Inside the NSA: Companies Need To Follow the Basics


By Rob Sloan, cybersecurity research director, WSJ Pro

The National Security Agency, the primary U.S. intelligence agency for data-gathering and monitoring, recently provided me with a rare interview with three of its technical directors in the National Cryptographic Museum at the agency’s headquarters in Fort Meade, Md. The wide-ranging conversation covered the vulnerabilities of companies, the usefulness of standards and challenges faced by the agency in retaining staff. This is the second of four articles based on the interview.

When it comes to protecting networks from cyberattacks, the National Security Agency’s advice isn’t new: it comes down to deploying the right set of controls consistently.

But even if the advice isn’t new, that doesn’t mean it’s followed. “So often people are caught up in the mission or profit–they don’t pay it the attention it requires,” said Mike Thomas, technical director of the information assurance capabilities group at the NSA. Mr. Thomas’s team develops solutions to support the information assurance mission.

“Basic hygiene goes a really long way,” said Mr. Thomas. “Keeping systems patched, knowing what systems you have and that they are being taken care of, multi-factor authentication. It really raises the bar.”

Mr. Thomas has served with the NSA for 30 years and has a master’s degree in computer science from Johns Hopkins University.

Neal Ziring, technical director of NSA’s capabilities directorate, noted that deploying those controls consistently can be the hardest part: “It’s important to have consistency because attackers will find the weak link and then exploit trust relationships to move around.”

Mr. Ziring said even having 98% of machines on a network fully patched “is not a good number,” though he added that knowing where the remaining 2% of machines are, so the risk can be managed, certainly helps.

Other widely recommended basic risk mitigations include deploying anti-malware software, strict user access controls, securely configuring machines and devices on the network, and deploying boundary firewalls.

The NSA produces alerts and advisories to help mitigate the risk of vulnerabilities in software products and guidance for securing applications, operating systems and more. All of these are published online and freely available.

Ryan Agee, technical director of cybersecurity operations, said if the agency detects a threat during the course of its foreign intelligence collection mission, it will pass details to partners in the Federal Bureau of Investigation and Department of Homeland Security so the victim can be informed.

Mr. Agee said simply trying to prevent attacks is insufficient and organizations need to plan for every stage of an attack: “You need a lifecycle. You try to prevent, but if you can’t prevent, you detect, respond, and mitigate.” However, Mr. Agee added there must also be recognition that threat actors will get in: “You have to respond and recover quickly.”

Budget-conscious executives may seek to trim rising cybersecurity costs by cutting back on the basics, especially when the organization has invested in high-end solutions that promise to stop attacks, but Mr. Agee cautioned against this. Neglecting the basics can lead to an increased volume of alerts requiring investigation, further pressuring the stretched human resources of the security team.

Mr. Thomas saw a particular challenge for smaller organizations whose core mission is not IT and that struggle to attract top talent and lack funds to buy advanced solutions. “In that case, the best bet might be to outsource to the professionals.”

Mr. Ziring said small businesses can take advantage of investments in security made by companies vying for federal contracts. One example is the Federal Risk and Authorization Management Program (FedRAMP), which ‘provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services’. FedRAMP aims to give the federal government confidence in specific authorized products and services, and smaller businesses can choose authorized cloud service providers and reap the same benefits as government agencies.

Progress on Securing Government

All three technical directors were encouraged by progress in cybersecurity made across federal government over the last five years and highlighted Department of Defense networks as among those having improved the most. But Mr. Ziring acknowledged: “there is still a long way to go and variation among different parts of government is substantial.”

They said other initiatives such as the May 2017 executive order on cybersecurity holding heads of executive departments and agencies accountable “for managing cybersecurity risk to their enterprises” are likely to further improve and promote good cybersecurity risk management practices.

The NSA also has a role in responding to cyberattacks. Although the agency has no legal authority or responsibility to respond to attacks against the private sector, it can and does contribute resources and expertise, but only after a partner agency has requested its help and a legal threshold has been met.

As an example of its capability, the NSA assisted in the aftermath of the breach at the Office of Personnel Management following a request from the FBI. NSA provided engineering advice for the interim and long-term re-architecting of OPM’s network, as well as hands-on defensive operations and guidance on cryptography. Not all businesses will be able to rely on help from the NSA, though, and they should have contingency plans in place to engage expertise following a major attack. Having contracts agreed ahead of an incident minimizes any administrative delays to getting experts on site should the worst happen.

To that end, NSA worked with other agencies to launch the National Security Cyber Assistance Program. Sixteen companies are certified to do incident response on national security systems and respond to the most complex incidents. Having certified responders means NSA can concentrate on the areas where it can add unique value.

(Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors.)