Mediaboss Marketing

The Government Accountability Office last week published a report that, among other things, weighs in on the pros and cons the NSA/CYBERCOM dual-hat system (pursuant to which the Director of NSA/CSS and Commander of CYBERCOM are the same person). The report deserves attention, but also some criticism and context. Heres a bit of all three.

1. What is the dual-hat issue?

If you are new to the dual-hat issue, or in any event if youve not closely followed the developments of the past year, please read this recent post for an introduction and overview.

2. What was GAOs bottom line? Did they recommend keeping or abolishing the dual-hat?

Neither. The report does not purport to answer that question. It is, instead, no more no less than an attempt to convey the DOD perspective (and only the DOD perspective) on the pros and cons of keeping the dual-hat structure (as well as identifying some mitigation steps).

3. What method did GAO use to determine DODs perspective?

GAO did three things:

a. It reviewed documents previously generated by CYBERCOM and by the Joint Staff to educate their own leadership on the pros and cons.

b. It sent out questionnaires to various DOD components (with relevant responses received from CYBERCOM, 6 combatant commands, 4 combat support agencies, and 3 OSD offices, plus a collective response for DOD produced by DODs CIO); and

c. It conducted interviews with personnel from CYBERCOM, DOD CIO, and NSA/CSS.

4. Anything wrong with that methodology?

Not if your goal is to convey only DODs perspective. And to be fair, that was GAOs stated goal. But this approach is problematic.

One of the issues driving the dual-hat debate involves the tension that arises between intelligence-collection equities (which NSA would be inclined to favor) and disruption equities (which CYBERCOM would be inclined to favor), in the scenario in which access to enemy-controlled system could be used for either purpose. As a result, the Intelligence Community has a stake in this question. GAO should have reached out for input from ODNI in particular (and it also is odd that GAO only included NSA in one of the three methods mentioned above).

GAO might respond that its terms of reference were DOD-specific. Thats clearly true for certain other parts of the GAO report in question, dealing with other topics. Its less clearly the case with the dual-hat portion of the report. But even if it is, it does not follow that GAO could not include in its report any reference to possibly-competing perspectives from the IC. Indeed, I would go further and say it was a big mistake not to do so, for it was perfectly foreseeable that this report would be taken by many (especially the media) as conveying a general assessment of the dual-hat issue rather than just a DOD-specific summary of opinions, no matter how many caveats are given.

5. Fine, but it is what it is. So lets look at what GAO actually reported, starting with the three pros favoring preservation of the dual-hat arrangement. The first one asserts that the dual-hat promotes coordination and collaboration between NSA and CYBERCOM. Comments?

At bottom, this is a claim that having a common boss makes it relatively easy to collaborate when it comes to developing exploits and sorting out when and how they are used. That makes sense, and is consistent with conventional wisdom on the dual-hat situation.

6. The second pro is about how the dual-hat solves the deconfliction challenge mentioned above, but whats really interesting here is what the report implies about how that challenge would otherwise have to be managed.

As noted above, the need to deconflict when collection and disruption equities compete is a big part of this story. Here, GAO acknowledges that the status quo provides a ready-made solution. So far, so good. What is really interesting, though, is the comment GAO then makes regarding what would happen in such cases of tension in the absence of the dual-hat.

Tellingly, the report observes that, in that case, deconfliction issues would have to be taken to the Secretary of Defense and/or Director of National Intelligence for resolution (emphasis added). I love the use of and/or in that sentence. It perfectly captures a critical point: absent a dual-hat, there has to be a new deconfliction system, and yet the lead contenders for that role each have a dog in the fight. Let me expand on that a bit.

Assume we decide to end the dual-hat system, without first settling on a new deconfliction system. What then? In that case, CYBERCOM usually will win over NSA. Why? Think about it. NSA wants to use existing access to keep collecting, but CYBERCOM wants to use it to disrupt the platform. If NSA barrels ahead with its preference, nothing really changes; the target remains operational and the enemy is none the wiser, hopefully. But if CYBERCOM barrels ahead with its preference, in most instances that will shut down the target (or at least make it clear to the enemy that the target has been penetrated); no more collection at that point. NSA will lose such battles, except when DIRNSA manages to see the issue coming and gets someone over CYBERCOMs head to make them back off.

