There’s good news and bad news when it comes to the cybersecurity threats the U.S. faces on a daily basis.
“The good news is that we have a better understanding, perhaps better than ever before, of threats to our systems,” said Debora Plunkett, director of the National Security Agency’s Information Assurance Directorate (IAD), in an exclusive interview with Federal News Radio’s Agency of the Month program. “We have a better understanding of the capabilities, the motivations and the intentions of adversaries. That’s the good news. The not-so-good news is that our nation’s systems really are not yet up to par with regards to being properly defended to protect against the myriad of threats and threat actors that we see on a daily basis.”
Threats that continue to grow in number and sophistication every day, she said.
“If you’re like me, there isn’t a day that goes by where you’re not reading about some malicious activity in the press. In our spaces, we see that from an intelligence perspective. What we see is an increase in the breadth and the depth of the threats against systems, against capabilities, against products. From our view, it’s a growing business,” Plunkett said.
Getting the nation’s networks to that next, higher level of security is multifold, but it starts with “hardening” the systems to make them more defensible.
“We use the term ‘harden’ to mean applying all of the necessary measures that we know of in order to provide the best possible security based on the threats and vulnerabilities that we’re aware of … The second part of that is, don’t assume that that’s going to work. So then, we have to actually be prepared to actually defend those networks and systems,” she said.
Plunkett said that means putting a proper infrastructure in place to monitor potential cyber threats and having the proper measures in place to take legal action when necessary.
But, Plunkett said, there are some challenges to this as technology and requirements change constantly.
“Those dynamics create for us the insertion of new opportunities for vulnerabilities that we would not have expected. So, that becomes one of our biggest challenges,” she said. “How do we ensure that the product we say is secure today, is secure tomorrow? Well, we can’t. But we can do our best to make sure that we are in an eyes-wide-open manner, fully disclosing and understanding the vulnerabilities as they exist. And then we have to be looking constantly. That gets to the defend piece.”
When it comes to how cyber legislation may help harden the nation’s systems, Plunkett said it’s important to remove the barriers that exist to sharing information between industry and government.
“I think that such legislation is really critical to addressing the cyber threat. As I’ve said before, the U.S. government and industry both have unique insights into the cyber threat. What we need is an ability to be able to enable that sharing in a robust and real-time way. It’s important that any legislation establish a clear framework for that sharing with robust and necessary safeguards for the privacy and civil liberties of our citizens.”
“We really can’t rely on voluntary efforts of private companies that own and operate this core critical infrastructure to defend them. The stakes really are just way too high,” Plunkett said. “At the same time, it’s really important to remember that the requirements have to be collaboratively developed with industry and they can’t be too burdensome. We can’t create an infrastructure that is so onerous that no one wants to play because we need everybody on the field in order to be able to win.”
Existing partnerships with industry also help to make information sharing a bit easier. Through the Defense Industrial Base pilot program launched in August, DoD is now sharing information about potential cyber attacks with 37 private companies. The agency plans to expand that to roughly 200 companies later this year.
The sharing involves both classified and unclassified data and lets information flow in both directions — private firms share information about the attacks they’re seeing with NSA and the government provides its own information about current threats to the companies in the program.
Cybersecurity is also a concern when it comes to mobile, an area in which NSA is focusing heavily.
“Mobile is, simply, how our constituency wants to operate,” Plunkett said. “They want to be able to move around within secure spaces and, as necessary, outside of secure spaces and be able to do so with the right equipment so that they can communicate as needed.”
Plunkett said her agency is currently involved in two mobile pilots. Approximately 100 NSA employees are testing the use of a secure, classified smartphone. Plunkett said the group can talk up to the top-secret level on the commercial device. NSA currently is working with the Defense Information Systems Agency on the operational deployment of the phones, which Plunkett believes will happen in the coming months.
“We are tremendously excited about the progress we’ve seen on it,” Plunkett said. “We have been our worst critics, rightfully so, so we’ve put our best and brightest individuals against determining what vulnerabilities might exist in that infrastructure that we’re testing. They’ve identified problems. We’ve then identified solutions for them in real time, just as we’d need to have in an operational capability.”
NSA also is currently testing the use of secure wireless laptops in some of its conference rooms.