NSA’s Information Assurance Directorate at a crossroads

Although often overshadowed by the far bigger Signals Intelligence Directorate, IAD’s mission of protecting sensitive information on government networks is more important than ever.

The National Security Agency is at a crossroads, and the key to its compass is the agency’s Information Assurance Directorate.

Although overshadowed by the bigger — and, for some, more intriguing — Signals Intelligence Directorate, IAD’s mission of protecting sensitive information on national security systems is more important than ever. There are not enough hours in the day and, some say, not enough hands on deck at IAD to deal with the incessant stream of vulnerabilities surfacing on government and private-sector networks.

In essence, IAD’s mission includes discovering software flaws, and part of the Signals Intelligence Directorate’s mission is exploiting them. NSA Director Adm. Michael Rogers is keen on forging closer interaction between the two directorates, which, despite years of inching toward each other, are still too far removed from each other for his taste.

“This traditional approach we had where we created these two amazing cylinders of excellence and then we built walls of granite between them really is not the way for us to do business,” he said at an Atlantic Council event in January.

“I don’t like these stovepipes that sit in IAD,” added Rogers, who also leads the military’s five-year-old Cyber Command. “I love the expertise and I love when we work together, but I want the integration to be at a much lower level, much more foundational.”

He is on the cusp of unveiling what he says is the biggest reorganization of NSA in more than 15 years. Details are still under wraps, but Rogers has made it clear that the agency must do better at blending signals intelligence and information assurance to reap a good harvest in the age of big data.

He is not the first NSA chief to push the two directorates closer together. Not long after becoming director in 1996, Lt. Gen. Kenneth Minihan decided to put information assurance resources in the agency’s signals intelligence hub, the National Security Operations Center, said Chris Inglis, who was then a senior operations officer at NSOC.

Minihan’s change “was a big deal” because it helped operationalize information assurance, said Inglis, who retired as deputy NSA director in 2014.

He said another turning point for the role of information assurance at NSA was Operation Buckshot Yankee, the Defense Department’s response to a 2008 breach of its classified systems. IAD specialists played a key role in detecting and mitigating the malicious code, Inglis added.

“That put information assurance on a very solid operational footing,” he told FCW.

Nonetheless, Rogers still sees a disconnect between the two directorates and believes that collaboration is starting too far up the chain.

“The way we do it right now, largely the director — Rogers — is kind of the master integrator, and I’ve told the team…that’s bad for us,” Rogers said. “We’ve got to be flat, we’ve got to be agile.”

The computer scientist in charge

IAD is led by computer scientist Curt Dukes. During a recent conversation in his office on the sprawling grounds of Fort Meade, Dukes described the daunting challenge his 3,000-person directorate has in training DOD’s future cybersecurity professionals and cleaning up major public- and private-sector hacks.

After the large-scale breach of Office of Personnel Management systems that exposed personal data on some 22 million people, Dukes said IAD provided eight to 10 specialists at any given time to help with forensics.

IAD staff also analyzed the hack of Sony Pictures Entertainment in November 2014, though Dukes said they were not actually on the film studio’s network. And IAD has recently instructed DOD and other federal agencies to swiftly patch the dangerous backdoor discovered in Juniper Networks firewalls, he added.

IAD analysts have been summoned for help in every big hack in the past 18 months, Dukes said, with varying degrees of involvement in the response. If that trend holds, “we will continue to have resource pressures from that.”

To conserve resources, IAD has sought to “train the trainers.” The directorate’s employees — about 80 percent of whom come from fields such as computer science, math and engineering — train Cyber Command personnel and bring those trainees up to what Dukes said is the “NSA standard for cyber defense.” Once the students have met that standard, Cyber Command does its own in-house training.

IAD trained a Cyber Command team that deployed to a U.S. military facility to analyze vulnerabilities in the supervisory control and data acquisition (SCADA) systems there, a deployment made in response to growing concerns about such weaknesses, according to Dukes. For nearly a decade, he said, IAD has been focused on weaknesses in industrial control systems (ICS) such as the SCADA systems that underpin the power grid. In the past year or so, U.S. officials’ concerns about those vulnerabilities have become more apparent.

In testimony to Congress in November 2014, Rogers predicted that a nation-state or rogue group would likely launch a major cyberattack on U.S. critical infrastructure networks before 2025. At the time, he said nation-states and other actors had done reconnaissance on U.S. critical infrastructure networks in preparation for a potential hack of control systems. That fear came to the fore recently when it was revealed that Iranian hackers had infiltrated a New York dam’s control system.

Given that a control system can stay in the field for years and develop vulnerabilities as it is outpaced by newer, more secure systems, Dukes said his specialists develop “wrappers,” or layers of encryption, that can be overlaid on ICS command and control links. But it would save IAD significant time and money if IT vendors built such security controls into their products from the start.

