Archive for the ‘NSA’ Category

Yul Williams on fostering innovation at the NSA – Washington Post

Courtesy of NSA

Yul Williams is the technical director for the National Security Agency/Central Security Service, working with computer scientists, mathematicians and engineers to develop new technologies in the cybersecurity field that will assist the agency in its intelligence operations. In a conversation with Tom Fox, Williams described an NSA idea incubation technique that has led to many innovations. Fox is a guest writer for On Leadership and the vice president for leadership and innovation at the nonprofit, nonpartisan Partnership for Public Service. The conversation has been edited for length and clarity.

What is your main area of focus at the National Security Agency?

My work is centered on cybersecurity, and its mostly of a defensive nature. We are trying to gather ideas from the workforce that we can develop and implement to enhance our overall mission. Our CYBERx incubation model provides a venue where anyone in the workforce can present concepts to an audience of senior leaders that may have the potential to affect the manner in which we conduct business.

If I am an NSA employee and I have an idea, how do I get it to you?

We developed a crowdsourcing tool that is available to the NSA workforce. The workforce can look at the idea submitted and vote for or against it. They can leave comments saying why an idea is great or that it has been tried before. Afterward, a group known as the Innovators In Residence reviews the idea and decides how we can bring it into the incubation stage.

What happens next?

We guarantee the idea champion will have an audience within four weeks with the Innovators in Residence, which will make the determination whether the idea should move to the next stage. The group makes a list of all the good and bad things about the idea. The focus is mostly on the negative comments because they surface the institutional fears as to why the idea hasnt been implemented before. Our emphasis is on proving why those fears are unfounded. If the idea champion cannot overcome those concerns, the idea dies on the spot. We refer to this concept as a fast failure, and it limits the energy expanded on ideas with low mission potential. If the idea has merit, the group helps the idea champion develop a pitch that can be used to convince the organization of the value of the idea to the bottom line.

What happens if an idea passes that phase?

The idea champion is given an audience with the RIP or the Resource Investment Panel that is made up of NSA senior leaders who run organizations and have staff. Instead of giving funding for the first round of development, we ask the RIP to loan a resource to the project. For example, a resource may be an analyst who might have skill in microelectronics or optoelectronics. Once the RIP concurs, it provides resources to the idea champion who then has up to five months to conduct experiments. During that phase, the idea champion must periodically meet with the RIP and explain the experiments status. If all of the requirements are satisfied, the idea champion meets with the same panel, now called the Strategic Investment Panel or SIP. The SIP must come to a consensus about turning the idea into a product and deploying it.

How many ideas on average go through this process?

There are around 117 ideas percolating in the crowdsourcing process.

Can your approach be adopted by other agencies?

I would strongly encourage other federal agencies to adopt an incubation model. I am shocked at the amount of interest employees have in lending their ideas to make us a better agency. You should see the passion that people bring to the table and the pride they have when their idea makes it to the end of the incubation model or is even considered. We dont attribute failure of an idea as a personal failure. We celebrate that the person was willing to step away from what they do on a daily basis and take an idea through the process.

Tell me about your management philosophy or management style.

My leadership style is to respect the professionalism of the people I work with. I learned long ago that if youre working with low-skilled people, it is more direction-oriented. In this environment, we have very professional people, so you want to leverage what they have to offer and challenge them to do things that they did not believe were possible. I find that people always exceed their own expectations.

Have you learned any important leadership lessons during your time as a manager?

One of the lessons I learned is to always seek out others who have more experience in areas where you may be lacking so you can consider a wider range of ideas. It is important to confer with a diverse set of people who you can bounce ideas off of and those that help you to grow as a professional and as a person.

Read also:

A Harvard professor on the five questions to ask when facing tough decisions

Like On Leadership? Follow us on Facebook and Twitter, and subscribe to our podcast on iTunes.

