
In Discussion with Curt Dukes (IAD) - Overview of NSA's Cyber Security Mission


What is NSA's role in cyber security?

For those of you that are less familiar with the NSA and IAD missions, let me share a little background. NSA has had the responsibility for the execution of two missions in support of National objectives, Signals Intelligence and Information Assurance, for over six decades. And, while we're perhaps best known for our intelligence mission, I have the honor to lead the Information Assurance Directorate, an organization charged with protecting information critical to the nation's security.

National Security Directive (NSD) 42, signed in 1990, authorizes NSA to secure National Security Systems, i.e. systems that handle classified information or are otherwise critical to military and intelligence activities. This authority has been delegated to the Information Assurance Directorate, which partners with government, industry, academia, and international partners to execute the information assurance mission. Our job is to protect and defend the networks that carry our Nation's most critical, classified information.

You could say that through our work in the information assurance arena, we pioneered what is now called cybersecurity. As more of our world relies on connectivity, our history and deep subject matter expertise are constantly being called on by our partners across the Department of Defense and Intelligence Community. The cyber threat is real and always changing: adversaries approach our perimeter and test our defenses millions of times a day. If you follow the news, you are aware of recent cyber incidents that demonstrate the extent of harm a successful cyberattack can cause. That is why we are here: to secure the nation's crucial security systems against those who wish to exploit them to cause harm to our citizens, our military, and our economy.

Can you provide some examples of how NSA/IAD protects national security networks?

At a high level, yes. Now that cyberspace is the primary arena in which we protect information, our goal is to lead the Community in designing state of the art information assurance and cybersecurity solutions to secure the nation's core mission environment against any and all evolving threats.

NSA/IAD provides our customers with flexible, timely, and risk-sensitive security solutions, as well as traditional information assurance engineering and field support. We analyze current and future Department of Defense, Intelligence Community, Federal, and commercial information assurance requirements and gaps to deliver innovative solutions to secure information that crosses security, or community-of-interest, networks. We apply our unique expertise and capabilities to consume information from a variety of sources, characterize that information in a way that makes the data more understandable, and normalize the data into concise mitigations, best practices, and strategies.

We also conduct 24x7 information assurance operations, proactively hunting for sophisticated cyber adversaries within national security networks. Sufficiently novel or unexpected adversarial acts will sometimes succeed; therefore, classified networks should undergo intermittent "hunts." These advanced operations try to smoke out intrusions that slipped through the cracks. Not only are these operations used to identify vulnerabilities, and then provide mitigation tactics, techniques and procedures to harden national security networks, but they can cause adversaries to temper their acts or even lose confidence in some techniques or other intrusions.

What is the most critical issue you see looming regarding cyber security?

The biggest challenge I see every day is the pervasive need to anticipate how the adversary will break through our defenses. The adversary is constantly evolving and changing, due both to advancements in technology and as a reaction to response tactics that are unsuccessful. We don't have the luxury of simply reacting to cyber incidents; instead, we must find ways to predict and understand the behavior of the adversary and how they might attack our networks, then automate our defenses to fend off those attacks. Essentially, we must always be a step ahead of the adversary.

In order to stay ahead, we must ensure network owners understand their network landscape – we call this Cyber Situational Awareness (CSA). CSA presents network data in a visual way, allowing it to be correlated, analyzed and shared. This analysis is a very critical part because it leads to decision making that ensures and enables secure communications for the military and across the Federal government. But in order to realize these capabilities, we will need to collect, parse and analyze petabytes of data in cyber-relevant time. To provide context, one petabyte of data is about five years' worth of data from NASA's Earth Observing System. Analyzing and responding to this amount of data can only be done if we have standardized feeds traversing standardized transport infrastructures and automated parsers that provide data from the sensors to the analytics in a structured format. What I'm trying to say is, it's a challenge, but one that we are addressing head-on.

What do you feel is the next innovation regarding cyber security?

Automating cyber security capabilities. Our networks and data are subject to continuous cyberattacks from a wide range of threats. Effective defenses against these adversaries include real-time, complex synchronization of thousands of endpoints and networks, multiple organizational processes, and the selection, de-confliction, and execution of complex response actions within and across diverse domains.

Today, synchronization is primarily a manual process that correlates multiple inputs and directs an array of responses. This current process does not provide the speed, agility and control necessary to ensure operational mission success in the presence of sophisticated cyber threats.

Because of this, we have introduced an initiative we call Active Cyber Defense. Active Cyber Defense is an architecture which enables the integration, synchronization, and automation of cyber event detection and mitigation through the use of real-time sharing of indicators of compromise across all layers (tiers) of network defenses. Each layer of this architecture provides unique detection capabilities, and leverages the cloud for advanced analytics and fusion with multiple sources of threat intelligence. Deployed countermeasures are the result of analysis conducted locally on the sensor and via the cloud. In either case, indicators and countermeasures are widely shared and deployed to provide a layered defense. Through forward-leaning initiatives like this, we can stay in front of the adversary.

How do you partner with academia to increase information assurance awareness and expertise?

We recognize that if we want to further reduce vulnerabilities in our national information infrastructure, we must promote higher education in information assurance and produce a growing number of professionals with information assurance expertise in various disciplines.

