Archive for the ‘NSA’ Category

What to Expect from the NSA Hacker Turned White House Cyber … – GovTechWorks

The choice of Rob Joyce, former head of the National Security Agencys Tailored Access Operations unit as cyber security coordinator puts an experienced offensive cyber operator at the nexus of the nations cyber policy and strategy at a time when nation-state cyber interference is at the forefront of public consciousness.

Joyce succeeds Michael Daniel, who had a public policy, economist and finance background and spent nearly a decade in cyber policy at the Office of Management and Budget and the White House. Joyces background, by contrast, is as an operator in the cyber realm, bringing an intimate understanding of the threat to the forefront of national cyber policy.

As cyber coordinator, Joyce is not the federal chief information security officer (CISO). That post is largely focused on securing the federal enterprise; the cyber coordinator drives policy beyond the federal government. The cyber coordinator is also interested in cybersecurity across the entire digital ecosystem, including private industry, state and local governments and foreign governments, as well. So its a much broader role than what the federal CISO focuses on, says Daniel, who is now president of the Cyber Threat Alliance, a non-profit focused on cyber threat sharing across the industry. There is some degree of overlap and complementarity obviously the cybersecurity coordinator has to care about the security of federal networks but the cybersecurity coordinator has a broader mandate than that.

Little is publicly known about NSAs offensive cyber activities. But in a rare public appearance last August at the USENIX 2016 conference, Joyce described the five steps to a successful cyber intrusion initial exploitation, establish presence, install tools, move laterally and collect/ex-filtrate/exploit and then walked through the weaknesses he and his hackers came across and exploited each day.

If you really want to protect your network, he said then, you really have to know your network. You have to know the devices, the security technologies, and the things inside it. His clear message: His team often knew better than the networks managers. Indeed, while NSA hackers might not understand products and technologies as well as the people who design them, Joyce said they learn to understand the security aspects of those products and technologies better than the people who created them.

You know the technologies you intended to use in that network, he said. We know the technologies that are actually in use in that network. [Theres a] subtle difference. Youd be surprised at the things that are running on a network versus the things you think are supposed to be there.

Penetration-testing is essential, as is follow-up. Joyces OTA regularly conducted Red Team testing against government networks. Well inevitably find things that are misconfigured, things that shouldnt be set up within that network, holes and flaws, he said. The unit reported its findings, telling the network owner what to fix.

Then a few years later, it would be time to test that network again. It is not uncommon for us to find the same security flaws that were in the original report, Joyce said. Inexcusable, inconceivable, but returning a couple of years later, the same vulnerabilities continue to exist. Ive seen it in the corporate sector too. Ive seen it in our targets.

Laziness is a risk factor all its own. People tell you youre vulnerable in a space, close it down and lock it down, Joyce said, reflecting on the fact that network administrators frequently dont take all threats and risks seriously enough. Dont assume a crack is too small to be noted or too small to be exploited. Theres a reason its called advanced persistent threats: Because well poke and well poke and well wait and well wait and well wait, because were looking for that opportunity to [get in and] finish the mission.

As an offensive cyber practitioner, Joyce sought to identify and, when needed, exploit the seams in government and enemy networks. He focused on the sometimes amorphous boundaries where the crack in the security picture might come from getting inside a personal device, an unsecured piece of operational security, such as a security camera or a network-enabled air conditioning system, or even an application in the cloud. Cloud computing is really just another name for somebody elses computer, he said. If you have your data in the cloud, you are trusting your security protocols the physical security and all of the other elements of trust to an outside entity.

Most networks are well protected, at least on the surface. They have high castle walls and a hard crusty shell, he said. But inside theres a soft gooey core.

Figuring out how to protect that core from a national security and policy perspective will be Joyces new focus, and if Daniels experience is any indicator, it will be a challenge.

From his perspective, cybersecurity is only partly about technology. Adversaries tend to get into networks through known, fixable vulnerabilities, Daniel says. So the reason those vulnerabilities still exist is not a technical problem because we know how to fix it its an incentive problem an economics problem. That is, network owners either fail to recognize the full extent of the risks they face or, if they do, may be willing to accept those risks rather than invest in mitigating them.

The challenge, then, is formulating policy in an environment in which the true level of risk is not generally understood. In that sense, Joyces ability to communicate the extent to which hackers can exploit weaknesses could be valuable in elevating cyber awareness throughout the White House.

The NSC is about managing the policy process for the national security issues affecting the US government, Daniel explains. You dont have any direct formal authority over anyone. But you do have the power to convene. You have the power to raise issues to people in the White House. You have the ability to try to persuade and cajole. The background he brings will obviously color what he prioritizes and what he puts his time against. But the role itself will not be dramatically different. understanding how to get decisions keyed up in a way that you can actually get them approved.

Joyces background could affect how this administration views commercial technologies, such as cloud services, mobile technology and other advances that, while ubiquitous in our daily lives, are not yet standard across the federal government.

