Making intelligence actionable.
The US National Security Agency's new Cybersecurity Directorate held a media roundtable at Fort Meade on October 10th, 2019. That the event was held at all is perhaps the most significant news to emerge from it. The Directorate, which achieved initial operating capability only on October 1st, says it's committed to public education, and the roundtable was part of that outreach.
The Cybersecurity Directorate's mission.
"NSA has always been in cyber." The Cybersecurity Directorate's mission was repeatedly characterized as "prevention" and "eradication" of cyber threats to National Security Systems and the Defense Industrial Base, or, as representatives put it, "keep 'em out and kick 'em out." Neil Ziring, the Directorate's Technical Director, stressed that, while the name is new, the mission is not. Much of that mission was inherited from the old Information Assurance Directorate (IAD), and such responsibilities as providing cryptographic keys are not going away. "Structurally, we're much more unified in the new Directorate," Ziring said. The principal difference between the new Directorate and its IAD predecessor lies in the Cybersecurity Directorate's integration with intelligence analysis.
A view of the threat landscape.
The organization and its mission are perhaps best understood against the background of the current threats. Ziring explained that nation-states used to attack nation-states, but this has changed. State actors now go after companies, universities, not-for-profits (including think tanks), state and local governments, and so forth. The opposition's expansion of its target set changes how NSA confronts the problem. Nation-states have different strategic and operational objectives, and intelligence about these usefully informs US defenses. Ziring and Anne Neuberger, the Cybersecurity Directorate's first Director, called out the familiar "big four" nation-state adversaries: Russia (with a comprehensive interest in disrupting American society, government, and power, notably through information operations), China (focused on developing a dominant economic position, and especially on ways in which intellectual property theft serves that development), Iran (an aggressive player in cyberspace willing to engage in destruction, particularly in the service of regional objectives), and North Korea (whose interests lie principally in redressing the financial shortfalls international sanctions have imposed on that country). These are "very capable" threat actors, Neuberger said, and understanding why they use the techniques they do against their chosen targets is important to preventing and eradicating threats.
The Directorate's customers.
NSA brings knowledge of threat actors to the nation's cyber defenses. "We realized," Neuberger said, "we needed to operationalize our intelligence." Doing so will require providing the customers with context for the intelligence they receive.
The opposition's target set is very heterogeneous, even when one considers only the Defense Industrial Base, and protecting a heterogeneous sector securing a highly diverse ecosystems, is very difficult. The Directorate is looking for different approaches that serve the distinct needs of very different organizations. NSA is committed to conducting more unclassified collaboration, especially with the Defense Industrial Base, and especially with other Government agencies, notably the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).
As a combat support agency (and Neuberger emphasized that this is what the Agency has been and remains), NSA has learned, Neuberger believes, some important lessons that have broader applicability. It's learned that intelligence must be actionable, and that to be actionable, it must be both timely and clearly addressed to the user's needs. This is true whether the intelligence is being provided to a tactical unit in a theater of operations or a small business that supplies sensitive technology.
So while NSA remains a combat support agency, it's committed to serving a much broader set of customers directly. Both Neuberger and Ziring several times cited the Directorate's public warning of October 7th concerning vulnerabilities in widely used commercial virtual private networks as an example of the sort of actionable intelligence it was committed to providing not only its traditional clientele, but the general public as well.
A look at the Integrated Cyber Center/Joint Operations Center.
NSA has certainly grown more accessible to the public over the past few years, but Fort Meade remains far from an open post. Thus it was interesting to visit the Integrated Cyber Center/Joint Operations Center where both the Cybersecurity Directorate and US Cyber Command stand watch. The Center is in a building that opened only in September 2018, and it very much still has its clean look and new-car scent. Our guide was US Air Force Colonel Stephen Landry, who observed that NSA's support for securing the 2018 elections was run from that center.
We were able to observe the Center's floor from the "battle bridge," a conference room whose large window afforded a view of the watch and the displays they used. Five teams succeed one another in continuous shifts that stand watch twenty-four hours a day, seven days a week. They provide, Colonel Landry explained:
- Discovery, analysis, and dissemination of cyber intelligence.
- Creation and sharing of situational awareness in real time.
- Defense against "counter-cyber" adversaries.
- Support to offensive cyber operations.
- Support for crises and contingencies.
- A command post for NSA/Cyber Command operations.
- And mission continuity.
The open-plan workspace could accommodate approximately two-hundred workers, a mix of Government civilian, military, and contractor personnel. Three large display screens dominate the space. They were, as Colonel Landry candidly said at the outset, prepared for the reporters' visit with unclassified material. The choice of unclassified material is worth mentioning: several commercial video news feeds (including one from RT: "we don't necessarily watch that one--it's up there for you"), a big Fortinet cyber attack map with a running display of apparent attack traffic pinging across the globe (mostly, in the US, hitting Washington, St. Louis, and San Francisco), and a Team Cymru Malicious Activity Map. So quick congratulations to Fortinet and Team Cymru: their stuff was chosen for the reporters' visit.
No such agency no more.
Director Neuberger summed up the roundtable as representing a departure from NSA's well-known "no-such agency" approach to public engagement. "Serving in silence" remains very much the core of NSA's culture, but, as she put it, a black box agency is unlikely to be trusted, and trust is more important than ever when an adversary like Russia is principally interested in eroding mutual trust. "It is a culture change. For us to be most effective, we have to be out there. It's not an option. If we're to be effective, we have to be out there and open."