Read the rest here:
Yul Williams on fostering innovation at the NSA - Washington Post

General: Cyber Command needs new platform before NSA split – FCW.com

Defense

Strategic Command chief Gen. John Hyten says that Cyber Command needs its own platform ahead of a planned split from NSA.

U.S. Cyber Command needs to be elevated to a full combatant command as soon as possible, but it should remain tied to the National Security Agency until it has its own cyber platform, according to the head of U.S. Strategic Command.

Air Force Gen. John Hyten told the Senate Armed Services Committee that he and Adm. Michael Rogers, head of the NSA and CyberCom, submitted their plan to the Trump administration calling for elevation of CyberCom "sooner rather than later."

He said that needed to happen "just to normalize that command and make sure that we can kind of develop normal command relationships between Cyber Command and all the combatant commanders including Strategic Command."

Later in the hearing, Hyten added that the end of the dual-hat leadership structure of the NSA and CyberCom will have to wait until CyberCom has an independent cyber platform from the NSA.

"There are acquisition programs of record being instituted to build those capabilities," said Hyten. "Once those capabilities are built, I would be supportive of separating the two. But I will not advocate separating the two until we have a separate platform in the services that Cyber Command can operate on."

Senators pressed Hyten on a number of cybersecurity topics, including the ramifications of modernizing the IT architecture that controls the U.S. nuclear arsenal.

Strategic Command currently oversees cyber, space and nuclear capabilities, and Hyten said they are linked in that a cyber threat that could affect command and control capabilities could undermine the U.S. nuclear deterrent, "and we have to make sure we never allow that to happen."

Hyten said Congress needs to demand that as the military services modernize nuclear command and control capabilities that they move from a 20th century architecture and not simply move from eight-and-a-half inch floppy discs to the five-inch variety.

"We will introduce cyber vulnerabilities as we walk into that, but if you work it right from the beginning, you can make sure that that threat is mitigated from the beginning," he said.

When asked whether the U.S. has the capacity to protect nuclear cyber systems, Hyten said in general he was happy with where the Cyber Mission Forces are going right now. But he warned that they do yet not have the capacity to meet all of the requirements the DOD has.

He said that currently cyber forces are specifically assigned to the combatant commands, and that DOD needs to look at cyber forces like special forces -- as a high-demand, low-density asset that needs to be centralized and allocated out based on mission priority.

"The demand signal is going to go nowhere but up and the capacity is not sufficient to meet all of the demand," he said.

Hyten also said the conversation on deterrence in cyberspace must move past the nuclear framework of the past, with its binary analysis.

"I think what's missing is a broader discussion of what 21st century deterrence really means," said Hyten. "That involves the nuclear capabilities as the backstop, but fundamentally space, cyber, conventional, all the other elements as well.""Now it's a multivariable analysis and each of those has to be put in context," he said. "And context has to be the fact that we're actually not deterring cyber, we're not deterring space. We're deterring an adversary that wants to operate and do damage in those domains."

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.

See the original post:
General: Cyber Command needs new platform before NSA split - FCW.com

CIA, NSA Aren’t the Only Federal Agencies Violating Privacy – American Spectator

Wikileaks recent dump of classified information related to the CIAs secret hacking operations has once again sparked a conversation about privacy in the digital age. While similar secret surveillance programs like the NSAs PRISM have been in the public eye for years, other government agencies thatmishandle millions of Americans private information in the light of day are often left unchecked.

Take the U.S. Census Bureau, for example. Since 2005, Census has selected approximately three million Americans annually to complete the American Community Survey (ACS), collecting information on the nations demographic, social, economic, and housing characteristics. While theres no question that the ACS collects some valuable information, the intrusive nature of the survey and the poor security measures with which Census handles respondents personal information should be a cause for concern no less sothan any surveillance by the CIA or NSA.