Sounds like we would need a formal system to replace the dual-hat for deconfliction then. But what would that look like? If the solution is to charge the DNI with making the call, CYBERCOM wont likely be happy. If the solution instead is to charge SecDef (or USD(I) or the like), NSA (and DNI) wont likely be happy. If the solution instead is to convene a committee of some kind with stakeholders from both sidesand that committee works by majority votethen the same problem arises (unless you find some third-party player, like the National Security Adviser, to ensure there is not a tie and that the IC and military have equal voting power).

The point being: this issue needs serious attention. I dont doubt a decent solution can be developed, but care must be taken lest we stumble into the default scenario mentioned above.

7. The third pro involves the efficient allocation of resources, but its really about the idea that NSA makes CYBERCOM possibleand that reminds us that the dual-hat isnt going away soon.

The third pro noted by GAO is that the dual-hat facilitates NSA and CYBERCOM sharing operational infrastructure (translated: hacking tools, accesses, staging servers, personnel, etc.), as well as the infrastructure for training. Of course, its pretty much a one-way street; this traditionally is all about NSA sharing its expertise with CYBERCOM as it has stood up. Legislation currently forbids separation of the dual hat until DOD can certify that CYBERCOM is truly ready to operate independently. Thats supposed to be the case by September next year, but of course its one thing to say it and quite another to achieve it.

8. Turning now to the cons, GAO introduces the idea that the dual-hat may give CYBERCOM an unfair advantage over other commands.

This one was phrased very carefully. Without saying that this problem already exists, GAO says that CYBERCOM thinks that other commands are worried that the dual-hat may in the future unduly favor CYBERCOM requests for NSA support over the requests that come from other military commands. This is an interesting twist on the more-familiar concern that military equities in general will trump collection equities. This is military-vs-military instead. At any rate, again note that it is framed as speculation rather than a current observation. That might be politeness, or it might really be purely speculative. You really cant tell from the GAO report (see my last point below, on whether any of the reports observations have strong evidentiary foundations).

9. The second con GAO lists is a bombshell: The dual-hat creates [i]ncreased potential for exposure of NSA/CSS tools and operations.

Wow. In an almost cavalier way, the GAO report links the dual-hat issue directly to the fierce, ongoing debate over the security of NSAs tools, a topic that goes to the very heart of NSAs mission. Because of the importance of that latter debate, GAOs assertion will constitute a heavy thumb on the scale in favor of separating the dual-hat, if it catches on. Time will tell if it will. For now, lets just take a closer look at the claim.

First, here is what GAO says on the subject:

The dual-hat command structure has led to a high-level of CYBERCOM dependence on NSA/CSS tools and infrastructure. According to NSA/CSS officials, the agency shares its tools and tactics for gaining access to networks with a number of U.S. government agencies, but CYBERCOMs dependence on and use of the tools and accesses is particularly prevalent. CYBERCOMs dependence on NSA/CSS tolls increases the potential that the tools could be exposed.

Lets parse the two claims here.

Does the dual-hat create CYBERCOM dependence on NSA, as the first sentence indicates? I think that has things backwards. As noted in the prior con, CYBERCOM badly needed NSA at first, and still needs it to no small extent. Thats not caused by the dual-hat. It is caused by lack of capacity. The dual-hat has been part of the solution to that need. Perhaps DOD meant to convey a different point: that keeping the status quo has become a crutch that prevents CYBERCOM from pressing faster to build its own capacities. That makes more sense.

