‘No guns, no guards, no gates.’ NSA opens up to outsiders in fight for cybersecurity
Many of the National Security Agency’s most talented cyberthreat hunters have traded the beige corridors and heavily guarded security perimeter of Fort Meade for a surprisingly located new office — in an unsecured suburban office park in Maryland.
Officials say the pedestrian location is exactly the point: The NSA’s Cybersecurity Collaboration Center is designed to bring NSA cyber analysts closer to outside threat hunters.
By anchoring the center in a largely unclassified environment, NSA officials say they are trying to reduce bureaucratic barriers and make it easier for agency talent to work more closely with increasingly vital private sector security researchers.
“No guns, no guards, no gates,” Morgan Adamski, the director of the CCC, told CyberScoop in an interview. “We want to have a very friendly environment.”
CCC now works with more than 250 partner organizations, most of which are companies within the defense industrial base. NSA officials say they operate more than 200 virtual “collaboration channels” so that CCC analysts and outside threat researchers can communicate more easily. The agency shares insights gleaned from signals intelligence on the collaboration channels in real time. The center has facilitated more than 10,000 “analytic exchanges” between NSA and outside analysts so far this year, officials say.
“You’ve got cybersecurity companies on networks everywhere, worldwide, helping to defend against attacks,” Adamski said. “They have great apertures, capability and expertise. We have different capabilities and authorities. It’s really about bringing those two pieces together.”
About 75% of CCC’s 36,000-square-foot office is unclassified space, reflecting the decision to de-emphasize classified work at the center. When Adamski designed the space she picked a red, white and blue color scheme and chose modular furniture instead of the “NSA beige” that dominates the workspaces at Fort Meade. Unlike the nearby headquarters of the signals intelligence agency, outside researchers can come in to CCC for meetings with relative ease.
The CCC was conceived by White House cyber official Anne Neuberger when she was running the NSA’s Cybersecurity Directorate in 2019. Adamski, a longtime cyber threat analyst at the NSA and the Defense Intelligence Agency, was appointed to run the center in October 2020. A mother of two and a former elite college lacrosse player at the University of North Carolina at Chapel Hill, Adamski has an unpretentious, no nonsense air. So does her Twitter profile, which reads: “NSA’s CCC biggest fan. Mom. Lax Rat. Cyber Queen.”
Informal, quick exchanges between NSA staff and outside threat researchers can pay huge dividends, Adamski says. Before the center had physically opened its doors, its staffers helped discover a critical vulnerability in Microsoft Windows 10 that the NSA released publicly in January 2020. CCC work also led to the April 2020 public disclosure about vulnerabilities in the Microsoft Exchange email app.
“It doesn’t do anybody any good if we know a thing and don’t do something,” NSA Cybersecurity Director Rob Joyce said last month in reference to CCC. “Doing is really the focus in the cybersecurity area. And if you’ve got secrets and understanding and you don’t operationalize those, they don’t count.”
For private researchers and larger companies in the defense industrial base, the CCC has been a godsend. The center has impressive technical talent in house, setting it apart from other such efforts, said Juan Andres Guerrero-Saade, who is senior director of SentinelLabs, a threat intelligence research team at SentinelOne, and a frequent CCC collaborator.
Advanced persistent threat actors from adversarial nation-states will hit the Pentagon one day and a Fortune 500 company the next, and while the NSA has “amazing and unique” visibility into networks, Guerrero-Saade said, security firms such as SentinelOne have a unique understanding of endpoints. By putting the two together, Guerrero-Saade said, both he and the NSA benefit.
“It’s not a one-sided conversation. It’s not the usual government bullshit of, ‘Give us everything and go away, please,’” Guerrero-Saade said about working with Adamski and her team. “That’s why people didn’t want to deal with the government in the past — because you just got bled dry.”
Threat researchers are regularly in touch with CCC technical analysts, a kind of collaboration that security researchers have long sought because they recognize the need to fill gaps in their own work with government intelligence, Guerrero-Saade said.
“I can write to someone right now and just say, ‘Look, we’re working on this China thing’ or they will reach out and just say, ‘Hey, look, here’s indicators. Are you seeing anything?’” Guerrero-Saade said. “The beauty of it is they’ll put it out, we’ll send something back … and it’s like we’re cooking together.”
By combining data from critical infrastructure owners, elite private sector threat analysts, defense industrial base companies, the FBI and CISA and sharing its own cyber threat intelligence with these partners, the NSA ends up with a more complete picture of digital threats.
That the historically staid and insular NSA would be so focused on breaking down walls of a government body once dubbed “No Such Agency” is emblematic of a larger movement within the national security establishment to relax classification rules and allow officials to more openly and efficiently work with industry.
Threat researchers say the CCC represents a major improvement in the secretive agency’s efforts to share information, but smaller companies within the defense industrial base are still struggling to properly use that information. Many small and medium-sized defense industrial base companies are not “mature enough” to leverage the work of the CCC, according to Padraic O’Reilly, chief product officer and co-founder at the firm CyberSaint, which works with defense companies to enhance cybersecurity.
The CCC makes an effort to engage with these smaller players in the defense ecosystem, even if they lack the sophistication of larger players. More than 150 small and medium-sized defense companies participate in special free cybersecurity services the CCC provides.
According to O’Reilly, most companies in the defense industrial base rely on basic security techniques like log aggregation, but do not have the capacity to leverage the sophisticated threat intelligence produced by the NSA. “It’s an uphill battle because of maturity and getting our defense industrial base companies to the point where they can actively collaborate with the NSA,” O’Reilly said. “There’s still a ways to go.”
Updated Nov. 16, 2022: This story has been updated with details about Morgan Adamski’s professional background.