Official: you can still trust the NSA

An NSA official says that despite a major reorganization to merge offensive and defensive cyber capabilities and missions, industry can still trust the guidance it receives from the NSA.

NSA's Curtis Dukes

It might not be as momentous as knocking down the Berlin Wall, but tearing down the barriers between Signals Intelligence and Information Assurance inside the National Security Agency is revolutionary, an NSA official in the thick of those efforts contends.

The NSA is six weeks into "NSA21," which the agency calls the most substantial organizational reform in its 60-year history. Announced earlier this year, NSA21's primary change is flattening the organization and moving it from a mission-based construct to a functional model.

Until recently, Curtis Dukes was the director of NSA's Information Assurance directorate. Now he's deputy national manager of national security systems, in charge of the IA portfolio of the new operations directorate.

"We have a 60-year history of having two missions separate and distinct with common leadership at the top," he said. "Both missions have been highly successful, but where we found difficulties was in sharing between those two missions."

Dukes said that the current reforms have been in the making for the last decade. He said that NSA director Adm. Mike Rogers had two primary objectives.

"One was to propel us for the next decade -- make sure that we're tightly integrated between the two missions -- and that also more importantly was that we're optimized when it comes to cyber, both from exploit as well as from the defense standpoint," he said.

Dukes said that by removing the separation between signals intelligence (offense) and IA (defense), the two groups can better share information about potential vulnerabilities and exploits to further each other's missions.

"What this new organization construct brings is that we can put the best athlete to help with incident response and mitigation," explained Dukes. "We also can have the best athlete help with building better architectures to help the defensive mission. I think that's what we're trying to strive for in that regard."

The reorganization is hardly without controversy, however, in no small part because of the inherent contradiction between the NSA's primary missions. The Signals Intelligence directorate has been responsible for spying and, increasingly, for looking for cyber vulnerabilities to exploit in intelligence gathering. The Information Assurance directorate has been responsible for protecting systems -- government, private sector and international partners -- from exploitation.

Some clients have often wondered if the NSA's guidance came with strings, or more specifically, back doors, to help the signals intelligence mission. And since the announcement of NSA21 there has been more grumbling from some in industry that the NSA cannot fully be trusted.

NSA's reputation in the information assurance business took a hit from leaks by former contractor Edward Snowden that included confirmation that an NSA-approved cryptographic algorithm was deliberately compromised. Still, Dukes said that there has been trust in the past, and that should continue under the new system.

"We understood how things would be attacked from an adversarial standpoint, again from the signals intelligence perspective, and then we would go engage with industry and with international partners and also produce security configuration guidance and best practices based on that information," he said. "We strongly believe in our configuration guidance and our best practices."

One risk Dukes acknowledges is the possibility of compromising aspects of the signals intelligence mission because other nations can use unclassified NSA information to improve their cybersecurity.

"I think there will always be that argument that, well, how do I know if I'm talking to NSA I'm talking to the information assurance mission or to the signals intelligence mission?" Dukes said. "The short answer is that we do wall that off internally here [so that] if we're engaging with industry to help them better secure the product we're doing it for all right and honorable reasons."

So, despite the wall being torn down, Dukes said there will continue to be some degree of internal separation, and the current practice of vetting the release of information about vulnerabilities will continue.

"Prior to NSA21, regardless who found the vulnerability, whether it was the signals intelligence or the information assurance missions, we kick that up to an issue resolution process where both missions debate and discuss the vulnerability," said Dukes. "If one mission said that 'you know we need to release' or another mission said that 'we need to restrict,' it's fiercely debated."

In the last three years, the NSA worked with the FBI and the White House to create the Vulnerabilities Equities Process (VEP) to evaluate whether vulnerability information should be shared with interested parties so they can protect their systems, or whether disclosure would compromise intelligence gathering. Dukes said these tensions, procedures and discussions will continue under NSA21.

"I'm the senior NSA officer that represents NSA in the VEP process, and I'm a fierce advocate for, you know, if I think the nation's at risk, I highlight that, I make that argument both to Admiral Rogers and to [White House cybersecurity advisor] Michael Daniel in that regard," he said. "But it is a vote and each member can have a say in that and ultimately Michael will make a decision whether to disseminate or to restrict."

Dukes said the U.S. needs to do some soul-searching over its cyber defense structures and protocols in general. NSA has authority for national security systems, but does not have the authority to support agencies like the Office of Personnel Management, State Department or Environmental Protection Agency.

"That's where we work closely with DHS and FBI and we use their authorities to go in and do incident response and mitigation," said Dukes. "I don't think we're fully optimized as a nation yet in that regard. I think there's always going to be a bit of a lag for us to then provide support as we work through the authorities issue with DHS and FBI."

Dukes said by the time bureaucratic priorities are sorted out, "you've lost valuable time in order to do defense at cyber speed in that regard, and I think that's what we need to relook at as a nation."

Dukes said he's a fan of the United Kingdom's new National Cyber Security Centre, which puts emphasis on offensive capabilities as well as active cyber defense in collaboration with industry. "I think it's a model that should be looked at from a U.S. perspective as well," said Dukes.

Dukes said that NSA21 is still very much in its early stages and it's too soon to tell if it's on the right track or needs tweaking. He said there will be an internal review in about 90 days to see how things are progressing. One of the biggest challenges will be merging the public-facing culture of IA with the secret culture of signals intelligence.

"Over 60 years those cultures get pretty rigid, so we can't expect that in six weeks that we've, you know, totally changed the culture in the agency," said Dukes.

"In the short term you'll still see us kind of inching along," said Dukes. "But I think a year out, it will just be, 'hey, who's available?' Whether you're signals intelligence or information assurance on this mission, you go in to do support for the nation."

Correction: This article was updated Oct. 18 to correctly state Curtis Dukes' former title of director of NSA's Information Assurance directorate, and to clarify the White House role in establishing the Vulnerabilities Equities Process.
