NSA Headquarters at Night (Trevor Paglen)

ALBUQUERQUE: To better protect companies whose remote workforces have exploded during the COVID-19 pandemic, the NSA has begun publishing unclassified reports on network attacks and cybersecurity.

“In small ways we’re redefining who we are as an agency,” said Wendy Noble, executive director of the NSA, before describing how the agency was taking advantage of teleworking to research and share unclassified material.

For most of its existence, of course, NSA did not share much information about anything with anyone unless they had clearances. And a threat assessment certainly wouldn’t have been shared with anyone outside of government with high clearance.

Now, with some of its own workforce remote and away from secure access to classified information, the NSA has seen the merits of working with unclassified information. The unclassified reports can be produced by remote workers, and still provide valuable insights to protect companies and government agencies from hostile cyber threats.

Noble’s remarks came at the end of the annual Billington CyberSecurity Summit. The gathering, usually held in person in Washington, was entirely virtual this year. The pandemic created a cybersecurity crisis of its own, as workers moved away from secure, centralized offices to a wide variety of home environments with many different types of connections.

That shift meant finding out what could be done securely on less-protected home networks, said Noble. Not all of the NSA’s reporting on cyber threats needed to be done behind the formal wall of secrecy, they decided. Noble praised the unclassified report as a success, not just in terms of the usefulness of the intelligence product, but as a way to recruit and retain a workforce.

In an earlier panel at Billington, Bryan Ware, assistant director for cybersecurity at the Department of Homeland Security, described how the shift to remote work allowed the Cybersecurity and Infrastructure Security Agency (CISA) to move away from everyone working in one place with classified information. This gave the agency an opportunity to rethink and leverage commercial data, and opened space for CISA, in the future, to hire beyond the national capital region, and even to hire without requiring that all employees have security clearances.

“We can track metrics on social media and in the press; we can track how it’s viewed,” said Noble. “It’s more important to track how it’s used.”

It is one thing for intelligence customers to read warnings, and another for those companies to act on the warnings. The NSA is working on developing metrics to track how well the information provided in these unclassified cybersecurity advisories is actually used by the organizations that receive them.

Creating unclassified reports on cyber and other threats is already part of how the space intelligence community works with the commercial space industry. Adding unclassified research and intelligence to its cybersecurity products allows NSA to keep pace with the present threat environment, and especially helps keep it on top of threats that target remote workers during the pandemic.

Allowing some of the NSA’s workforce to tackle threat monitoring in the unclassified space has freed up, well, space for those employees who handle classified information to return to socially distanced offices and keep up with highly classified intelligence products which cannot yet be accessed from home.

Noble suggested the success of unclassified cyber reports likely means they will continue into any post-pandemic future.

Noble spent time at the UK’s National Cyber Security Center, and sees that kind of fusion and centralization of military, intelligence, and cyber work as an inspiration for how the United States could tackle similar problems when it is safe to return full-time to offices.

The NSA’s unclassified reports will continue to serve as a useful way to get industry on board with an up-to-date understanding of threats posed by criminal, nonstate or state actors. They serve as an important nexus between the public and private sectors, and also as a way to keep those lines of communication open.

Part of how the UK center was able to establish itself in such a role is that it meant intelligence agencies, most especially GCHQ, were talking to the public directly for the first time, something that went against the old standards of the profession.

“Nothing more important than having robust communications,” said Noble. “People have to trust in what you’re telling them.”