Cybersecurity

Official: you can still trust the NSA

NSA's Curtis Dukes

It might not be as momentous as knocking down the Berlin Wall, but tearing down the barriers between Signals Intelligence and Information Assurance inside the National Security Agency is revolutionary, an NSA official in the thick of those efforts contends.

The NSA is six weeks into "NSA21," which the agency calls the most substantial organizational reform in its 60-year history. Announced earlier this year, NSA21's primary change is flattening the organization and moving it from a mission-based construct to a functional model.

Curtis Dukes had been until recently the director of NSA's Information Assurance directorate. Now, he's deputy national manager of national security systems in charge of the IA portfolio of the new operations directorate.

"We have a 60-year history of having two missions separate and distinct with common leadership at the top," he said. "Both missions have been highly successful, but where we found difficulties was in sharing between those two missions."

Dukes said that the current reforms have been in the making for the last decade. He said that NSA director Adm. Mike Rogers had two primary objectives.

"One was to propel us for the next decade -- make sure that we're tightly integrated between the two missions -- and that also more importantly was that we're optimized when it comes to cyber, both from exploit as well as from the defense standpoint," he said.

Dukes said that by removing the separation between signals intelligence (offense) and IA (defense), the two groups can better share information about potential vulnerabilities and exploits to further each other's missions.

"What this new organization construct brings is that we can put the best athlete to help with incident response and mitigation," explained Dukes. "We also can have the best athlete help with building better architectures to help the defensive mission. I think that's what we're trying to strive for in that regard."

The reorganization is hardly without controversy, however, in no small part because of the inherent contradiction between the NSA's primary missions. The Signals Intelligence directorate has been responsible for spying and increasingly looking for cyber vulnerabilities to exploit in intelligence gathering.. The Information Assurance directorate has been responsible for protecting systems -- government, private sector and international partners -- from exploitation.

Some clients have often wondered if the NSA's guidance came with strings, or more specifically, back doors, to help the signals intelligence mission. And since the announcement of NSA21 there has been more grumbling from some in industry that the NSA cannot fully be trusted.

NSA's reputation in the information assurance business took a hit from leaks by former contractor Edward Snowden that included confirmation that an NSA-approved cryptographic algorithm was deliberately compromised. Still, Dukes said that there has been trust in the past, and that should continue under the new system.

"We understood how things would be attacked from an adversarial standpoint, again from the signals intelligence perspective, and then we would go engage with industry and with international partners and also produce security configuration guidance and best practices based on that information," he said. "We strongly believe in our configuration guidance and our best practices."

One risk Dukes acknowledges is the possibility of compromising aspects of the signals intelligence mission because other nations can use unclassified NSA information to improve their cybersecurity.

"I think there will always be that argument that, well, how do I know if I'm talking to NSA I'm talking to the information assurance mission or to the signals intelligence mission?" Dukes said. "The short answer is that we do wall that off internally here [so that] if we're engaging with industry to help them better secure the product we're doing it for all right and honorable reasons."

So, despite the wall being torn down, Dukes said there will continue to be some degree of internal separation, and the current practice of vetting the release of information about vulnerabilities will continue.

"Prior to NSA21, regardless who found the vulnerability, whether it was the signals intelligence or the information assurance missions, we kick that up to an issue resolution process where both missions debate and discuss the vulnerability," said Dukes. "If one mission said that 'you know we need to release' or another mission said that 'we need to restrict,' it's fiercely debated."

In the last three years, the NSA worked with the FBI and the White House to create the Vulnerabilities Equities Process (VEP) to evaluate whether vulnerability information should be shared with interested parties so they can protect their systems, or whether disclosure would compromise intelligence gathering. Dukes said these tensions, procedures and discussions will continue under NSA21.

"I'm the senior NSA officer that represents NSA in the VEP process, and I'm a fierce advocate for, you know, if I think the nation's at risk, I highlight that, I make that argument both to Admiral Rogers and to [White House cybersecurity advisor] Michael Daniel in that regard," he said. "But it is a vote and each member can have a say in that and ultimately Michael will make a decision whether to disseminate or to restrict."

Dukes said the U.S. needs to do some soul-searching over its cyber defense structures and protocols in general. NSA has authority for national security systems, but does not have the authority to support agencies like the Office of Personnel Management, State Department or Environmental Protection Agency.

"That's where we work closely with DHS and FBI and we use their authorities to go in and do incident response and mitigation," said Dukes. "I don't think we're fully optimized as a nation yet in that regard. I think there's always going to be a bit of a lag for us to then provide support as we work though the authorities issue with DHS and FBI."

Dukes said by the time bureaucratic priorities are sorted out, "you've lost valuable time in order to do defense at cyber speed in that regard, and I think that's what we need to relook at as a nation."

Dukes said he's a fan of the United Kingdom's new National Cyber Security Centre, which puts emphasis on offensive capabilities as well as active cyber defense in collaboration with industry. "I think it's a model that should be looked at from a U.S. perspective as well," said Dukes.

Dukes said that NSA21 is still very much in its early stages and it's too soon to tell if it's on the right track or needs tweaking. He said there will be an internal review in about 90 days to see how things are progressing. One of the biggest challenges will be merging the public-facing culture of IA with the secret culture of signals intelligence.

"Over 60 years those cultures get pretty rigid, so we can't expect that in six weeks that we've, you know, totally changed the culture in the agency," said Dukes.

"In the sort term you'll still see us kind of inching along," said Dukes. "But I think a year out, it will just be, 'hey, who's available?' Whether you're signals intelligence or information assurance on this mission, you go in to do support for the nation."

Correction: This article was updated Oct. 18 to correctly state Curtis Dukes' former title of director of NSA's Information Assurance directorate, and to clarify the White House role in establishing the Vulnerabilities Equities Process.