NSA’s Information Assurance Directorate at a crossroads

Although often overshadowed by the far bigger Signals Intelligence Directorate, IAD’s mission of protecting sensitive information on government networks is more important than ever.

Curt Dukes, head of the NSA's Information Assurance Directorate, described the daunting challenge his 3,000-person directorate has in training DOD's future cybersecurity professionals and cleaning up major public- and private-sector hacks.

The National Security Agency is at a crossroads, and the key to its compass is the agency’s Information Assurance Directorate.

Although overshadowed by the bigger — and, for some, more intriguing — Signals Intelligence Directorate, IAD’s mission of protecting sensitive information on national security systems is more important than ever. There are not enough hours in the day and, some say, not enough hands on deck at IAD to deal with the incessant stream of vulnerabilities surfacing on government and private-sector networks.

In essence, IAD’s mission includes discovering software flaws, and part of the Signals Intelligence Directorate’s mission is exploiting them. NSA Director Adm. Michael Rogers is keen on forging closer interaction between the two directorates, which, despite years of inching toward each other, are still too far removed from each other for his taste.

“This traditional approach we had where we created these two amazing cylinders of excellence and then we built walls of granite between them really is not the way for us to do business,” he said at an Atlantic Council event in January.

“I don’t like these stovepipes that sit in IAD,” added Rogers, who also leads the military’s five-year-old Cyber Command. “I love the expertise and I love when we work together, but I want the integration to be at a much lower level, much more foundational.”

He is on the cusp of unveiling what he says is the biggest reorganization of NSA in more than 15 years. Details are still under wraps, but Rogers has made it clear that the agency must do better at blending signals intelligence and information assurance to reap a good harvest in the age of big data.

He is not the first NSA chief to push the two directorates closer together. Not long after becoming director in 1996, Lt. Gen. Kenneth Minihan decided to put information assurance resources in the agency’s signals intelligence hub, the National Security Operations Center, said Chris Inglis, who was then a senior operations officer at NSOC.

Minihan’s change “was a big deal” because it helped operationalize information assurance, said Inglis, who retired as deputy NSA director in 2014.

He said another turning point for the role of information assurance at NSA was Operation Buckshot Yankee, the Defense Department’s response to a 2008 breach of its classified systems. IAD specialists played a key role in detecting and mitigating the malicious code, Inglis added.

“That put information assurance on a very solid operational footing,” he told FCW.

Nonetheless, Rogers still sees a disconnect between the two directorates and believes that collaboration is starting too far up the chain.

“The way we do it right now, largely the director — Rogers — is kind of the master integrator, and I’ve told the team…that’s bad for us,” Rogers said. “We’ve got to be flat, we’ve got to be agile.”

The computer scientist in charge

IAD is led by computer scientist Curt Dukes. During a recent conversation in his office on the sprawling grounds of Fort Meade, Dukes described the daunting challenge his 3,000-person directorate has in training DOD’s future cybersecurity professionals and cleaning up major public- and private-sector hacks.

After the large-scale breach of Office of Personnel Management systems that exposed personal data on some 22 million people, Dukes said IAD provided eight to 10 specialists at any given time to help with forensics.

IAD staff also analyzed the hack of Sony Pictures Entertainment in November 2014, though Dukes said they were not actually on the film studio’s network. And IAD has recently instructed DOD and other federal agencies to swiftly patch the dangerous backdoor discovered in Juniper Networks firewalls, he added.

IAD analysts have been summoned for help in every big hack in the past 18 months, Dukes said, with varying degrees of involvement in the response. If that trend holds, “we will continue to have resource pressures from that.”

To conserve resources, IAD has sought to “train the trainers.” The directorate’s employees — about 80 percent of whom come from fields such as computer science, math and engineering — train Cyber Command personnel and bring those trainees up to what Dukes said is the “NSA standard for cyber defense.” Once the students have met that standard, Cyber Command does its own in-house training.

IAD trained a Cyber Command team that deployed to a U.S. military facility to analyze vulnerabilities in supervisory control and data acquisition systems there in response to growing concerns about vulnerabilities, according to Dukes. For nearly a decade, he said, IAD has been focused on weaknesses in industrial control systems (ICS) such as the SCADA systems that underpin the power grid. In the past year or so, U.S. officials’ concerns about those vulnerabilities have become more apparent.

In testimony to Congress in November 2014, Rogers predicted that a nation-state or rogue group would likely launch a major cyberattack on U.S. critical infrastructure networks before 2025. At the time, he said nation-states and other actors had done reconnaissance on U.S. critical infrastructure networks in preparation for a potential hack of control systems. That fear came to the fore recently when it was revealed that Iranian hackers had infiltrated a New York dam’s control system.

Given that a control system can stay in the field for years and develop vulnerabilities as it is outpaced by newer, more secure systems, Dukes said his specialists develop “wrappers,” or layers of encryption, that can be overlaid on ICS command and control links. But it would save IAD significant time and money if IT vendors built such security controls into their products from the start.