Does CYBERCOM use of NSA tools and accesses (i.e., exploits and penetrations) increase the risk of their exposure? Put that way, the answer must be yes. Every instance of use of any exploit or access creates a new opportunity for others to discover it, and so the risk must go up each time (you might say each use increases the exposure surface). But note that weve just put the question in a non-nuanced way, without any attempt to quantify the degree of increase in the risk, let alone to place it in context with offsetting benefits or with reference to mitigation strategies for this problem. All that emerges from the GAO Report is the bottom line: CYBERCOM relies on NSA tools ostensibly because of the dual-hat, and therefore the dual-hat increases the risk of those tools getting loose. And any suggestion that a policy exacerbates that risk is bound to draw attention.

The possibility of loose NSA tools has become a flashpoint for debate, in a manner that threatens for better or worse to create new limits on the ability of NSA to develop or keep certain capacities (particularly knowledge of zero-day vulnerabilities). NSA received a substantial black eye when a Russian intelligence agency the mysterious entity identifying itself as the Shadowbrokers somehow acquired a cache of NSA-created exploits and then began dumping them publiclyespecially after one of those exploits was used in connection with WannaCry and NotPetya. Both WannaCry and NotPetya received a vast amount of media attention, much of it pinning the blame in large part on NSA. This fueled arguments to the effect that NSA should not be allowed to create or preserve such tools (or at least that current procedures for balancing the competing equities involved (building NSAs collection capacity, vs improving the security of commercially-available products) should be altered significantly so as to reduce NSAs capacities in this area).

That argument was out there before WannaCry and NotPetya broke, in fact, but once those stories broke it received a strong boost from Microsoft. As this June piece in the New York Times from Nicole Perlroth and David Sanger underscores, this perspective has gained considerable momentum with some in private industry, Congress, and foreign governments. Just this morning, former NSA Deputy Director Rick Ledgett wrote a post here at Lawfare fighting back against this argument, highlighting how important the issue is.

Whether you agree or disagree with this argument, you no doubt can appreciate how it has made the government acutely sensitive to questions about the security of NSAs tools. As a result, the argument that the dual-hat creates significant security risks for those tools has the potential to have an outsized impact on the dual-hat debate. Which is a good thing, if the argument is a persuasive one. Unfortunately, the GAO report does not come anywhere close to giving us enough information to judge the matter. And yet this part of the report grabbed headlines in some quarters (see this piece in NextGov, titled GAO: Keeping NSA and CyberCom Together Makes Hacking Tool Leaks More Likely).

10. The next con listed by GAO: NSA and CYBERCOM are too much for any one person to manage.

Thats a familiar and serious concern, and it is unsurprising that it arose here. It is entangled to some extent with the deconfliction issue, of course, but at the end of the day being Director of NSA and Commander of CYBERCOM both concern vastly more than deconfliction.

11. The next con on the list? Strangely, its the deconfliction issue, which we already discussed above as a pro for the dual-hat. What gives?

It is telling that the deconfliction issue pops up both as a pro and a con. As noted above, the dual-hat is a good thing for deconfliction insofar as one thinks there ought to be a single decision-maker who takes both collection and disruption equities seriously. But here we now see the flip-side of the argument, as GAO reports that personnel from both NSA and CYBERCOM (including a senior-level official) told GAO that the dual-hat leads to increased tension between NSA and CYBERCOM staffs, because their respective collection and disruption missions may not always be mutually achievable.

You know what Im going to say, I suspect. The tension is caused by the combination of incompatible missions and shared tools/accesses. Thats not the dual-hats fault. The dual-hat is one solution to resolving the tension. As I have noted here, there clearly is a view in some circles that the fix is in with the dual-hat, in favor of NSAs collection mission. Maybe thats right, maybe its not. But at any rate, listing the dual-hat as a con here seems to be a reflection of that perspective.

12. The last con on the list has to do with difficulties in tracking expenditures the NSA makes on behalf of CYBERCOM

This may well be a very important issue, but it seems to me the sort of thing to be addressed through improved procedures, and should not matter much in deciding whether to keep the dual-hat.

