NSA’s Information Assurance Directorate at a crossroads

Although often overshadowed by the far bigger Signals Intelligence Directorate, IAD's mission of protecting sensitive information on government networks is more important than ever.

The National Security Agency is at a crossroads, and the key to its compass is the agency’s Information Assurance Directorate.

Although overshadowed by the bigger — and, for some, more intriguing — Signals Intelligence Directorate, IAD’s mission of protecting sensitive information on national security systems is more important than ever. There are not enough hours in the day and, some say, not enough hands on deck at IAD to deal with the incessant stream of vulnerabilities surfacing on government and private-sector networks.

In essence, IAD’s mission includes discovering software flaws, and part of the Signals Intelligence Directorate’s mission is exploiting them. NSA Director Adm. Michael Rogers is keen on forging closer interaction between the two directorates, which, despite years of inching toward each other, are still too far removed from each other for his taste.

“This traditional approach we had where we created these two amazing cylinders of excellence and then we built walls of granite between them really is not the way for us to do business,” he said at an Atlantic Council event in January.

“I don’t like these stovepipes that sit in IAD,” added Rogers, who also leads the military’s five-year-old Cyber Command. “I love the expertise and I love when we work together, but I want the integration to be at a much lower level, much more foundational.”

He is on the cusp of unveiling what he says is the biggest reorganization of NSA in more than 15 years. Details are still under wraps, but Rogers has made it clear that the agency must do better at blending signals intelligence and information assurance to reap a good harvest in the age of big data.

He is not the first NSA chief to push the two directorates closer together. Not long after becoming director in 1996, Lt. Gen. Kenneth Minihan decided to put information assurance resources in the agency’s signals intelligence hub, the National Security Operations Center, said Chris Inglis, who was then a senior operations officer at NSOC.

Minihan’s change “was a big deal” because it helped operationalize information assurance, said Inglis, who retired as deputy NSA director in 2014.

He said another turning point for the role of information assurance at NSA was Operation Buckshot Yankee, the Defense Department’s response to a 2008 breach of its classified systems. IAD specialists played a key role in detecting and mitigating the malicious code, Inglis added.

“That put information assurance on a very solid operational footing,” he told FCW.

Nonetheless, Rogers still sees a disconnect between the two directorates and believes that collaboration is starting too far up the chain.

“The way we do it right now, largely the director — Rogers — is kind of the master integrator, and I’ve told the team…that’s bad for us,” Rogers said. “We’ve got to be flat, we’ve got to be agile.”

The computer scientist in charge

IAD is led by computer scientist Curt Dukes. During a recent conversation in his office on the sprawling grounds of Fort Meade, Dukes described the daunting challenge his 3,000-person directorate has in training DOD’s future cybersecurity professionals and cleaning up major public- and private-sector hacks.

After the large-scale breach of Office of Personnel Management systems that exposed personal data on some 22 million people, Dukes said IAD provided eight to 10 specialists at any given time to help with forensics.

IAD staff also analyzed the hack of Sony Pictures Entertainment in November 2014, though Dukes said they were not actually on the film studio’s network. And IAD has recently instructed DOD and other federal agencies to swiftly patch the dangerous backdoor discovered in Juniper Networks firewalls, he added.

IAD analysts have been summoned for help in every big hack in the past 18 months, Dukes said, with varying degrees of involvement in the response. If that trend holds, “we will continue to have resource pressures from that.”

To conserve resources, IAD has sought to “train the trainers.” The directorate’s employees — about 80 percent of whom come from fields such as computer science, math and engineering — train Cyber Command personnel and bring those trainees up to what Dukes said is the “NSA standard for cyber defense.” Once the students have met that standard, Cyber Command does its own in-house training.

IAD trained a Cyber Command team that deployed to a U.S. military facility to analyze vulnerabilities in supervisory control and data acquisition (SCADA) systems there in response to growing concerns about vulnerabilities, according to Dukes. For nearly a decade, he said, IAD has been focused on weaknesses in industrial control systems (ICS) such as the SCADA systems that underpin the power grid. In the past year or so, U.S. officials’ concerns about those vulnerabilities have become more apparent.