NSA Collaboration Center Cuts Cybersecurity Chaos
Morgan Adamski, the director of the National Security Agency’s (NSA’s) Cybersecurity Collaboration Center, candidly indicates that cybersecurity can be messy. But by sharing information and working closely with companies large and small, her organization helps cut through the craziness.
The NSA established the collaboration center in December 2020 to work with industry, other U.S. agencies and international partners to protect the defense industrial base from foreign cyber activity. The industrial base is made up of those companies working with the Defense Department on a variety of programs and technologies, such as cryptography, weapons and space, and nuclear command and control, along with major service providers.
The collaboration center offers free services to industry, including protective domain name services, attack surface management and threat intelligence collaboration.
In the very first year, according to an NSA article, the center disclosed a number of vulnerabilities, including a series of five critical vulnerabilities in Microsoft Exchange, to be patched by the vendor. The center worked across sectors with the Cybersecurity and Infrastructure Security Agency (CISA) exploring threats to 5G security, releasing a series of threat-informed papers, processing more than 3.8 billion queries, and blocking more than 6.5 million malicious domains, including known Russian spear-phishing, botnets and malware. It also participated in technical committees that developed 12 international standards in secure internet protocols, 5G security and enterprise IT security.
And things haven’t slowed since. “It’s been a crazy three years,” Adamski said during a recent interview with SIGNAL Media. Adamski estimates that the organization has had 30,000 analytical conversations with partners within the past year.
Asked what to expect from the collaboration center in the coming year, she explained why that would be hard to predict. “At the Cybersecurity Collaboration Center, what I will tell you is that every single day, we’re dealing with a different vulnerability. Malicious nation-state activity against the critical infrastructure is a constant crisis when we’re supporting things like Russia-Ukraine and Israel-Hamas. We’re involved in every single crisis and conflict the National Security Agency can contribute to,” she said. “My hope is that maybe we don’t have our typical cybersecurity year, but since I’ve been here, I think we’ve had SolarWinds, Log4j and MOVEit. We’ve had so many cybersecurity incidents that I’m sure we’re in for another year of just having to deal with the chaos.”
During the interview, Adamski gave the impression of someone who thoroughly enjoys the job, joking a few times and laughing as she mentioned the craziness and chaos but also speaking with conviction about the mission and the collaboration center’s successes. “Through all of those crises, we are constantly having successes with our industry partners, where they’re giving us lead information, or we’re enabling them for defensive measures.”

The collaboration center is a new way of doing business for the NSA. The center was built in an open business park outside of the NSA perimeter, deliberately eliminating barriers, physically and symbolically, between the agency and the outside world. “What we have found by establishing the collaboration center and the standup of the Cybersecurity Directorate is that the private sector has essentially drastically changed the way the NSA cybersecurity mission operates on a daily basis,” Adamski stated. “It has enabled us to get to attribution of specific incidents faster because we’ve been able to correlate what we know from our insights with what the private sector knows, and it’s given us the amplifying information to really make attribution as quickly as possible.”
She noted that the NSA used to share information with industry indirectly, but the collaboration center changed that. “We have a lot of insights. We’ve been doing cybersecurity for a number of decades. We really have followed and tracked the key nation-state adversaries, cyber actors that are looking to do espionage and various things against our most critical infrastructure. We typically have shared that information through our other interagency partners, which is great in certain circumstances. But for us, we wanted to be able to enable that real-time conversation between our subject matter experts and their net defenders. Because the conversation is really where the value is.”
The result is that information is being shared much more quickly. “And to give you an idea, we’re now sharing information within minutes and hours when it used to be weeks and months. And that change and how we are operationalizing intelligence to empower our partners is a huge cultural shift for the National Security Agency,” she said. “Taking information from a classified environment to an unclassified environment and getting it for someone so that they can do something with it from an actionable perspective is a risky decision, but we’re seeing that it’s well worth it.”
To share the information, NSA personnel determine who would be the best partners to share the information with based on their capabilities, insights and customer base. They then sanitize the information, meaning they decide which bits are “actionable,” get it to the lowest possible classification level and then share it via whichever of their 350 “collaboration channels” would be most relevant. “And that is all happening fairly quickly now in an almost automated fashion,” Adamski reported.
Collaboration channels are “just a reference to how we communicate in an unclassified environment with each one of these companies,” Adamski explained. The reason the agency needs 350 channels is that in some cases, it will share information one-on-one with a single company, but in other cases, it will share with many companies in an entire sector. “It really depends on the incident, the threat or the type of collaboration we’re trying to have. But the main goal is for us to remain as agile as possible to really meet what our private sector companies are most comfortable with.”
That includes whichever collaboration platforms the companies use, including Microsoft Teams, Slack and Amazon Chime. “You name it. If our partners use it, we find a way to be able to use it with them,” Adamski asserted. “We understand and appreciate the fact that not all partners can use certain platforms because of corporate policies, so we try to make sure we have a diversity in how we collaborate.”
In just over three years, the list of industry partners has grown from zero to about 850. More than 90% of companies enrolled in the agency’s desktop screen services are small to medium-sized businesses. Approximately 100 are large businesses, such as internet service providers and cloud providers.
One of Adamski’s priorities is to continue growing relationships with those large businesses. “Our first goal is to continue to build those robust relationships with the biggest and best cybersecurity companies who can protect the most customers at once. It’s not a one-to-one, that we’re protecting one big company. When we share critical threat intelligence with them, we empower them to protect all of their customers, which can be billions of endpoints worldwide.”
Sharing the center’s defense industrial base cybersecurity services with more small and medium-sized businesses is also a priority. “These cybersecurity services focus on the most common attack vectors that we know our adversaries are using today. If we can make it harder for our adversaries, that’s our ultimate goal. We want to continue to offer these free cybersecurity services to as many of them as possible, and it’s fairly easy to enroll,” Adamski offered.
A third major priority is working on cybersecurity standards bodies for technologies such as artificial intelligence and next-generation cellular, so-called 5G and 6G. “We’re trying to make sure that when we write standard proposals to secure that technology for the future, we’re doing it for the most critical things. It’s really about investing as much participation and active submissions into the standard development organizations as possible,” she elaborated.
In May of last year, the NSA, CISA, the FBI, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and the United Kingdom National Cyber Security Centre issued a joint warning that a People’s Republic of China state-sponsored cyber actor known as Volt Typhoon was using so-called “living off the land” techniques to illegally infiltrate and move freely within critical networks.
Adamski touted the benefits of zero trust, network segmentation, multifactor authentication, identity access management and post-quantum encryption algorithms for protecting the defense industrial base. “We have to make it harder for them to not be able to move laterally within a network once they gain initial access. But when we have critical intelligence and things that the Chinese want, they’re going to constantly keep coming after it.”