13. How strong is the evidence supporting the various pro and con claims?

I recommend caution. We get a description of GAOs methods, as noted above, but of course we do not also get the underlying documents, interview notes, etc. And the reports narrative on each point is exceedingly thin, no longer really than what Im providing here. Note, too, my earlier observation that GAO does not appear to have sought the views of ODNI, and only sought NSA views to a limited extent. None of which is to say that any of the observations are incorrect, of course.

Read the original here:
Separating NSA and CYBERCOM? Be Careful When Reading the GAO Report - Lawfare (blog)

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

At the outdoor hacker camp and conference SHA2017, which is taking place in the Netherlands, NSA whistleblower William Binney gave the talk, How the NSA tracks you.

As a former insider, Binney knew about this long before Snowden dropped the documents to prove it is happening. Although he didnt say anything new, Binney is certainly no fan of the NSAs spying he calls the NSA the New Stasi Agency. If you are no fan of surveillance, then his perspective from the inside about the total invasion of the privacy rights of everybody on the planet will fuel your fury at the NSA all over again.

In todays cable program, according to Binney, the NSA uses corporations that run fiber lines to get taps on the lines. If that fails, they use foreign governments to get taps on the lines. And if that doesnt work, theyll tap the line anywhere that they can get to it meaning corporations or governments wont even know about the taps.

The companies are involved at the next step the PRISM program, which includes collection directly from the servers of U.S. service providers. However, Binney said PRISM is the minor program when compared to Upstream, which includes collecting data from the taps on fiber-optic cables in hundreds of places around the world. Thats where they are collecting off the fiber lines all the data and storing it.

PRISM was for show-and-tell purposes, to show Congress and courts what the NSA was doing and to say we have warrants and are abiding by the laws. Upstream was the one that allowed the NSA to take everything off the line.

Regarding worldwide SIGINT, CNE (computer network exploitation) was the big one. Implants in hardware or software, lets say switches or servers, make them do anything they want because the NSA pwned them.

That feeds the NSAs Treasure Map, which provides a map of the entire internet in near real-time; any device, anywhere, all the time every minute of every day. As Binney put it, So its not just collecting what youre saying encrypted or not but its also monitoring where you are when you do it.

Treasure Map is also how intelligence agencies use GPS from cell phones to target drone attack victims. Binney noted there are at least 1.2 million people on the drone hit list.

He also mentioned the programs that include the input of all phone data, fixed, mobile, satellite any kind of phone which both the FBI and CIA can directly access so that when they want to see who did what, they have an index, all, to everything they ever said in their database.

All the data is collected without warrants so its a basic violation of the rights of every human, Binney said.

He also covered how other agencies can directly access the NSAs data, Five Eyes, CIA, FBI, DEA and DIA. The police can access it via the FBIs system.

The NSA could choose to look at the right targets, but doesnt. The NSA may collect it all, but thats not the same as intelligence, as understanding all of what was collected. If you use one of the hot keywords in an email, for example, it will get flagged for review. But planned attacks happen because analysts are so buried beneath the data they cant see the attacks coming. Binney previously tried to convince the U.K. that bulk data kills people.

While all this data isnt helping to stop attacks, having all the data gives the intelligence community the power to manipulate anyone they want. Its like J. Edgar Hoover on super steroids all the collected data gives intelligence agencies the means to target anyone. Then parallel construction is used after the fact to go back and build a separate basis for an investigation to cover up the fact that the data was obtained unconstitutionally.

Before taking questions from conference attendees, Binney pointed out an icon on a slide as a teaser to his startup, which will advise on ways you can do privacy and security by design. He came to Europe, since they cant get anything done in the U.S. The U.S. and U.K. are too dense to realize it can be done it also goes against their agenda for more money, power and control.

Can we expect more NSA employees to blow the whistle? Perhaps, but the people in power there are corrupt, Binney said. During the portion of the talk when attendees could ask questions, he talked about how the NSA has employed a lot of introverts, people with ISTJ personalities, making them easy to threaten. Binney added that the See Something, Say Something (about your fellow workers) program inside the NSA is what the Stasi did. Theyre picking up all the techniques from the Stasi and the KGB and the Gestapo and the SS; they just arent getting violent yet that we know of internally in the U.S.; outside is another story.

