When Russia’s Foreign Intelligence Service staged a sweeping espionage campaign targeting hundreds of U.S. companies and federal government agencies last year, it was a private sector cybersecurity firm that first uncovered the operation, not the U.S. government.
Lawmakers have asked in recent weeks why the U.S. intelligence community appears to have gaps in its visibility into foreign hacking, and whether the National Security Agency needs new surveillance authorities. But the NSA’s cybersecurity director, Rob Joyce, suggested that that may not be the best solution.
“Inside the U.S. you would expect us to have the best tools and capabilities, but instead what we’re finding — in General Nakasone’s words — is we don’t even see the dots, let alone connect the dots,” Joyce said at CyberTalks, a summit presented by CyberScoop.
The NSA Cybersecurity Directorate, which Joyce leads, is responsible for preventing and eradicating threats from foreign hackers targeting U.S. entities.
The Russian spy agency hackers that the U.S. government blamed for the espionage campaign subverted the NSA’s watchful eye, however, by booby-trapping a software update from the federal contractor SolarWinds.
Intelligence officials have said spies launched their campaign with a significant amount of stealth, in part because they used domestic infrastructure to wage their campaign, skirting around the intelligence community’s visibility into their activities.
General Paul Nakasone, the NSA director, and FBI Director Christopher Wray, have acknowledged in testimony on Capitol Hill in recent months that the intelligence community doesn’t have full visibility into foreign hackers’ operations when they are within the country.
Even so, Joyce told CyberScoop he is not concerned about a loss of confidence in the NSA’s capabilities following this incident.
“I think we have some of the most incredible talent, capabilities, reach, and … proactive stance of anybody,” he added. “There’s a value seen when NSA comes to the table, whether it’s a corporate partner or other government agencies, I think they recognize we bring some really hefty opportunities when we’re involved.”
Joyce clarified that the conversations the NSA has been having with lawmakers are not about granting the spy agency more surveillance authorities.
There has been “some discussion about whether that was a big plea for domestic authorities for NSA — it was not,” Joyce said. “It was us asking to have the discussion [about how] the current system has some gaps and seams [and] what are we going to do?”
Joyce was adamant that the tone of the conversation not shift to expecting the U.S. government to function as a crisis and incident response unit for major hacks.
“I don’t want the federal government to be known for outstanding incident responses — that’s important after there’s an intrusion we’ve got to be good at figuring out what went wrong and working backwards,” Joyce said. “We need to be left of theft, we need to be in the job of preventing intrusions.”
Joyce noted that any proposal that will truly address the intelligence community’s difficulty tracking foreign hacking threats must weave together both signals intelligence the NSA gathers on foreign hacking threats with information the private sector collects.
“That takes intelligence, that takes some collaboration, and it’s also really … vital that it can’t be just a government solution, and it can’t just be an industry solution, because we both have parts and pieces that we’re not going to see ourselves,” Joyce said.
But as far as preventing the hacking goes, for now, Joyce suggested it doesn’t look like the NSA Cybersecurity Directorate is going to be getting many additional resources.
“I don’t think in this era of budgets we can expect a massive scale up,” Joyce said. “Nobody ever has enough to defend cyberspace … What we need to is work smarter with what we have.”