Page 21 - FCW, February 2016
P. 21

statement. But that still seems to leave many zero-day bugs unknown to Internet users.
Dukes is NSA’s representative in the zero-day disclosure process, which is led by Michael Daniel, President Barack Obama’s top cybersecurity adviser.
“It’s a thoughtful discussion, trying to understand offensive capability but also understand the risk to the government in not disclosing that vulnerability,” Dukes said.
IAD and the Signals Intelligence Directorate try to agree on which vulnerabilities to disclose, but if they can’t, Rog- ers makes the final decision, Dukes said. The process has grown more robust as more federal agencies have discovered vulnerabilities, he added.
In the midst of an ongoing lawsuit brought by the Elec- tronic Frontier Foundation, NSA recently released docu- ments with newly unredacted sections that confirm that zero-day vulnerabilities were stockpiled for use in domestic law enforcement, counterterrorism activities, espionage and intelligence gathering.
In January, Rogers said NSA would increasingly focus on bolstering the cyber defense of weapons systems in 2016, and that monumental task will fall to IAD.
Dukes, meanwhile, referred to an “incredibly long list” of weapons systems that DOD has given his directorate to review for vulnerabilities that need to be patched. The direc- torate will only get to a handful of those reviews in this fiscal year, he said. His goal is to automate the process of probing weapons systems for weak IT security, but “we’re just not resourced to do that at the moment.”
IAD’s website includes a list of top technology challenges for 2016, and they are defined as “things we don’t know how to do but need to.” Among them are predicting and measuring the impact of breaches on the ability of defense systems to continue operating. Dukes said his strategy involves map- ping the life cycle of a hack and determining how well cer- tain defensive measures can hold up under sustained cyber assaults.
Reconnecting with the private sector
Historically, IAD has had a fairly close relationship with the private sector, whose IT systems the directorate has helped fortify, according to Dukes. That relationship soured consid- erably after the scale of NSA’s surveillance programs were made public by former contractor Edward Snowden.
The revelations included evidence that NSA had subverted an encryption standard issued by the National Institute of Standards and Technology, an impartial government body that IT professionals rely on for guidance.
Dukes would not comment on “claims by outside cryptog- raphers on whether we did or didn’t” have a hand in weak- ening the NIST standard. He only said the agency “does not intentionally weaken cryptographic standards” and added
that his directorate has a “huge dependence” on such com- mercial standards.
He said the directorate has worked hard to repair its rela- tionship with the private sector since Snowden’s revelations. “Industry sometimes can have a hard time” dissociating NSA’s signals intelligence and information assurance missions, he said, “so they tend to brand us as NSA.”
Nonetheless, IAD’s focus on creating strong “protection profiles,” or security recommendations for commercial prod- ucts, has helped revitalize the relationship with the private sector, Dukes said.
All hands on deck
Dukes preferred not to talk about NSA’s pending reorgani- zation and how it will affect his directorate because he did not want to preempt the agency’s public announcement. His prognosis for the future was more general as he talked about the next generation of IAD analysts.
Baby boomers like Dukes, a three-decade veteran of the agency, are becoming a rarer breed. Millennials are more likely to change jobs every few years, and the directorate must adapt to that, he said.
“I actually think it’s healthy for the country because those folks will be trained in cyber defense, and they rotate out to the private sector...and then actually apply what they learned here,” Dukes added.
Brendan Conlon, who worked in computer network operations at NSA for a decade, said IAD’s “blue team” network defenders are invaluable to the agency not only because of their technical expertise but also for their ability to work with other agencies and the private sector during breaches. Those specialists also happen to be the people most likely to leave NSA for lucrative jobs in the private sector, he added.
With regard to the IAD workforce, Inglis said, “The people they have are good; they don’t have enough of them.” Fur- thermore, IAD’s budget has not matched the importance of its mission in recent years because information assurance is a “harder sell” to lawmakers.
As NSA leaders prepare for the reorganization, it is clear to everyone that there must be “some professional intimacy” between the signals intelligence and information assurance missions, one that is reflected in career development and operations, Inglis said. And he argued that more tightly cou- pling the two directorates would not make the agency more inclined to withhold vulnerabilities for exploitation rather than patching them.
However the agency changes structurally, Dukes said his basic mission to protect sensitive government information would continue. Ongoing attempts by hackers to penetrate classified networks mean the demand for information assur- ance has never been greater. n
February 2016 FCW.COM 21

   19   20   21   22   23