Read the rest here:
NSA whistleblower discusses 'How the NSA tracks you' - CSO Online - CSO Online

On August 3, The American Conservative ran a lengthy piece of mine dealing with the whistleblower protection nightmare that is the Department of Defense. One of the subjects of that piece is now former NSA IG George Ellard, and because I had even more on his case than I could fit into the TAC piece, I wanted to share the rest of what I knowand dont knowabout the allegations against Ellard, the final disposition of the case, why the Obama administrations whistleblower retaliation fix is itself broken, and what might be done to actually provide meaningful protections for would-be national security whistleblowers in the Pentagon and elsewhere in the national security establishment.

Regarding what little we know about the specifics of Ellards case, I had this to say in the TAC piece:

As the Project on Government Oversight firstreportedin December 2016, a three-member interagency Inspector General External Review Panel concluded in May 2016 that the then-Inspector General of the National Security Agency (NSA), George Ellard, had, according to POGO, himself had previously retaliated against an NSA whistleblower[.] This apparently occurred during the very same period that Ellard hadclaimedthatSnowden could have come to me. The panel that reviewed Ellards case recommended he be fired, a decision affirmed by NSA Director Mike Rogers.

But there was a catch: the Secretary of Defense had the final word on Ellards fate. Outgoing Obama administration Defense Secretary Ash Carter, apparently indifferent to the magnitude of the Ellard case, left office without making a decision.

In the months after Donald Trump became president, rumors swirled inside Washington that Ellard had, in fact, escaped termination. One source, who requested anonymity, reported that Ellard had been seen recently on the NSA campus at Ft. Meade, Maryland. That report, it turns out, was accurate.

On July 21, in response to the authors inquiry, the Pentagon public affairs office provided the following statement:

NSA followed the appropriate procedures following a whistleblower retaliation claim against former NSA Inspector General George Ellard. Following thorough adjudication procedures, Mr. Ellard continues to be employed by NSA.

After Id finished the TAC piece, Ellards attorney, Terrence ODonnell of the Washington mega law firm of Williams & Connolly, sent me the following statement about his client, George Ellard:

The Office of the Assistant Secretary of Defense (ASD) examined and rejected an allegation that former NSA Inspector General, George Ellard, had retaliated against an NSA employee by not selecting that employee to fill a vacancy in the OIGs Office of Investigations.

In a lengthy, detailed, and well-reasoned memorandum, the ASD concluded that Dr. Ellard had not played a role in that personnel decision or, in the terms of the applicable laws and regulations the ASD cited, Dr. Ellard did not take, fail to take, or threaten to take or fail to take any action associated with the personnel decision.

This judgment echoes the conclusion reached by the Department of Defenses Office of the Inspector General. An External Review Panel (ERP) later came to the opposite conclusion, leading to the ASD review. The ASD concluded that the evidence cited in the ERP report as reflective of [Dr. Ellards] alleged retaliatory animus toward Complainant is of a character so circumstantial and speculative that it lacks probity.

In assessing Dr. Ellards credibility and in rendering its decision, the ASD also considered Dr. Ellards distinguished career of public service, spanning more than 21 years of service across the executive, legislative, and judicial branches, culminating in almost 10 years of service as the NSA IG. Dr. Ellard, the ASD noted, has been entrusted to address some of our nations most challenging national security issues; successive NSA Directors have consistently rated Dr. Ellards performance as Exceptional Results and Outstanding; and he has been commended by well-respected senior officials with whom [he has] worked closely over the years for [his] ability and integrity.

Dr. Ellard is serving as the NSA Chair on the faculty of the National War College, a position he held prior to the ERP review.

