Leader of new NSA Cybersecurity Directorate outlines threats, objectives

Ransomware, Russia, China, Iran and North Korea are the top cybersecurity threats that will be the focus of a new division within the National Security Agency (NSA), the Cybersecurity Directorate, which is set to be operational on October 1, according to NSA director of cybersecurity Anne Neuberger. She was tapped in July by Director General Paul Nakasone to head the group. The Directorate aims to bring the agency’s foreign intelligence and cyber operations together and “operationalize [its] threat intelligence, vulnerability assessments and cyber defense expertise,” the agency announced when launching the new division.

“NSA really had to up its game,” Neuberger said in a fireside chat with Niloofar Razi Howe, cybersecurity venture investor and executive at the Billington Cybersecurity Summit in Washington on September 4. “And that’s what drove this desire to stand up a directorate and frankly to set a pretty aggressive mission, which is to prevent and eradicate cyber actors from national security systems and critical infrastructure with a focus on the defense industrial base.”

In terms of the threats, “Clearly ransomware is the focus. We’ve seen there are roughly 4,000 ransomware attacks a day,” Neuberger said. “When we look at Russia, we see a country that uses influence operations, uses cyber [that is] really integrated and below the level of armed conflict. They also use entities who aren’t necessarily tied to the government, whether the Internet Research Agency for potential elections influence or mercenaries to fight military conflicts in Ukraine or Syria.”

Each nation-state threat is unique

China has its own unique approach to how the country uses cyber threats to achieve its national security and military objectives, Neuberger said. China’s cyber threats are exemplified by three different and wholly distinct types of operations: the 2015 theft of 21.5 million records from the Office of Personnel Management, the hacking campaign known as Cloud Hopper that targeted eight of the world’s biggest technology service providers, and ongoing theft of intellectual property such as when Chinese intelligence and business insiders sought to steal information related to a turbofan engine used in commercial airliners.

Iran is very volatile and uses destructive attacks in its own region primarily, Neuberger said. “North Korea always fascinates us as essentially a nation-state criminal, as a country under sanctions using creative ways of cyber, whether it’s crypto currency, whether it’s cryptomining to gain hard currency and essentially keep the regime afloat.”

Social media makes influence operations easier

Neuberger previously headed the agency’s “Russia Small Group,” a joint NSA-Cyber Command task force to combat Russian election interference and influence campaigns. The task force “was stood up out of a realization that something had dramatically changed and we had to reboot our approach as a US government,” Neuberger said.

“Now influence operations have been around since the days of Adam and Eve, but what really changed was the age of social media,” she said. Not only could an adversary send out broad messaging, but it could also target disinformation to particular ethnic groups, particular elements of a country, and do it in a “pretty cheap way…looking as if one is an American.”

“So, we realized that it took a more creative approach to protect our democracy. In the Russia Small Group, we worked closely with the DHS and FBI to ensure that from a cyber perspective they had all the threat information we had in a way that can be quickly actionable” Neuberger said. “We’re tremendously proud of the work we did between NSA, Cyber Command, DHS and the FBI to defend the integrity of our elections and ensure that every American know that their vote counted and their vote matters.,” referring to the Russia Small Group’s efforts to protect the 2018 midterm elections.

When it comes to warding off 2020 election threats, the Directorate will take the same approach the Russia Small Group applied in the 2018 elections. “Ensure there is threat intelligence, gain those insights, share that intelligence, and be prepared to impose costs on an adversary who may attempt to influence our elections,” Neuberger said. “We will do the same work that we did in 2018 looking to see who are the actors seeking to shake confidence in the integrity of our elections, and share that with the FBI.”

Ransomware could disrupt US elections

Ransomware has emerged as a bigger threat to the election infrastructure than it has before. The recent shift ransomware attackers have taken from targeting individuals to targeting entities is “certainly something that would make it be a key concern for the elections. The best protection is the same security advice we give: ensure one uses principles of least privilege [and] computers with admin access shouldn’t have access to the Internet at all times.”

NSA to partner with other agencies, private sector

Partnering with other government agencies and private sector companies and organizations will be a major focus of the Directorate. “Everything we do, we do in partnership with other agencies, with allies around the world and certainly the private sector plays a role,” Neuberger said, noting that she wants to unify all the various communities involved in cybersecurity to enhance collaboration and focus on the hardest cybersecurity problems.

“Partners are key; they are the root of everything we can accomplish,” she said. Among the partners the Directorate plans to include in its efforts are the Department of Defense, Cyber Command, DHS, the acquisition community, U.S. allies and certainly the private the sector. “The private sector is often the first indicator of a significant threat or a significant compromise.”

The goal is to push out as much unclassified information as possible and bring together all the elements that are needed to quickly identify and head off threats. “Ideally, we are sharing the threat information to prevent an attack, to prevent exploitation rather than being part of a team that helps with incident response,” Neuberger said.

Although the Directorate doesn’t have a “moonshot” objective as it begins operations, one goal is to address the “rampant abuse of Internet infrastructure,” Neuberger said, particularly protecting the Domain Name System (DNS), the naming system underlying the Internet which has been subject to increasing attacks and redirections by malicious actors.

“DNS is a key way that adversaries use for command and control for exploitation,” she said. Neuberger would like to see efforts such as the UK’s NCSC’s Protective Domain Name System, which was built to thwart the use of DNS for malware distribution and operation, more widely used. The Directorate can help by adding or contributing threat information to make those services even more effective.

The Directorate can serve to interconnect these efforts so they could communicate beyond internet transactions. “If we could achieve that, it would have even broader impact beyond cybersecurity.”