What the NSA has learned from a year of external cybersecurity collaboration

For more than a year, the National Security Agency has been sharing cybersecurity threat information with defense industrial base companies. The idea is to correlate NSA signal intelligence with malicious activity the companies see on their networks. Joining the Federal Drive with Tom Temin with an update was the director of the NSA’s Cybersecurity Collaboration Center, Morgan Adamski.

Interview transcript:

Tom Temin: Ms. Adamski, good to have you on.

Morgan Adamski: Yeah, happy to be here. Thanks so much for having me to talk about the Collaboration Center.

Tom Temin: And just before we get to what you’ve learned in the past year, just brief us on what the Collaboration Center exactly does.

Morgan Adamski: Absolutely. So when we stood up the cybersecurity director at NSA, we knew that one of the keys to our success was being able to directly engage with our industry counterparts in a way where we could share unique and timely information at speed. And to be able to do that we needed to ensure that we had a space that our partners could come to, we had collaboration on classified platforms to share information quickly. And so the Cybersecurity Collaboration Center is actually this very unique unclassified facility, outside of the fence line right off of 295, that our partners are able to come visit us, share what they’re seeing in real time, and we’re able to share our insights as well back and forth. So it’s a great way for us to share information.

Tom Temin: And what’s an example of the type of information they might share?

Morgan Adamski: So a lot of our industry partners, right, they see a lot of malicious activity on any given day. They see it, they have a lot of noise on their networks, they may not understand it, they may not know who’s responsible for it. And they have a part of the picture. And just like NSA, we have part of the picture as well, we’re really focusing on those foreign cyber threats. And so we bring those two pieces together. And we try to figure out and get a better understanding of what the comprehensive picture looks like. And so it’s really about drilling down into those threats, and being able to have a conversation.

Tom Temin: And they bring things like network logs, for example, they bring in a thumb drive or something with the activity they think is suspicious?

Morgan Adamski: Any type of network logs or IPs or various things that they think are indicators of compromise that we may be able to look at and say OK, like, we think this is malicious, we think this is coming from a nation state actor. Here’s the type of mitigation guidance that we would leverage that protect ourselves from this in the future. So it’s really a great conversation right now occurring.

Tom Temin: And how many companies participate in this?

Morgan Adamski: So we have a little over 100 partners that we work with on any given day. And that’s anyone in the defense industrial base and their service providers.

Tom Temin: Wow, 100 companies, that’s a pretty good number. And you mentioned they come to this unclassified facility off the BW Parkway, God bless them for hazarding that road. But do they need to come in physically in order to collaborate with you?

Morgan Adamski: No, that’s actually the unique part of the Cybersecurity Collaboration Center is we stood it up during a pandemic. So we had to figure out how to do collaboration without physically being able to be in the same room with our industry partners. So we do a lot of our collaboration virtually. Our partners are all over the U.S. And so we do things like chats and just say, hey, here’s what we’re seeing. It’s not typical for NSA to be in an open environment and collaborating at the unclassified level, this is really the dramatic change for us.

Tom Temin: And where does the NSA knowledge that you have, the center has come from?

Morgan Adamski: Years and years of NSA insights on nation foreign cyber threats, our signals intelligence mission, as well as our old information assurance, but our new and improved cybersecurity mission. So all of those insights over the years actually feed into these relationships.

Tom Temin: What about the issue of if they reveal something that’s happening on their network that they are absolved from? Oh, guess what, we have to arrest you or something of that nature?

Morgan Adamski: Yeah, so all of our relationships with our industry partners are cooperative. It’s a mutually beneficial relationship, which means that they bring information to us open and transparent. We do the same. So we do not act as a contractual arm, or oversight and compliance mechanism for the department or NSA. It’s really about that open, transparent collaboration.

Tom Temin: We’re speaking with Morgan Adamski, she is director of the Cybersecurity Collaboration Center at the National Security Agency, or we should say just outside the National Security Agency. And because I remember once a CEO, this is a number of years ago, of a very famous cybersecurity company had a breach, and it made headlines. And the first entity that he phoned was the National Security Agency because the implications of algorithms that shouldn’t have been cracked, were cracked, and it touched off a whole national security type of apparatus getting into action. We’re talking about something lower level than this, aren’t we?