Quite a bit to unpack in that statement. Lets start with the ASDs decision to overrule the External Review Panel (ERP), a key component of the Obama-era PPD-19, the directive designed to prevent in all government departments or agencies the very kind of thing Ellard allegedly did. Here are the key paragraphs of PPD-19 with respect to ERP recommendations:

If the External Review Panel determines that the individual was the subject of a Personnel Action prohibited by Section A while an employee of a Covered Agency or an action affecting his or her Eligibility for Access to Classified Information prohibited by Section B, the panel may recommend that the agency head take corrective action to return the employee, as nearly aspracticable and reasonable, to the position such employee would have held had the reprisal not occurred and that the agency head reconsider the employees Eligibility for Access to Classified Information consistent with the national security and with Executive Order 12968. (emphasis added)

An agency head shall carefully consider the recommendation of the External Review Panel pursuant to the above paragraph and within 90 days, inform the panel and the DNI of what action he or she has taken. If the head of any agency fails to so inform the DNI, the DNI shall notify the President. (emphasis added)

Taking the ERPs recommendations is strictly optional.

Whats so significant about the ERP recommendation in Ellards case was that the ERP not only apparently believed that the whistleblower in question should be given a fair chance at getting the position he or she originally applied for within the IG itself, but that Ellards actions werein the view of three non-DoD IGs who examined the caseso severe that they recommended he be terminated.

ODonnell quoted from a Pentagon memo clearing Ellard that is not public. The ERPs findings, along with their record of investigation, are not public. Nor do we know how thoroughor cursorythe ASDs review of the Ellard case was prior to the decision to clear Ellard. Given all of that, who are we to believe?

There are some key facts we do know that lead me to believe that the ERPs recommendations were not only likely soundly based, but that the whistleblower retaliation problem inside the Pentagon is deeply entrenched.

ODonnells statement also claimed that the ASDs decision to reverse the ERP and clear Ellard of wrongdoing echoes the conclusion reached by the Department of Defenses Office of the Inspector General. But its the DoD IG itself, as an institution, that is also under a major cloud because of other whistleblower retaliation claims coming from former NSA or DoD IG employeesspecifically former NSA senior executive service member Thomas Drake and for DoD Assistant Inspector General John Crane. As Ive noted previously, the independent Office of Special Counsel found adequate evidence of whistleblower retaliation and document destruction to refer the matter to the Justice Departments own IG; Cranes case is getting a look from the Government Accountability Office (GAO), Congresss own executive branch watchdog.

The DoD and NSA IGs have clear conflicts of interest when employees from within their own ranks are implicated in potential criminal wrongdoing. PPD-19 was supposed to be the answer to such conflicts of interest, but its lack of teeth from an enforcement standpoint renders it a badly flawed remedy for an extremely serious integrity problem.

And what about Congress? PPD-19 speaks to that as well:

On an annual basis, the Inspector General of the Intelligence Community shall report the determinations and recommendations and department and agency head responses to the DNI and, as appropriate, to the relevant congressional committees.

But Congress doesnt need to wait for the IC IG to tell it what is already publicly known about the Ellard, Drake, and Crane cases. It has ample cause to not only investigate these cases, but to take action to replace PPD-19 with a whistleblower protection system that actually protects those reporting waste, fraud, abuse, or criminal conduct and punishes those who attempt to block such reporting. Two options that deserve consideration are 1) empowering OSC to examine these kinds of cases and issue unreviewable summary judgments itself or 2) revive the expired Independent Counsel statute, rewritten with a focus on whistleblower reprisal case investigations.

One thing is beyond dispute. The PPD-19 process is not the answer for protecting whistleblower and punishing those who retaliate against them. We need a credible system that will do both. The only question now is whether anybody in the House or Senate will step up to the task of building a new one.

More:
The Curious Case Of Ex-NSA Inspector General George Ellard - Cato Institute (blog)

A federal judge has sided with prosecutors in the case against former Fort Gordon contractor Reality Winner, finding that her defense team should be muzzled from speaking about any information deemed classified by the government, even if it has been widely reported in local, national and international media publications.