One way we do this is by partnering with the Department of Homeland Security (DHS) to establish and expand the National Centers for Academic Excellence (CAE) program. Currently, we have 194 institutions designated as NSA/DHS CAEs in Information Assurance and Cyber Defense. This designation is based upon recently updated academic criteria for cybersecurity education, and allows each CAE institution the opportunity to distinguish its strengths in specific information assurance and cyber network defense focus areas. This program provides a mechanism that allows colleges and universities to engage with NSA to build strong curriculums and partnerships that will benefit our national security posture, both for NSA and for the private sector as well.

Other ways we partner with academia include awarding grants towards Information Assurance and cybersecurity research, and offering various internship program opportunities to students. These student programs include initiatives and offerings for early education (K-12), as well as advanced internships and opportunities for students at the University level.

How do you partner with industry to meet national cyber security goals?

NSA/IAD has always had good relationships with industry, and over the past years we have seen the number of engagements with the private sector grow. We know that these relationships are critical to the future of cyber defense— cyberspace is vastly interconnected, and no entity will be completely successful on its own. So we continue to transform our business model into one that allows us to team closely with public and private institutions to raise the information assurance level of commercial products, and to begin to build a future of common defense against growing threats.

Two of the most visible current partnerships with industry are our work on the Community Gold Standard and our Commercial Solutions for Classified initiative, also known as CSfC.

The Community Gold Standards are best practices from government and industry for a set of capabilities to help organizations increase their overall security posture. These standards are being leveraged to protect our unclassified networks and require implementation of automated capabilities to maintain an inventory of authorized and unauthorized devices and software, and a process for eliminating identified unauthorized devices and software. In addition, implementation of secure configuration for hardware and software on laptops, workstations, and servers and a process for continuous vulnerability assessment and remediation is encouraged.

CSfC is an initiative where the government uses commercially available products in layered solutions to protect its networks and the information on them. The adoption of this program allows NSA to provide security solutions to our customers more rapidly. We work closely with industry to ensure the products work as needed and expected. The enhanced security in many of the products we use has wide-ranging benefits to our partners, customers, and even citizens that use the products. CSfC requirements are specified in Capability Packages (CPs) at the system level and Protection Profiles (PPs) at the component level, and are available for anyone to use to strengthen their security posture. The idea is that we use commercial off-the-shelf (COTS) products and services as components to meet or exceed security requirements.

What can a non-government entity do to make their systems and their cybersecurity more effective?

There are many things a non-government entity can do to make their systems and cybersecurity more robust and effective. First, they should take measures to understand the threat. The threat is advancing beyond traditional methods such as e-mail, Web pages, malicious web components, removable media, instant messaging, drive-by downloads, insider manipulation, social engineering, and deception. Now, new modes of technology have emerged, to include mobile technologies, social networks, cloud services, retail point-of-sale and payment systems, third party or supply chain vulnerabilities, and the Internet of Things (IoT), which includes everything from "wearables" that track health vital signs to critical infrastructure components. It's important that all entities understand the constantly evolving extent of the threat.

Secondly, they should understand the vulnerabilities. Cybersecurity risks are not well understood by leaders, administrators, or consumers. Risks taken by a single individual or organization on a network are risks shared by all on the network. The nature of networks and computer-to-computer connections is not often understood or monitored, which affords the adversary a chance to gain unfettered, undetected access to the network.

Finally, they should take action to shift to a more proactive cybersecurity posture. Every business that conducts activity online should adopt essential Internet security practices (published by Microsoft, NIST, SANS, CNSS, etc.) to reduce network and computer weaknesses and protect themselves against attacks. Due diligence requires CEOs to treat cybersecurity as a business risk rather than simply an IT issue by ensuring it is integrated with the organization's wider business risk management processes. Senior leadership should invest in cybersecurity technology and training to provide their employees the tools and knowledge to protect their information, services, and businesses today, and to prepare for the cyber threats of tomorrow.

What should citizens do to protect themselves from cyber threats?

You can protect yourself by becoming educated on cyber threats and the cyber environment by browsing the resources offered on iad.gov/. Additionally, following some common sense guidelines and implementing a few simple mitigations on your home network will immediately increase your cyber security posture.

Attackers often exploit vulnerabilities in outdated software and operating systems, so start by migrating to a modern operating system and hardware platform. The latest version of any operating system inevitably contains security upgrades and features not found in the previous versions, and many times the updated version's default features will mitigate vulnerabilities found in the previous version and block attack vectors. So ensure any operating system running on your home computer or mobile device is up to date, and while you're at it, enable the auto-update feature for all applications running on your system. By doing this, you will be automatically notified when new patches or updates should be installed on your system.

If you don't already have one, install a comprehensive security suite that provides layered defense via anti-virus, anti-phishing, safe browsing, host-based intrusion prevention, and firewall capabilities. Additionally, several suites from popular vendors provide access to a cloud-based reputation service for leveraging corporate malware knowledge and history for increased security.

For more information on how to protect yourself from cyber threats, including guidance on personal computing devices, home network configuration guidance, and internet behavior recommendations, please view our Best Practices for Keeping Your Home Network Secure brochure.