Approaching its 60th birthday, the National Security Agency (NSA) has a staff some 35,000 strong worldwide, and an impressive building complex in Fort Meade, Md., where the walls are lined with copper mesh to prevent electronic eavesdropping. True to its origins in breaking enemy codes during World War II, the agency has two primary missions: signals intelligence (SIGINT) and information assurance (IA).
Although the NSA is typically depicted as the most super-secret of federal agencies, it does post valuable reports on security best practices on its Web site. And Neal Ziring, the NSA's technical director of the Information Assurance Directorate (IAD), recently agreed to an in-depth interview.
What is information assurance for the NSA?
"Information Assurance for us is the ability for our customers, national security customers, to know that their information is only accessible to those who need it, is accessible to those who need it when they need it, that it has integrity - it hasn't been altered - and more recently, cyber defense.
"We have certain responsibilities under National Security Directive 42 and we provide cryptography for the community, certain types of defensive services, security guidance, security analysis, security architecture and engineering services, and we perform key management on the behalf of the community."
(According to NSA's web site, the agency's customers include the White House, the CIA, the State Department, the Chairman and Joint Chiefs of Staff [JCS], military combatant commanders and component commands, military departments, multinational forces, and U.S. allies, as well as those that use national security information systems, and government contractors.)
How do you reach the vast number of people who staff your customer offices?
"This was a big thing for us when we started publishing security configuration guides. We said, how on earth can we reach all of our customers? There are so many, they are so diverse; all the government all the military, and we eventually decided that the only way we could reach all of our customers was to simply publish it to the public. It's on our web site today. You'll see all these security guides and fact sheets because that is the best way to ensure (1) that we reach all of our customers and (2) that the taxpayers get maximum value out of the work that the NSA has done." (To view and download IA Fact Sheets, go to www.nsa.gov, select Information Assurance | Mitigation Guidance | Security Configuration Guides | Fact Sheets. )
From a security standpoint, what is it like to work at the NSA?
As you approach the security gate you must slow your car to navigate a serpentine pattern of red-and-white caution-striped barriers, orange traffic cones, a black SUV security vehicle and a freestanding guard before reaching the gate itself, where you present identification. Along the approach a sign indicates FPCON BRAVO (Force Protection Condition, level Bravo), meaning that "an increased or more predictable threat of terrorist activity exists". Watching from the other side of the gate are well-prepared guards.
When entering the building you present your badge to security again, and a third time at an electronic station. If you are the first one of your team in, you have to draw a key from a wall-mounted machine to get into your work area. Don't even think of bringing in your cell phone. Leave it in your car or check it into one of the little cubby-hole lockers at the front door. They are small; big enough for an iPhone, but not an iPad.
When at work is there any way for staff to access Skype, Facebook, GMail, LinkedIn, etc.?
[Laughter] The bulk of the staff work on the high-side network which is the internal, classified network where we have a social networking system that we use for collaboration. For example, I keep an internal blog, we have lots of internal Wikis, an internal system something like Twitter that allows sharing of short messages, an internal system that's Facebookish where you can post your profile and what you are working on.
Most of us have unclassified Internet access [on the low side network] at our desks because it's useful for looking up technical topics, or sending an email to your spouse to let her know you'll be late, all that sort of thing, but it's not really intended to be a system where you do a lot of personal stuff. It's for government use. The bulk of what I use it for is for corresponding with industry and academic partners with whom I am doing some sort of work.
Have you found any devices or processes that are particularly helpful in trapping security threats?
Awareness is key; having employees aware of the policies and practices that are enforced at a given point.
Ziring adds that the NSA has spent several years working with both industry partners and customers to develop effective application whitelisting strategies (including whitelisting with Windows Software Restriction Policies) and network access control, two controls generally considered awkward to implement and a nightmare to maintain in a world of constant updates and configuration changes.
We've been working on this very hard and it's been a big success. (Last November the SANS Institute awarded the IAD and its partner the Trusted Computing Group the 2011 National Cybersecurity Innovation Award.)
What worries the NSA?
Probably the biggest two worries for us right now are mobility and cloud computing because the government wants that functionality the way that business wants it, but looks to NSA to tell them how to be secure while doing it.
A big trend is the consumerization of IT; a lot of folks [outside of government] are bringing in personally owned devices and utilizing them for work functions. Recognizing both the benefits of such mobility and the dangers of rather powerful, connected devices managed by their owners instead of the office, the IAD released "Security Tips for Personally Managed Apple iPhones and iPads" and established the NSA Mobility Program which recently released v1.2 of the "Mobility Capability Package".
We aren't publishing much on cloud, we are letting NIST be that public face, but we are providing technical input into the things that they are writing. In fact NIST, the National Institute of Standards and Technology, has just released "Guidelines on Security and Privacy in Public Cloud Computing".
What other areas are you focusing on?
Wireless is a big area that IAD is working on. How can you stand up secure enterprise wireless? How can it be protected from attacks? (An example of work done in this area is a 2011 report "DoD Bluetooth Peripheral Device Security Requirements" that specifies the requirements for the secure use of unclassified Bluetooth peripheral devices in the U.S. Department of Defense.)
Another big one on our challenges list is security operations visibility and response. This is huge both inside and outside government. As cyber threats accelerate, our window for response is shortened.
The No.1 thing, if I were a CIO, that I would not want to hear from my staff, is: There is this huge vulnerability announcement on product X. How much of product X do we have and what is our exposure?
If your staff looks at each other and says 'we don't know,' that's a problem. To raise the bar on visibility and response, the IAD released the "Manageable Network Plan" for CIOs and network admins based on the principle that an unmanageable network is insecure. The first half walks you through eight milestones to make your network manageable then the second half includes tasks that will increase reliability, security, and ease of effort going forward.
The information gets quite specific. For instance, it states that if you are using legacy wireless security (pre-802.11i IEEE 802.11a/b/g deployments), move to IEEE 802.11i/WPA2, because the legacy technology has serious security flaws. It also suggests keeping hard-copy backups of your network's documentation, because online documents are really hard to read when the power goes out. A very handy "Quick Reference" on pages 27-28 lists every link in the paper, including 30 information sources and 16 tools.
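The "how much of product X do we have and what is our exposure?" question is only answerable if an up-to-date software inventory exists and can be queried. The script below is an added example, not code from the article, the NSA or the Manageable Network Plan: it reads a small constructed inventory (host, product, version), takes a hypothetical advisory giving an affected version range, and reports total installs versus exposed hosts. The one non-obvious point it demonstrates is version comparison: comparing versions as strings puts "2.10.0" before "2.9.1", so versions are split into integer tuples first.

```python
"""Exposure report for a vulnerability announcement against a software inventory.

Added example (not from the article or the NSA). The inventory rows and the
advisory below are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Constructed sample inventory, as a software-inventory agent might export it.
INVENTORY_CSV = """\
host,product,version
web01,ProductX,2.3.1
web02,ProductX,2.4.0
db01,ProductX,3.0.2
app01,ProductY,1.1.0
app02,ProductX,2.3.7
app03,ProductX,2.10.0
"""


@dataclass(frozen=True)
class Advisory:
    """Hypothetical advisory: versions >= affected_from and < fixed_in are vulnerable."""
    product: str
    affected_from: str
    fixed_in: str


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.10.0' into (2, 10, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_inventory(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into a list of {host, product, version} rows."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split(",")]
    return [dict(zip(header, (f.strip() for f in ln.split(",")))) for ln in lines[1:]]


def exposure(rows: list[dict[str, str]], adv: Advisory) -> tuple[int, list[str]]:
    """Return (total installs of adv.product, sorted hosts in the affected range)."""
    low, high = parse_version(adv.affected_from), parse_version(adv.fixed_in)
    total = 0
    exposed = []
    for row in rows:
        if row["product"] != adv.product:
            continue
        total += 1
        if low <= parse_version(row["version"]) < high:
            exposed.append(row["host"])
    return total, sorted(exposed)


def report(text: str, adv: Advisory) -> str:
    """One-line answer to the CIO's question for a given advisory."""
    total, exposed = exposure(parse_inventory(text), adv)
    hosts = ", ".join(exposed) if exposed else "none"
    return f"{adv.product}: {total} installs, {len(exposed)} exposed ({hosts})"


if __name__ == "__main__":
    # Hypothetical announcement: ProductX 2.3.x is affected, fixed in 2.4.0.
    print(report(INVENTORY_CSV, Advisory("ProductX", "2.3.0", "2.4.0")))
```

In a real deployment the CSV would come from the organisation's inventory system rather than a string literal; the point of the exercise is that the answer should take seconds, not a room full of staff looking at each other.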
When deploying technologies, you need to do it in ways that adhere to industry and government standards for reducing risk.
What keeps you up at night?
There is a bunch. The evolution of cyber threats, especially for my clientele, nation-state cyber threats. The changes in the information environment (IE) and how we can continue to keep those environments secure as they evolve. How are we going to ensure that the people we have stay technically current? How are we going to bring in new people with new ideas who will be highly innovative and competent?
Network World: What about the fact that so much of our IT equipment is made in China and the worry about counterfeit chips being built in?
Internally we call that supply chain risk management (SCRM). Another branch of the national security community, the Office of the National Counterintelligence Executive (NCIX), recently published a report about that. In 2009, Joel Brenner (who was at NCIX at that time) said that we are "...seeing counterfeit routers and chips, and some of those chips have made their way into U.S. military fighter aircraft. You don't sneak counterfeit chips into another nation's aircraft to steal data. When it's done intentionally, it's done to degrade systems, or to have the ability to do so at a time of one's choosing."
Summing up: The roots of the NSA go back to the work of the Navy signals office in Hawaii during World War II. Back then at least we knew who the enemy was and we knew what types of weapons they had. Today, the NSA continues the fight, but this time around it's a cyber war against nation-states, terrorist groups, organized crime and private individuals using a constantly changing arsenal of cyber weapons.
Dirk Smith is a freelance writer. He can be reached at dirkADsmith@gmail.com