nsa-hq-1351553997WASHINGTON: The deputy director of the National Security Agency said today that the Intelligence Community should declassify the existence of more cyber attacks to improve the agency’s ability to mobilize the private sector and to get help when needed.

I asked Richard Ledgett at the end of a session at the Intelligence and National Security Summit here about a complaints I’ve heard from his own analysts: classifying most cyber attacks by foreign actors can make it very difficult for them to contain attacks, because other targets are not alerted and they can’t get help from the private sector — where some of the best cyberwarriors operate.

I asked Ledgett if the NSA needed to declassify the information more frequently so it could more effectively partner with industry. “When we can, we do,” he said. “We need to.”

NSA Deputy Director Ledgett

NSA Deputy Director Richard Ledgett

When US networks are attacked by foreign governments or people acting on their behalf, the Intelligence Community and Pentagon traditionally do not disclose the information.

The size of the unclassified threat is enormous, as a member of Ledgett’s panel made clear today.

Tom Cole, a VP at the cybersecurity firm FireEye, said his company tracks 1 million new websites a week loaded with malicious software and keeps its eyes on 300 active groups around the world, some of them countries, most of them non-state actors.

For most of the past 20 years, cyber attacks were highly classified as a matter of course. But when you classify something, it is very difficult to share that information with a wide range of people. That makes it harder to alert private companies or other government agencies to a threat. There are programs such as the Pentagon’s Defense Industrial Base effort to share cyber attack information with companies on a classified basis, but they leave out the vast majority of companies and individuals who do not have classified access, as well as smaller companies who cannot afford the rigorous compliance actions needed.

On a broader scale, the public and Congress are left unaware of the scope and frequency of attacks, leaving them without the context needed to judge the broader threat.