The methods used by Census Bureau employees can vary in the degree to which they violate a persons privacy. Some may only receive letters in the mail, appealing to the persons sense of community, with a veiled threat if they do not comply. Others have received a personal visit from a Census employee, often resulting in pressure or downright intimidation to complete the survey.

Take Kimberly Hayes of Sapulpa, Oklahoma. After being threatened with a fine by mail for refusing to fill out the form because some of the questions made her uncomfortable, a man sent by Census visited her home unannounced in the hopes of getting her to complete the ACS. The man started walking around and was looking in windows, according to Hayes.

If this gentleman had been trying to conduct a survey on behalf of a companys marketing department, Hayes could have told him to get lost without fear of repercussions. She might even have been able to prosecute him for trespassing. So long as the ACS exists, however, the letter of the law is against people like Hayes. If our government treated its citizens with the respect that companies reserve for their customers, violations of privacy would be far less frequent.

Unfortunately, our government is more often a technological laggard than a pathbreaker. Census has been remarkably slow in following the private sectors civilizing example. Recipients who fail to fill out the online ACS are sent a paper copy that they are asked to return in the mail, chock-full of personal information that could be damaging in the wrong hands. Questions range from the embarrassing (e.g. Question 18b, Does this person have difficulty dressing or bathing?) to the dangerous (e.g. Question 33, What time did this person usually leave home to go to work last week?).

Furthermore, the Census database is vulnerable. It has already been hacked into as recently as 2015. While Census tried to reassure nervous Americans that survey information remains safe, secure and on an internal network, bureaucrats dont always follow internal safety protocols. In 2011, the State Department operated an internal network that broke federal standards and may have left sensitive material vulnerable to hackers according to the Associated Press.

Many ACS answers are already compromised by design. On the Bureaus microdata website, anyone can download data of anonymous individualized ACS responses for areas with as few as 600 people. The only defense against those who might use ACS data for nefarious purposes is the bolded command: Use it for GOOD never for EVIL.

There are better ways to acquire sensitive information while protecting the privacy of citizens. For instance, in Europe, there are many viable census models already in place that drastically reduce privacy violations, and are more cost effective to boot.

The Netherlands, Slovenia, and Austria are among eight European countries that obtain census data without employing costly survey employees to harass their constituents. These countries use models that only process data from what other government agencies have already collected, so there is no added risk of privacy violations from mandatory and redundant surveys. The monetary and psychological costs of harassment suggest that we should look for foreign alternatives, perhaps even outside any government solution.

If the destruction of the ACS does indeed leave a void in the market for knowledge, then a private company could fill this gap, while heeding a mandate to respect our privacy. The fact of the matter is that our government has rarely prioritized the right to privacy for American citizens, regardless of which party is in power.

The benefits of the ACS have been greatly exaggerated, especially when we consider viable alternatives. The monetary costs of the ACS, while excessive at over $1.3 billion per year, are nothing compared to the psychological damage done to three million Americans annually. Our right to privacy has been offered up by our government on the altar of the common good. Americans who love their liberty should support replacing the ACS with a more conscientious alternative.

Census collection c. 1940 (Wikimedia Commons)

See the article here:
CIA, NSA Aren't the Only Federal Agencies Violating Privacy - American Spectator

Oh My: Former Obama NSA Susan Rice Reportedly Directed Dubious ‘Unmasking’ of Trump Allies – Townhall

Yes, that would be the same Susan Rice who made herself famous fordelivering outright lies on national television about the Benghazi terrorist attack, the nature of which the Obama administration was eager to deliberately distort for political reasons in the thick of a campaign. It would also be the same Susan Rice described by Newsweek as President Obama's "right-hand woman" in 2014. As Isaid on air yesterday, this whole Russia meddling/wiretap saga has become so convoluted and bereft of verifiable facts that it's quite difficult to keep following the plot. Here's my stab at a succinct summation: Ourintelligence agencies and members of relevant committees onboth sides of the aisle all agree that Moscow tried to meddle in the 2016 election. Theirclearpreference was to help Donald Trump and damage Hillary Clinton, whom they assumed would win anyway. The Kremlin has also deployed their propaganda and subterfuge toundermine Republicans, too. Their overarching goal is to undercut faith in the American system. And while there isno factualbasis forPresident Trump's counter-claim that his predecessor ordered his phones to be tapped, there are real indications that some people within Trump's orbit were monitored in some way -- and the series of one-sided leaks on that front does look to many like a deliberate push within elements of the government to damage Trump's presidency. There is alsono evidence that the Trump campaign coordinated or colluded with the Russians.