Trust boundaries now extended to partners, Joyce said a year ago. Personal devices youre trusting those on to the network. So what are you doing to really shore up the trust boundary around the things you absolutely must defend? That for me is what it comes down to: Do you really know what the keys to the kingdom are that you must defend?

National security cyber policy is not just defensive, however, and having a coordinator with a keen insiders understanding of offensive cyber capabilities could have a significant long-term impact on national cyber strategy.

Just as Daniel sees cybersecurity as an incentives, or economics problem, Kevin Mandia, chief executive at the cyber security firm FireEye and founder of Mandiant, its breach-prevention and mitigation arm, sees incentives and disincentives as playing a critical role for cyber criminals and nation-state attackers, alike. Simply put, he says, the risk-reward ratio tilts in their favor, because the consequences of an attack do not inflict enough pain.

Mandia agrees that the first priority for U.S. cyber policy should be self-defense. Every U.S. citizen believes the government has a responsibility to defend itself, he said at the FireEye Government Forum March 15. So first and foremost, our mission security folks must defend our networks. But the second thing the private sector wants is deterrence. We need deterrence for cyber activities.

And in order to develop an effective deterrence policy, he argues, the nation needs fast, reliable attribution the ability to unequivocally identify who is responsible for a cyber attack.

Id take nothing off the table to make sure we have positive attribution on every single cyber attack that happens against U.S. resources, Mandia says. Because you cant deter unless you know who did it. You have to have proportional response alternatives, and you have to know where to direct that proportionate response.

Where Joyce stands on deterrence and attribution is not yet clear, but what is clear is that sealing off the cracks in federal network security is sure to get more intense.

A lot of people think the nation states are running on this engine of zero-days, Joyce said a year ago, referring to unreported, unpatched vulnerabilities. Its not that. Take any large network and I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days. There are so many more vectors that are easier, less risky and quite often more productive than going down that route.

Closing off those vectors forces threat actors to assume more risk, expose zero-day exploits and operate with less cover. When that happens, the balance of cyber power could finally start to tilt away from the hackers.

Tobias Naegele is the editor in chief of GovTechWorks. He has covered defense, military, and technology issues as an editor and reporter for more than 25 years, most of that time as editor-in-chief at Defense News and Military Times.

Here is the original post:
What to Expect from the NSA Hacker Turned White House Cyber ... - GovTechWorks

Former CIA Analyst: Susan Rice’s NSA demasking denials don’t add up – Fox News

In an interview with Andrea Mitchell on MSNBC Tuesday, former National Security Adviser Susan Rice broke her silence over this weeks stunning reports that she requested the names of Trump campaign and transition officials be demasked from National Security Agency (NSA) intercepts.

It was an awkward interview. Rice confirmed that she requested the demasking of Americans while she was National Security Adviser. While Rice would not deny that she asked that names of Trump officials be demasked, she insisted the Obama administration did not spy on Mr. Trump or his staff for political purposes. She also offered some questionable explanations for the demasking process.

As a former CIA analyst who has handled requests for demasking the names of American citizens for a U.S. policymaker, I thought Rices claims in her interview did not add up.

The names of U.S. citizens incidentally mentioned in NSA reports are masked to preserve their identities because Americas intelligence agencies are barred from spying on American citizens except in extraordinary circumstances with court approval.

Rice correctly said in her interview that policymakers sometimes request to know the identities of Americans from NSA reports to understand these reports in certain circumstances. She also tried to dismiss this controversy by claiming NSA demasking requests are routine.

They actually are not routine and taken very seriously by NSA.

Rice also said there is an Intelligence Community process to review whether to approve demasking requests. This seemed to be an attempt by Rice to make her requests look legitimate because NSA carefully reviewed them.

In fact, this review is pro forma. If a senior official gives what appears to be a national security reason, demasking requests are almost always approved.

Rices interview came amid a growing controversy that the Obama administration abused U.S. intelligence to spy on the Trump campaign and leak intelligence to the press to hurt Trump. This included the illegal leaking of General Michael Flynns name from an NSA report and press reports that the Obama administration in its final weeks lowered the threshold for access to NSA information and spread intelligence about Russian interference in the election and alleged collusion between Russia and the Trump campaign throughout the government.

Also factor in House Intelligence Committee Chairman Devin Nuness disclosure in a March 22 press conference that the names of Trump campaign or transition officials were demasked from NSA reports that had nothing to do with Russia or alleged wrongdoing by the Trump campaign.

Bloomberg reporter Eli Lake confirmed this in a bombshell April 3 report in which he said the demasked reports contained valuable political information on the Trump transition. Lake also broke the story that Rice asked for the demaskings in this report.

An April 3 Daily Caller report that Rice ordered U.S. spy agencies to produce detailed spreadsheets of legal phone calls involving Donald Trump and his aides when he was running for president makes this story more interesting. Rice denied this allegation during her MSNBC interview.

Rices denials dont add up. It is hard to fathom how the demasking of multiple Trump campaign and transition officials was not politically motivated. While it was legal for her to do this, it was highly unethical and would be a huge scandal if a Republican senior official sought the names of Democratic political opponents from U.S. intelligence reports.

