Assurance Directorate may be going away in a major reorganization of the agency at the end of August, but “the mission will continue,” the directorate’s chief said this week.
IAD Director Curtis Dukes told a handful of reporters at a briefing in Washington that his staff would continue protecting the computer networks of the U.S. military and intelligence agencies, as well as working with the FBI, Homeland Security and private sector partners to keep hackers and spies at bay for the civilian government and key industries.
According to an NSA handout, the reorganization, dubbed NSA21, will reconfigure the huge sprawling agency into six directorates:
- Workforce & Support Activities;
- Business Management & Acquisition;
- Engagement & Policy, which the handout says will serve as the NSA’s “‘front door’ to ensure we speak with one voice in all external engagements;”
- Capabilities, responsible for “deploying personnel across the enterprise to support mission operations;” and
- Operations, which will merge the two largest existing directorates — signals intelligence and information assurance.
Crucially, that “operations” segment means, in cyber, offense and defense are playing together for the first time.
Signals intelligence is the foreign espionage mission of the NSA — spying on the nation’s adversaries. Information assurance is the defensive mission.
By presidential fiat, the NSA has direct responsibility for the security of the communications and IT networks of the U.S. military and intelligence agencies. But in recent years, in the face of a rising tide of foreign cyberattacks, its IAD cyber defenders have also increasingly been called upon to provide technical expertise and support to the Department of Homeland Security and Federal Bureau of Investigation — working to identify and kick out hackers who’ve penetrated civilian government or even private sector networks.
“Over the past 24 months, there has not been a single [major cyber] incident where we didn’t [at least] augment the incident response” said Dukes, listing the hacking of the Office of Personnel Management database, and the email compromises at the State Department, the Executive Office of the President and the Joint Chiefs of Staff.
During more than a decade, IAD has developed relationships with industry, Dukes said, highlighting the work done with Microsoft — over what he said was almost two years, 2012-14 — to help mitigate the so-called “Pass the Hash” vulnerability.
“Why do we work with them?” Dukes asked of IT providers. “We need their products for our [government] missions, but we need to make sure those products are as secure as possible … right out of the box.
“We used to do it separately” from the manufacturers, he said, “Now we do it in partnership” — for instance in the agency’s Commercial Solutions for Classified program, which provides guidance for government system managers on how to use commercial software securely on classified systems.
But some in industry now see those relationships as under threat in the merger with signals intelligence.
Offense and defense
Because computers are now the easiest way to spy on people, and because everyone — even U.S. adversaries — uses the same Internet, there has long been what officials like to call a “healthy” or “creative” tension between the foreign espionage mission and the information assurance mission of the NSA.
Crudely put, the IA’s cyber mission is to find security holes in Internet infrastructure and common software and patch them; the signals intelligence mission is to find the same holes and keep them open as long as possible so they can be used to spy on foreigners.
When the two directorates merge, some fear that the much larger and better funded signals intelligence mission will simply absorb the IA mission.
Such concerns are “fair and must be addressed,” former agency deputy director Chris Inglis said.
“In any merger … of course there’s the danger that a smaller component, especially if it’s dramatically smaller, will be overwhelmed by the larger component,” he said, urging the agency leadership “to take care to protect that kernel of strength, that depth of expertise that has been the hallmark of the IAD .. of its success.”
Currently, the signals intelligence directorate is about double the size of IAD, according to historian Matthew Aid, who has written extensively about the agency.
But Inglis said the merger was imperative, driven by the changing information territory on which the agency was fighting. “There’s no more ‘adversary networks’ and ‘friendly networks,'” he said, “there’s only one global network.”
Given that attackers and defenders are now competing on the same terrain, Inglis said, “the things that you learn from one mission should be used to improve the strength and resilience of the other mission.”
“it would be a shame, bordering on a mistake,” not to take advantage of that, he said.
NSA21: A big reorganization, done very quietly
The wholesale reorganization of the huge and sprawling agency, dubbed NSA21, was first flagged last year by the agency’s Director Adm. Michael Rogers, and details have eked out since. Curtis’s briefing this week, however, was the first time officials have publicly addressed questions about it — although his responses were off the record.
Aid said that, even for the notoriously secretive NSA, details of the reorganization have been “extremely closely held.”
“It’s very unusual,” he said, adding that, prior to the agency’s last major reorganization, undertaken by then-Director Gen. Michael Hayden, there had been “a huge roll out,” involving extensive briefings to congressional overseers and “months and months of staff work.”
Congressional sources said overseers had been briefed, but details weren’t available. In guarded public comments, leaders of the intelligence committees from both chambers and both parties have been generally supportive, but with “wait and see” caveats.
“I don’t get the sense that this got the kind of scrutiny you usually get before a major reorganization,” Aid said. “The biggest problem they have right now is that they are drowning in data … How does this help?”
In its handout, the agency says it surveyed 4,500 members of its workforce; conducted 120 focus groups; and interviewed 100 “internal and external stakeholders” while developing the plan.
A question of resources
“One of the thoughts behind this [reorganization] is to reduce costs, to reduce staffing levels,” Aid believes.
“NSA is a very large organization, and probably not the most cost efficient” in the U.S. government, he said.
The NSA budget is classified, but the no-longer secret top line of the nation’s spying spending reveals that U.S. intelligence agencies have in the last few years reached a plateau in their burgeoning budgets.
“Efficiency has got to be a part of any change,” said Inglis, “But first and foremost the leaders [of national security agencies] are accountable for effectiveness, they need to deliver on the expectations of the American people.”
“You have to maintain the distinctions in law and authority,” between the two missions, Inglis stressed, but he added that there were “clear synergies” between them.
When two tribes go to war
Aid, citing NSA staff he’s friendly with, says that the planned reorganization has caused “consternation” among some at the agency.
“They are almost like two different tribes,” he said of the signals intelligence and information assurance directorates. The one dominated by a military culture, the other growing out of the agency’s engagement with a group of rather un-military west coast cryptographers.
Former IAD Director Dickie George says that, despite that cultural divide, “on both offense and defense, it’s the same people, the same techniques and they’ve always talked.”
“As far as the deep technical work [goes] … Over the years, the offensive and defensive people, the technical people [on both sides] have worked hand-in-hand, sharing techniques, sharing technologies.”
He believes the real issue will lie elsewhere — in people’s perceptions about the merger.
“You do worry that there’s be a perception issue,” he said, but that was nothing new. “You always had to establish trust when working with people outside … There’s always a perception issue with the NSA. It’s something I had to deal with my whole career,” said George, a mathematician by training, who worked there from 1970 until his retirement in 2011.
Notwithstanding any perception problems, Aid predicted the merger “shouldn’t affect the relationships” IAD has with the private sector and civilian government. Officials “will continue to fulfill all the exact same functions” — they’ll go to the same meetings, do the same work.
“But it’s being demoted,” said Aid.
Inglis sees it differently, “Even though IA is the smaller of the two” missions, he said, “The strong bias has to be to defense as job one.”
He said those with concerns about the merger were looking through the wrong end of the telescope.
Because the new operations directorate was equally responsible for both missions, he said, “This truly is a clarion call to the signals intelligence organization that they’re now accountable for the success of the defensive mission as much as their own. They need to ensure through the application of their resources, the choices they make that they’re making a material contribution to the information assurance mission.”