“It never scales for us to constantly have to go out and send cyber defense forces to actually do assessments,” Dukes said.

Jekyll and Hyde

NSA, of course, wants to exploit ICS weaknesses in other countries, and the agency’s Jekyll and Hyde approach to software vulnerabilities is on display in what is known as the Vulnerabilities Equities Process. Officials use the interagency tool to decide which discovered vulnerabilities to disclose to the private sector and which to hoard for exploitation by NSA or Cyber Command.

Historically, NSA has revealed more than 91 percent of the vulnerabilities it has discovered, the agency said in a recent statement. But that still seems to leave many zero-day bugs unknown to Internet users.

Dukes is NSA’s representative in the zero-day disclosure process, which is led by Michael Daniel, President Barack Obama’s top cybersecurity adviser.

“It’s a thoughtful discussion, trying to understand offensive capability but also understand the risk to the government in not disclosing that vulnerability,” Dukes said.

IAD and the Signals Intelligence Directorate try to agree on which vulnerabilities to disclose, but if they can’t, Rogers makes the final decision, Dukes said. The process has grown more robust as more federal agencies have discovered vulnerabilities, he added.

In the midst of an ongoing lawsuit brought by the Electronic Frontier Foundation, NSA recently released documents with newly unredacted sections that confirm that zero-day vulnerabilities were stockpiled for use in domestic law enforcement, counterterrorism activities, espionage and intelligence gathering.

In January, Rogers said NSA would increasingly focus on bolstering the cyber defense of weapons systems in 2016, and that monumental task will fall to IAD.

Dukes, meanwhile, referred to an “incredibly long list” of weapons systems that DOD has given his directorate to review for vulnerabilities that need to be patched. The directorate will only get to a handful of those reviews in this fiscal year, he said. His goal is to automate the process of probing weapons systems for weak IT security, but “we’re just not resourced to do that at the moment.”

IAD’s website includes a list of top technology challenges for 2016, and they are defined as “things we don’t know how to do but need to.” Among them are predicting and measuring the impact of breaches on the ability of defense systems to continue operating. Dukes said his strategy involves mapping the life cycle of a hack and determining how well certain defensive measures can hold up under sustained cyber assaults.

Reconnecting with the private sector

Historically, IAD has had a fairly close relationship with the private sector, whose IT systems the directorate has helped fortify, according to Dukes. That relationship soured considerably after the scale of NSA’s surveillance programs was made public by former contractor Edward Snowden.

The revelations included evidence that NSA had subverted an encryption standard issued by the National Institute of Standards and Technology, an impartial government body that IT professionals rely on for guidance.

Dukes would not comment on “claims by outside cryptographers on whether we did or didn’t” have a hand in weakening the NIST standard. He only said the agency “does not intentionally weaken cryptographic standards” and added that his directorate has a “huge dependence” on such commercial standards.

He said the directorate has worked hard to repair its relationship with the private sector since Snowden’s revelations. “Industry sometimes can have a hard time” dissociating NSA’s signals intelligence and information assurance missions, he said, “so they tend to brand us as NSA.”

Nonetheless, IAD’s focus on creating strong “protection profiles,” or security recommendations for commercial products, has helped revitalize the relationship with the private sector, Dukes said.

All hands on deck

Dukes preferred not to talk about NSA’s pending reorganization and how it will affect his directorate because he did not want to preempt the agency’s public announcement. His prognosis for the future was more general as he talked about the next generation of IAD analysts.

Baby boomers like Dukes, a three-decade veteran of the agency, are becoming a rarer breed. Millennials are more likely to change jobs every few years, and the directorate must adapt to that, he said.

“I actually think it’s healthy for the country because those folks will be trained in cyber defense, and they rotate out to the private sector…and then actually apply what they learned here,” Dukes added.

Brendan Conlon, who worked in computer network operations at NSA for a decade, said IAD’s “blue team” network defenders are invaluable to the agency not only because of their technical expertise but also for their ability to work with other agencies and the private sector during breaches. Those specialists also happen to be the people most likely to leave NSA for lucrative jobs in the private sector, he added.

With regard to the IAD workforce, Inglis said, “The people they have are good; they don’t have enough of them.” Furthermore, IAD’s budget has not matched the importance of its mission in recent years because information assurance is a “harder sell” to lawmakers.

As NSA leaders prepare for the reorganization, it is clear to everyone that there must be “some professional intimacy” between the signals intelligence and information assurance missions, one that is reflected in career development and operations, Inglis said. And he argued that more tightly coupling the two directorates would not make the agency more inclined to withhold vulnerabilities for exploitation rather than patching them.

However the agency changes structurally, Dukes said his basic mission to protect sensitive government information would continue. Ongoing attempts by hackers to penetrate classified networks mean the demand for information assurance has never been greater.