The National Security Agency, once so secretive that its acronym NSA was jokingly referred to by intelligence insiders as “No Such Agency,” is out of the shadows.
NSA’s Cybersecurity Director Rob Joyce even appeared recently at New York City’s International Conference on Cyber Security to warn about the new dangers AI will raise as an enabler of increasingly sophisticated espionage, terrorist attacks and criminal activity.
Joyce and other NSA leaders now regularly speak in public, unclassified forums about the NSA’s offensive and defensive cyber missions. Organizationally, NSA now collaborates openly with other agencies in defense, law enforcement, and homeland security to openly discuss foreign efforts to infiltrate American and allied information networks, threaten our critical infrastructure, and disrupt our supply chains.
In the highly classified world of U.S. intelligence, it’s been eye-opening to us, as former intelligence officers, to witness this transformation as an agency once shrouded in secrecy becomes engaged as a public relations enterprise. Yet we recognize this level of transparency is precisely what American industrial leaders and the general public need-to-know to develop active whole-of-society defenses in an era of nation-state threats to our private sector.
Our most challenging adversaries – chiefly China and Russa – have broadened their cyber operations focus to encompass ever larger segments of the allied private sector beyond the traditional Defense Industrial Base (DIB), into multiple areas of critical infrastructure, financial services, law firms and academia where they can either steal proprietary information or secure vulnerabilities for future exploitation.
Early in our own careers, there were some little-known organizations in the NSA outbuildings that hid within the puzzle of acronym soup. One was dedicated to creating the cyber operations capabilities needed to combat terrorists and maintain allied geopolitical advantage, and another was focused on protecting American national secrets through information assurance. Even for officers with full Top Secret clearances, the prevailing mantra when it came to working with or for those organizations was “Don’t call them, they’ll call you.”
That kind of hiding in the shadows has changed dramatically in this past decade, as the NSA increasingly uses special functions to inform and collaborate with the public about threats.
Today’s NSA Cyber Directorate operates with a remarkably different approach. Its Cyber Collaboration Center, under the leadership of Morgan Adamski, provides advice and threat information to both cleared and uncleared cybersecurity professionals worldwide.
The breadth and depth of the Intelligence Community’s collaboration with the industry haves most recently been visible in its public messaging on VOLT TYPHOON, China’s operation to attempt to establish cyber footholds in privately-operated utility companies across the United States.
The gravitas of NSA lifting its veil of secrecy to collaborate with public-facing agencies like the Cybersecurity and Infrastructure Security Agency (CISA) has helped raise the trust across the public-private divide both interpersonally and at organizational levels. Furthermore, the women and men of the NSA Cyber Directorate have lent their deep expertise in cyber operations to co-author deep analyses of how VOLT TYPHOON actors are attempting to remain hidden within our infrastructure.
By providing systems integrators and other defense suppliers with the necessary tools to navigate necessarily Byzantine regulations such as the Cybersecurity Maturity Model Certification (CMMC) process and labyrinthine cybersecurity technology markets, NSA’s Defense Industrial Base Cybersecurity Services Program contributes to economic growth and the stability of the complex defense supply chain, while also ensuring that suppliers are protected by trusted and assured solutions.
These unprecedented degrees of sharing and collaboration, not only with impacted organizations, but also with the American public who rely on the infrastructure those organizations provide, can and must continue.
We believe collaboration to develop whole-of-society cybersecurity and cyber resilience is the only way to counter threat actors who strike at the services underpinning our national security and our economic prosperity.
As the range and agility of threats to the US continue to expand, we urge not only NSA but also the broader Intelligence Community to collaborate with threatened sectors and the security industry at large to develop holistic solutions for our most pressing security challenges. We propose three potential initiatives:
1. Expanding Government Partnerships with Industry.
The Intelligence Community should broaden its outreach efforts beyond critical infrastructure sectors to build a more robust security framework capable of preventing and responding to emerging threats, even in under-resourced industries. Outreach and sharing should include not only threat intelligence, but development of best practices and preventative architectures that make impacted sectors more resilient to any threats that may present themselves. As our adversaries become more agile, we believe that expanding both the number of sectors engaged and the topics for collaboration building on the good work of the Information Sharing and Analysis Centers (ISACs) established by CISA is critical to maintaining secure foundations and increasing trust between the government and private sector.
2. Collaborating on Forward-Looking Threat Assessments and Professionalized Open-Source Intelligence (OSINT).
As the volumes of publicly available information, and commercially available information, continue to grow exponentially, intelligence agencies and the private sector can collaborate to form a shared understanding of the threat landscape. This collaboration can both shed light on a hidden threat environment through shared insights and enhance both classified collection efforts and open-source intelligence (OSINT) collection while developing privacy standards that are needed by all participants to preserve government equities, protect proprietary business information, and preserve privacy rights of individuals. The need to balance ethical, policy, and legal considerations in OSINT is why we advocate for a professionalization of the discipline both in and out of government.
3. Creating and Engaging in Joint Technical Assurance Frameworks.
As the security of the technology ecosystem becomes increasingly crucial, the Intelligence Community should engage actively with CISA and the industry on assurance frameworks like CISA’s “Secure by Design” initiative. This focus should go beyond mere patch hygiene to encompass more robust preventive technologies. The Intelligence Community’s expertise in testing and ensuring the security of the world’s most secure networks can provide valuable insights and lessons learned for federal civilian agencies and commercial organizations seeking to apply assurance-level principles to their technology.
We welcome the newfound openness and transparency around previously secretive national instruments of power cultivated by the National Security Agency in recent months, and we look forward to continued collaboration with all of our government and commercial sector colleagues to enhance global security.
We, along with many of our anonymous colleagues who have transitioned between federal service and the private sector, remain committed to making a positive impact on American national security and supporting our country’s global allies in collaboration with agencies that must necessarily emerge from the shadows. In short, we look forward to the dance ahead.
Adam Maruyama is Field Chief Information Security Officer at Garrison Technology, a deep tech cybersecurity company. He is a former U.S. intelligence officer. Andrew Borene is Executive Director for Global Security at Flashpoint, an international threat intelligence firm. He is also a former U.S. intelligence officer.