“It never scales for us to constantly have to go out and send cyber defense forces to actually do assessments,” Dukes said.

Jekyll and Hyde

NSA, of course, wants to exploit ICS weaknesses in other countries, and the agency’s Jekyll and Hyde approach to software vulnerabilities is on display in what is known as the Vulnerabilities Equities Process. Officials use the interagency tool to decide which discovered vulnerabilities to disclose to the private sector and which to hoard for exploitation by NSA or Cyber Command.

Historically, NSA has revealed more than 91 percent of the vulnerabilities it has discovered, the agency said in a recent statement. But that still seems to leave many zero-day bugs unknown to Internet users.

Dukes is NSA’s representative in the zero-day disclosure process, which is led by Michael Daniel, President Barack Obama’s top cybersecurity adviser.

“It’s a thoughtful discussion, trying to understand offensive capability but also understand the risk to the government in not disclosing that vulnerability,” Dukes said.

IAD and the Signals Intelligence Directorate try to agree on which vulnerabilities to disclose, but if they can’t, Rogers makes the final decision, Dukes said. The process has grown more robust as more federal agencies have discovered vulnerabilities, he added.

In the midst of an ongoing lawsuit brought by the Electronic Frontier Foundation, NSA recently released documents with newly unredacted sections that confirm that zero-day vulnerabilities were stockpiled for use in domestic law enforcement, counterterrorism activities, espionage and intelligence gathering.

In January, Rogers said NSA would increasingly focus on bolstering the cyber defense of weapons systems in 2016, and that monumental task will fall to IAD.

Dukes, meanwhile, referred to an “incredibly long list” of weapons systems that DOD has given his directorate to review for vulnerabilities that need to be patched. The directorate will only get to a handful of those reviews in this fiscal year, he said. His goal is to automate the process of probing weapons systems for weak IT security, but “we’re just not resourced to do that at the moment.”

IAD’s website includes a list of top technology challenges for 2016, and they are defined as “things we don’t know how to do but need to.” Among them are predicting and measuring the impact of breaches on the ability of defense systems to continue operating. Dukes said his strategy involves mapping the life cycle of a hack and determining how well certain defensive measures can hold up under sustained cyber assaults.

Reconnecting with the private sector

Historically, IAD has had a fairly close relationship with the private sector, whose IT systems the directorate has helped fortify, according to Dukes. That relationship soured considerably after the scale of NSA’s surveillance programs was made public by former contractor Edward Snowden.

The revelations included evidence that NSA had subverted an encryption standard issued by the National Institute of Standards and Technology, an impartial government body that IT professionals rely on for guidance.

Dukes would not comment on “claims by outside cryptographers on whether we did or didn’t” have a hand in weakening the NIST standard. He only said the agency “does not intentionally weaken cryptographic standards” and added that his directorate has a “huge dependence” on such commercial standards.

He said the directorate has worked hard to repair its relationship with the private sector since Snowden’s revelations. “Industry sometimes can have a hard time” dissociating NSA’s signals intelligence and information assurance missions, he said, “so they tend to brand us as NSA.”

Nonetheless, IAD’s focus on creating strong “protection profiles,” or security recommendations for commercial products, has helped revitalize the relationship with the private sector, Dukes said.

All hands on deck

Dukes preferred not to talk about NSA’s pending reorganization and how it will affect his directorate because he did not want to preempt the agency’s public announcement. His prognosis for the future was more general as he talked about the next generation of IAD analysts.

Baby boomers like Dukes, a three-decade veteran of the agency, are becoming a rarer breed. Millennials are more likely to change jobs every few years, and the directorate must adapt to that, he said.

“I actually think it’s healthy for the country because those folks will be trained in cyber defense, and they rotate out to the private sector…and then actually apply what they learned here,” Dukes added.

Brendan Conlon, who worked in computer network operations at NSA for a decade, said IAD’s “blue team” network defenders are invaluable to the agency not only because of their technical expertise but also for their ability to work with other agencies and the private sector during breaches. Those specialists also happen to be the people most likely to leave NSA for lucrative jobs in the private sector, he added.

With regard to the IAD workforce, Inglis said, “The people they have are good; they don’t have enough of them.” Furthermore, IAD’s budget has not matched the importance of its mission in recent years because information assurance is a “harder sell” to lawmakers.

As NSA leaders prepare for the reorganization, it is clear to everyone that there must be “some professional intimacy” between the signals intelligence and information assurance missions, one that is reflected in career development and operations, Inglis said. And he argued that more tightly coupling the two directorates would not make the agency more inclined to withhold vulnerabilities for exploitation rather than patching them.

However the agency changes structurally, Dukes said his basic mission to protect sensitive government information would continue. Ongoing attempts by hackers to penetrate classified networks mean the demand for information assurance has never been greater.