One of the latest twists in all of this wasthe claim by House Intelligence Committee Chairman Devin Nunes, a Republican, that Trump-tied officials whose communications had been incidentally intercepted (they themselves hadnot been targeted) as a part of foreign surveillance operations had their redacted identities "unmasked" last year. Who did this, and why -- especially since the intercepted communications in question allegedly had nothing to do with Russia? Late last week,Fox News' Adam Housley added some meat onto those suspicious bones, citing unnamed sources:

And nowEli Lake's reporting at Bloomberg appears to confirm what the rumor mill has been buzzing about for days --Rice was at the center of this:

Lake writes that given what is known about what happened, both the incidental collection and the unmasking were likely conducted within the confines of the law, but the episode raises new questions about (a) why a senior Obama official was so keen to identify the US citizens mentioned or involved in these conversations, (b) whether those conversations had any genuine investigative value beyond political curiosity (Housley's sources say no), and (c) how the existence of some of these conversations ended up gettingmore widely disseminated, eventually leaking into the press. The piecealso reminds readers that Ms. Rice claimed ignorance on the entire subject when she was asked about it a few weeks ago:

Perhaps there's an innocent explanation for all of this, and perhaps Rice believed she was answering that question accurately. But for previously-alluded-to reasons, it's hardly a stretch to imagine Rice flat-out lying on television. One of the indications that Chairman Nunes really had exposed something significant came last week camewhen the ranking Democrat on the House Intelligence Committee, Adam Schiff-- who has beenloudly attacking his GOP counterpart and spreadingunfounded claims and conspiracies related to the Russia probe -- got a look at the same documents Nunes saw (which led to Nunes'subsequent briefing of both President Trump and the newsmedia). AsRed State points out, Schiff emerged from that session fixated on process, while remaining notably mumon anything pertaining to content. It's not unreasonable to hypothesize that he read the documents and realized that something damaging lies within. Maybe that something was Barack Obama's lightning-rod NSA repeatedly requesting the unmasking of Trump officials' communications for dubious reasons.

For months, Democrats have insisted that the Russian meddling side of this story is the only thing thatmatters. While I agree that probes into those disquieting issues are justified and important, I've also taken the national security leak element of the controversy quite seriously. These new developments demand further inquiry and real answers. And today's introduction of an untrustworthy partisan actor within the previous president's inner-most circle into the mix all but guarantees that this story is about to become more politically explosive. I'll leave you withthis column by the Wall Street Journal's Kim Strassel:

Nuke 'Em: On Judicial Nominations, GOP Must Punish Democrats for Decades of Unprecedented Escalation

Read more:
Oh My: Former Obama NSA Susan Rice Reportedly Directed Dubious 'Unmasking' of Trump Allies - Townhall

Details emerge about 2014 Russian hack of State Department: It was ‘hand-to-hand combat’ – Chicago Tribune

Over a 24-hour period, top U.S. cyber defenders engaged in a pitched battle with Russian hackers who had breached the unclassified State Department computer system and displayed an unprecedented level of aggression that experts warn is likely to be turned against the private sector.

Whenever National Security Agency hackers cut the attackers' link between their command and control server and the malware in the U.S. system, the Russians set up a new one, current and former U.S. officials said.

The new details about the November 2014 incident emerged recently in the wake of a senior NSA official's warning that the heightened aggression has security implications for firms and organizations unable to fight back.