Winner has pleaded not guilty to a single count of violating a provision of the espionage act. She is accused of leaking a classified document to online media news publication, The Intercept.

That document was extensively reported on by The Intercept and numerous other news media organizations in stories on Winner, who is accused of leaking a national security document she allegedly obtained through her job with a NSA contractor on Fort Gordon.

The document is an analysis of the extent of Russias efforts to hack into state election boards. Russian meddling is the subject of U.S. Senate and House intelligence committees investigations and a special prosecutor who is looking into possible collusion between Trump supporters and the Russians during last years presidential campaign.

In his order released Thursday, Magistrate Judge Brian K. Epps wrote that determining what is classified information is a function of the executive branch of government, not the judicial branch.

Just because the defense team has expressed concern of accidentally mishandling classified information is no reason to relax the strict procedures required, Epps wrote. The defense is not prohibited in using classified information in Winners defense, but it must follow the strict procedures, he wrote.

Both sides have until Aug. 16 to weigh in on Epps proposed protective order that describes the closely guarded handling of materials in the case. A classified information security officer is in charge of ensuring such information is handled only by those on the defense team who have obtained security clearance, and only in a secured location.

The defense is to have free access to that location during regular business hours, although other times may be allotted with proper notice and consultation with the U.S. Marshals Service, according to the order.

Any notes or other papers the defense may create using classified information is not allowed outside of the security location. Any document filed with the court that contains or might contain classified information must be filed under seal. Only those portions deemed not classified by the classified information security officer will be unsealed for public review.

At the end of the case any such defense-prepared material will be destroyed by the classified information security officer. The confines of the protective order are a lifetime commitment and any violation is punishable not only by a finding of contempt but criminal prosecution.

The publication of any classified information does not change the classified status unless a member of the executive branch of government with the proper authorization declares the information to be declassified.

Winners trial is tentatively set to begin in October.

Reach Sandy Hodson at sandy.hodson@augustachronicle.com or (706) 823-3226

Continued here:
Judge sides with prosecution in Reality Winner NSA leak case | The ... - The Augusta Chronicle

(TNS) -- Further cementing its ambitions as a national powerhouse in cybersecurity education, Columbus State University announced Tuesday that it received a $174,000 grant from the National Security Agency to develop a new tool for rapid cybersecurity training and curriculum development.

The award makes CSU one of the top universities in the nation in providing technologies for cybersecurity workforce development to universities, government and private sector across the nation, said Shuangbao Wang, a professor in CSUs TSYS School of Computer Science in a press release.

The tool will be internet-based, allowing it to be accessed anywhere in the world. Wang expects it will eventually be used by global Department of Defense installations and other private and public organizations.

A key part of the tool will be the use of visual mapping, a technology developed by researchers at the university to assist in military decision making.

We are building a tool that people across the nation can use to develop cybersecurity training, which guarantees compliance with government and industry standards for cybersecurity workforce development, said Wang.

The grant is the latest in a string of awards the university has received for developing cybersecurity programs. Earlier this month, CSU announced that it had partnered with the Muscogee County School District to develop a yearlong cybersecurity course at Rothschild Leadership Academy with the help of a $50,000 grant from the NSA.

The university also hosted a weeklong cybersecurity summer camp in June with another NSA grant, this one for $28,000.

The investments may well pay off, with worldwide spending on cybersecurity estimated to reach more than $100 billion by 2020, according to research by the International Data Corporation. That spending is butting against an expected shortage of about two million jobs by 2019.

National cybersecurity workforce development is one of the key areas of this action plan, Wang said. Upon completion, universities, government, and private sector across the nation can use the tool to quickly develop training and curriculum that otherwise would not be possible due to lack of experts, knowledge and skills.

2017 the Columbus Ledger-Enquirer (Columbus, Ga.) Distributed by Tribune Content Agency, LLC.

Read the rest here:
Columbus State Awarded NSA Grant to Develop Cybersecurity Tool - Government Technology