Morgan Adamski: Yeah, so we’re having those conversations every day with our industry partners to understand the extent of the breach. We’re supporting whole of government efforts like things like SolarWinds and the Microsoft Exchange vulnerability, so we’re participating in those conversations. The unique thing about NSA in the cybersecurity directorate, is we’ve really brought together the power of understanding the foreign nation state cyber threats with understanding the defensive space. And when we bring together both the threat information with understanding vulnerabilities, you build this magical system of being able to put mitigation in place quicker.

Tom Temin: Got it and any examples of things you’ve sort of nipped in the bud maybe in the last year?

Morgan Adamski: We focused on a lot of things, one of the examples that you’ve likely seen, as we’ve supported, when we look and find vulnerabilities in critical software, such as Microsoft Exchange, we actually work with the vendor to say, hey, here’s a vulnerability that you have, let’s develop a patch or a mechanism to help better protect against active exploitation. And let’s roll it out to customers as quickly as possible. And so that was something that we facilitated here out of the Cybersecurity Collaboration Center.

Tom Temin: And everybody has Microsoft.

Morgan Adamski: A lot of people do, yes.

Tom Temin: And what about the Cybersecurity and Infrastructure Security Agency, CISA? They do similar type of work, do you collaborate with them? Or do you fight over the companies you’re going to deal with? Or how does that work?

Morgan Adamski: No, we have great collaboration with our CISA counterparts. Obviously, they have the mandate and mission to reduce the risk to the national and critical infrastructure, we have a fundamental understanding of the foreign cyber threats. And when you bring those two narratives together, what you’ve really created is scope, span and depth, being able to talk to our industry partners. So we talk with them almost daily.

Tom Temin: And I’ve come to think that the assumption on most operator’s parts is that the phishing schemes, the types of hacking that’s going on outside of phishing, but the old fashioned network hacking and rooting around is of foreign origin. But is that really the case? I mean, do you have any sense of how much originates just from bad people right here in the good old U.S.A. versus the foreigns?

Morgan Adamski: Sometimes it’s not about sophistication. It’s really about the easiest door to open. If you have very low level vulnerabilities in your system, adversaries are not going to have to use exquisite or sophisticated techniques to get in; they’re going to use whatever enables them to facilitate that access. And so, we can see nation state actors using the most sophisticated capabilities, or we can see them taking advantage of simple techniques. It’s really what enables them to get to what they want.

Tom Temin: But what I’m asking is, say out of every 100 threats or attacks, are 90% of them of foreign origin, or do we still get a good percentage of them coming from within the U.S.?

Morgan Adamski: Yeah, that question would be easier to answer if I had a better understanding of all of the threats in aggregate. Unfortunately, we don’t. We see a significant amount of cyber threats originating every day from our foreign adversaries. That’s not to say that we see a full picture of all threats currently being directed at U.S. critical infrastructure, though.

Tom Temin: Got it. And also just a detail, you have a program called the Protective Domain Name System Pilot. What is that and what does it aim to do?

Morgan Adamski: It essentially is a service that verifies the domain that you’re trying to get to. And it prevents a user from phishing attempts, malware and blocking an adversary from gaining access to your system. Think of protected DNS as if you’re picking up the phone, we call it the phonebook of the internet. You dial a number you expect to get to the number, connect with the person you’re trying to reach. If in fact, unfortunately, our adversaries create a technique where they redirect you to a malicious domain or the phone number you don’t want to reach or the person you don’t want to talk to. We’re trying to ensure that doesn’t happen. So you’ll always get to where you’re trying to go.

Tom Temin: All right, and by the way, as an NSA employee, are you able, personally, to go inside the gate and maybe get a refresh from people on the inside as to what the latest things to look out for are?

Morgan Adamski: Oh, absolutely. So the Cybersecurity Collaboration Center really is the bridge between the classified environment and the unclassified environment. So I go in the fence line all the time, but I will tell you that the Cybersecurity Collaboration Center is a beautiful facility outside the fence line with beautiful parking, so I stay out here a lot. And then I communicate with my colleagues via classified means if need be.

Tom Temin: And you don’t have a little place cut in the fence where you can just slip in and out easily? Do you have to go all the way around by the tattoo parlors? Through the gate?

Morgan Adamski: Yeah, not if I want to get arrested by our security crew. I’m not going through any small holes in a fence.

Tom Temin: All right. Morgan Adamski is director of the Cybersecurity Collaboration Center at the National Security Agency. Thanks so much for joining me.

Morgan Adamski: Thanks for having me.