"It was hand-to-hand combat," said NSA Deputy Director Richard Ledgett, who described the incident at a recent cyber forum, but did not name the nation behind it. The culprit was identified by other current and former officials. Ledgett said the attackers' thrust-and-parry moves inside the network while defenders were trying to kick them out amounted to "a new level of interaction between a cyber attacker and a defender."

But Russia is not the only top-tier cyber power flexing its muscles in this way, said other current and former senior officials, speaking on condition of anonymity to discuss sensitive matters.

In recent years, China and to a lesser extent Iran have become more aggressive in their efforts to break into U.S. computer systems, giving fight to defenders from within the network and refusing to slink away when identified, the current and former officials said.

Ledgett, speaking at the Aspen Institute last month, placed the State Department incident in late 2015. But officials at the NSA, which defends the government's national security computer systems, clarified that it took place in 2014.

Fortunately, Ledgett said, the NSA, whose hackers penetrate foreign adversaries' systems to glean intelligence, was able to spy on the attackers' tools and tactics. "So we were able to see them teeing up new things to do," Ledgett said. "That's a really useful capability to have."

The State Department had to shut down its unclassified email system for a weekend, ostensibly for maintenance purposes. That was a "cover story," to avoid tipping off the Russians that the government was about to try to kick them out, said one former U.S. official.

The NSA defenders, aided by the FBI, prevailed over the intruders, who were working for a Russian spy agency. Private sector analysts have given the hacking group various names, including Cozy Bear, APT29 and The Dukes. That group also compromised unclassified systems at the White House and in Congress, current and former officials said.

The NSA was alerted to the compromises by a Western intelligence agency. The ally had managed to hack not only the Russians' computers, but also the surveillance cameras inside their workspace, according to the former officials. They monitored the hackers as they maneuvered inside the U.S. systems and as they walked in and out of the workspace, and were able to see faces, the officials said.

The Russians' heightened belligerence is aimed not just at collecting intelligence, but also confronting the United States, said one former senior administration official. "They're sending a message that we have capabilities and that you are not the only player in town," said the official.

The operation was also an attempt to probe U.S. capabilities, said a second former senior official. "If they can test you in an unclassified network, they can start to test you in a classified network," he said. "They want to see, is the U.S. government willing to escalate against us? It's all tactics and looking at responses - not just of an organization. It's what is the U.S. government willing to do?"

Ledgett said he is concerned that the private sector will not be able to defend itself without greater intelligence being shared from places like the NSA. "We need to figure out, how do we leverage the private sector in a way that equips them with information that we have to make that a fair fight between them and the attacker?" he said.

Michael Daniel, the former White House cybersecurity coordinator and now president of the Cyber Threat Alliance, a nonprofit group, said the issue also highlights how the government and private sector "are going to have to figure out some way to do triage, so that the federal government is focused on the highest threat actors against the highest threat assets."

Moscow's assertiveness in 2014 and 2015 reflected a general shift to become more aggressive in its use of cyber tools. In 2015 and 2016, Russian spy agencies hacked the Democratic National Committee's computers and launched an "active measures" campaign to disrupt the 2016 presidential election, according to U.S. intelligence officials.

China was also stepping up its hacking game in traditional espionage even as it was ratcheting back its operations in commercial cyber theft, the officials said. In September 2015, Chinese President Xi Jinping pledged at the White House that his government's hackers would not conduct hacking for commercial advantage. Senior U.S. officials have said Beijing appears to have diminished its activity in that realm.

However, as Ledgett noted in an interview at the NSA last month, the agreement applied only to cyber economic espionage. Hacking for political espionage continues. That is "legitimate foreign intelligence," said Ledgett - something that all countries do, including the United States.

See the original post here:
Details emerge about 2014 Russian hack of State Department: It was 'hand-to-hand combat' - Chicago Tribune