Rapidly and proactively sharing intelligence on cyberthreats with industry and critical infrastructure providers “can really make a big and decisive difference,” Rob Joyce, director of the NSA Cybersecurity Directorate, said Wednesday.
It’s one of the key lessons his agency “took away personally” from the ongoing war in Ukraine, Joyce said at the Trellix Cybersecurity Summit in Washington.
“Over time, I’ve changed my view about what it is to protect sources and methods,” Joyce said, noting that in his 30-plus years at NSA “it’s in our DNA” to protect sources and methods to ensure the ability to “know secrets into the future.”
But “what we know is often not sensitive, it is how we know it,” Joyce said. “We can make available the insights about what we know without putting at risk how we know it. That’s really an inflection point that lets us get to more prolific, more extensive and more closely sharing for operational outcomes.”
Joyce added that “it doesn’t do anybody any good if we know a thing and don’t do something. Doing is really the focus in the cybersecurity area. And if you’ve got secrets and understanding and you don’t operationalize those, they don’t count.”
Joyce pointed to what he called the “maturation” of the NSA’s Cybersecurity Collaboration Center as the venue for “working with industry to operationalize those ideas.” Information is shared with technology providers, major infrastructure providers and others, “who can then take action at scale.”
A recent example of such information sharing came earlier this month when the NSA, the FBI and the Cybersecurity and Infrastructure Security Agency released a joint advisory warning of state-aligned hackers using Impacket, an open-source toolkit to aid in network compromise, and a custom data exfiltration tool known as CovalentStealer against an unnamed defense industrial base entity.
More broadly, the U.S. government has been more aggressive about sharing intelligence about Russian plans, both in the days before the Feb. 24 invasion and since, as part of an effort to disrupt Russian attacks on Ukraine.
“When we set up that protection, protecting us protects you,” he said.
There have been 8,500 “analytic exchanges” through the center this year, where analysts from NSA collaborate with analysts from private industry are “chasing a specific lead and following that through, back and forth in an iterative fashion where we both [come] to understand it much, much better than either of us is going to get to by ourselves.”