The NSA Braces For Perfect Storm Of Cyber Risks
The agency pursues capabilities to strike down the coming threat.
A lightning strike last year delivered a new way for Marianne Bailey, the National Security Agency’s new deputy national manager for national security systems, to illuminate the cybersecurity threat.
The bolt burned Bailey’s house, and the burglar alarm was one of the last items she replaced. “The poor burglar alarm guy was telling me about all this great capability where I can get this thing on my smartphone, and I can turn it on and turn it off,” she relates.
Her response: “I want the dumb one that’s not connected to Wi-Fi.”
The representative insisted that most customers appreciate the capability. “Everybody loves the convenience and the capability it gives them, but anybody else can also get in there and turn my alarm on and off,” she counters.
Bailey now uses the incident to make a point about the cybersecurity threat. “We’re in this perfect storm of a very sophisticated, much more pervasive threat and of adversary capabilities,” she says. “It’s impossible to not think you’re going to be had or to think the adversary is not in your network. We can’t get numb to that.”
Bailey, who was appointed to her position in July, has a twofold mission. The first element is internal to the National Security Agency (NSA). She has mission and resource oversight authority for what the agency formerly called the Information Assurance Directorate. The directorate was reorganized under the NSA21 initiative, launched early last year. Agency officials describe the reorganization as the most comprehensive in 15 years.
The second part of the mission is much broader. Bailey is charged with guarding national security systems across the entire government, including information systems used for intelligence collection, military command and control, and operation of major weapon systems. Responsibility for national security systems is delegated from the president to the secretary of defense to the NSA commander to Bailey’s office.
Bailey wants to dispel any notion that the agency is weak in the cyber arena, despite a series of embarrassing cybersecurity breaches. “I want everyone to know it is absolutely the opposite, and I just really want to make sure [the agency’s] alive and well and stronger than ever,” she says. “The adversaries are upping their game, so we need to up our game.”
Upping the game includes defending present and future systems against the pending threat posed by quantum computers, which will likely break modern encryption algorithms. “If somebody develops a cryptographically relevant quantum computer, many of the things we have today will not be secure. We absolutely believe our adversaries are going to develop a quantum computer,” she warns. “Everybody is working very hard on it across the globe.”
That is why one of her top goals is to develop and deploy quantum-resistant algorithms. She points out that many cryptographic algorithms deployed three, four or even five decades ago are still in use, even with major military weapons platforms. “A lot of those algorithms that we’re using we know are reaching end of life and would be susceptible. We’ve been looking a lot at quantum-resistant cryptography,” Bailey says.
The agency has identified the systems most at risk from quantum computers and has initiated “mechanisms and mitigations we can take to protect ourselves with an interim approach,” she reports. “And then we’re looking to develop a more holistic program.”
Another priority, Bailey says, is “enforcing cybersecurity engineering and architecture,” which boils down to protecting systems built without cybersecurity in mind and ensuring that new systems integrate cyber protections from the get-go. “That’s the whole intent of cybersecurity engineering and architecture. You have to design something to be secure, and then you constantly have to keep an eye on it and monitor it,” she asserts. “Our current weapon systems and our next-gen weapons are going to be our focus.”
Maximizing threat-driven activities is her third priority, and the NSA21 reorganization makes that task easier, she says. The plan essentially combined the offensive and defensive missions into one directorate. The signals intelligence (SIGINT) mission collects data on other nations, while the information assurance side protects U.S. systems to prevent intelligence gathering by other countries.
Following the reorganization, the two sides work more closely together. “The intent was to do an even stronger integration. We are using every bit of threat intelligence that comes to us from our SIGINT side of the house to make sure we’re bolstering our defenses,” Bailey reports.
She cites the benefits of a comprehensive review officially named with a cumbersome acronym pronounced the same as NASCAR. NSCSAR stands for Non-secure Internet Protocol Router Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNET) Cybersecurity Architecture Review.
“It’s the first time we ever did a detailed [map] of all of the defense-in-depth capabilities that we have across the entire department. And then we dumped on top of that all of the threat stuff that we’re seeing—every cyber attack that came in and how it was successful or how it wasn’t successful,” Bailey explains. “We took all of this and we looked at where we have gaps in this whole defense-in-depth architecture and where we should invest money.”
She touts innovative research and development as her fourth priority, stressing the need to partner with industry. “Cybersecurity is not just a Defense Department thing. Every single company is facing these same problems and issues that we are, so you get this great innovation and development from private industry,” Bailey says.
She also emphasizes the need to continue strengthening international relationships. “One of the areas I’m pushing on is common standards for security across all of our allies and NATO. I can’t underestimate the importance of that,” Bailey states. “We’ve always pushed for common standards. I’m just going to push much harder.”
Common standards, she indicates, will improve interoperability and information sharing among international partners and make doing business in multiple countries easier for industry. “We don’t want the commercial vendors to have to develop different levels of security in different countries because then it’s hard for us to know what we have when we’re partnering with other players,” Bailey explains.
She adds that if the United States and its allies do not establish common standards, then others might. “Our adversaries are pushing hard for common standards, but they want it to be their standards. That’s one of the reasons I want to push even harder,” Bailey offers.
Automation also is important for the NSA to take its cyber game to the next level, she indicates. “We’re working very hard, and so is industry, to do a lot of these things in an automated fashion. The faster we can roll out these automated cyber defense activities, the better off we’re going to be,” Bailey asserts.
One of the greatest challenges for the NSA and the rest of the cybersecurity community is a shortage of talent, she says. Bailey describes the difficulties the younger generation has working in a secured environment in which cellphones are not allowed. But it may not be the younger generation that forces change. “Bringing [cellphones] in causes so many security issues for us, but it’s something we’re looking at. We’re going to have to find a solution because now we have people whose pacemakers are online, and they need to be monitored by their doctor,” she notes.
Nonetheless, the NSA needs to continue focusing on protocols to stop dangerous insider threats, Bailey says. The agency has tightened network security, further restricted classified information, and implemented training and education programs. “We have taken on huge efforts at NSA to counter the insider threat, and we just have to keep pushing on it,” she says.
Although the overall threat has grown more sophisticated, the simple attacks still work all too often. Patches and password changes could have prevented some recent global cyber attacks. Up to 95 percent of cyber attacks are still based on the basics, Bailey asserts.
“What keeps me up at night is the thing we’re going to miss and how impactful that’s going to be. Or the person who didn’t know, didn’t understand. I don’t know that you can reach every single person all the time,” she says.
The threat, she continues, is wide and varied. “You see cyber attacks for all kinds of different reasons, whether it’s money with ransomware or whether it’s destruction or terrorism,” Bailey offers. “It’s a crazy world out there.”