My guess is that Rices demasking requests were on behalf of the Obama National Security Council and were part of a broad campaign that began in early 2016 to abuse U.S. intelligence to hurt the Trump candidacy and then his presidency.

It wouldnt surprise me if former Deputy National Security Council Ben Rhodes was deeply involved in this campaign.

Despite determined efforts by the mainstream media to stamp out this story, the smoke of this scandal continues to grow.

Susan Rices interview Tuesday added more smoke.

Fred Fleitz is senior vice president for policy and programs with the Center for Security Policy, a Washington, DC national security think tank. He held U.S. government national security positions for 25 years with the CIA, DIA, and the House Intelligence Committee staff. Fleitz also served as Chief of Staff to John R. Bolton when he was Under Secretary of State for Arms Control and International Security in the George W. Bush administration. Fleitz specializes in the Iranian nuclear program, terrorism, and intelligence issues. He is the author of "Peacekeeping Fiascos of the 1990s: Causes, Solutions and U.S. Interests" (Praeger, May 30, 2002).

See more here:
Former CIA Analyst: Susan Rice's NSA demasking denials don't add up - Fox News

Yul Williams on fostering innovation at the NSA – Washington Post

Courtesy of NSA

Yul Williams is the technical director for the National Security Agency/Central Security Service, working with computer scientists, mathematicians and engineers to develop new technologies in the cybersecurity field that will assist the agency in its intelligence operations. In a conversation with Tom Fox, Williams described an NSA idea incubation technique that has led to many innovations. Fox is a guest writer for On Leadership and the vice president for leadership and innovation at the nonprofit, nonpartisan Partnership for Public Service. The conversation has been edited for length and clarity.

What is your main area of focus at the National Security Agency?

My work is centered on cybersecurity, and its mostly of a defensive nature. We are trying to gather ideas from the workforce that we can develop and implement to enhance our overall mission. Our CYBERx incubation model provides a venue where anyone in the workforce can present concepts to an audience of senior leaders that may have the potential to affect the manner in which we conduct business.

If I am an NSA employee and I have an idea, how do I get it to you?

We developed a crowdsourcing tool that is available to the NSA workforce. The workforce can look at the idea submitted and vote for or against it. They can leave comments saying why an idea is great or that it has been tried before. Afterward, a group known as the Innovators In Residence reviews the idea and decides how we can bring it into the incubation stage.

What happens next?

We guarantee the idea champion will have an audience within four weeks with the Innovators in Residence, which will make the determination whether the idea should move to the next stage. The group makes a list of all the good and bad things about the idea. The focus is mostly on the negative comments because they surface the institutional fears as to why the idea hasnt been implemented before. Our emphasis is on proving why those fears are unfounded. If the idea champion cannot overcome those concerns, the idea dies on the spot. We refer to this concept as a fast failure, and it limits the energy expanded on ideas with low mission potential. If the idea has merit, the group helps the idea champion develop a pitch that can be used to convince the organization of the value of the idea to the bottom line.

What happens if an idea passes that phase?

The idea champion is given an audience with the RIP or the Resource Investment Panel that is made up of NSA senior leaders who run organizations and have staff. Instead of giving funding for the first round of development, we ask the RIP to loan a resource to the project. For example, a resource may be an analyst who might have skill in microelectronics or optoelectronics. Once the RIP concurs, it provides resources to the idea champion who then has up to five months to conduct experiments. During that phase, the idea champion must periodically meet with the RIP and explain the experiments status. If all of the requirements are satisfied, the idea champion meets with the same panel, now called the Strategic Investment Panel or SIP. The SIP must come to a consensus about turning the idea into a product and deploying it.

How many ideas on average go through this process?

There are around 117 ideas percolating in the crowdsourcing process.

Can your approach be adopted by other agencies?

I would strongly encourage other federal agencies to adopt an incubation model. I am shocked at the amount of interest employees have in lending their ideas to make us a better agency. You should see the passion that people bring to the table and the pride they have when their idea makes it to the end of the incubation model or is even considered. We dont attribute failure of an idea as a personal failure. We celebrate that the person was willing to step away from what they do on a daily basis and take an idea through the process.

Tell me about your management philosophy or management style.

My leadership style is to respect the professionalism of the people I work with. I learned long ago that if youre working with low-skilled people, it is more direction-oriented. In this environment, we have very professional people, so you want to leverage what they have to offer and challenge them to do things that they did not believe were possible. I find that people always exceed their own expectations.

Have you learned any important leadership lessons during your time as a manager?

One of the lessons I learned is to always seek out others who have more experience in areas where you may be lacking so you can consider a wider range of ideas. It is important to confer with a diverse set of people who you can bounce ideas off of and those that help you to grow as a professional and as a person.

Read also:

A Harvard professor on the five questions to ask when facing tough decisions

Like On Leadership? Follow us on Facebook and Twitter, and subscribe to our podcast on iTunes.

Read the rest here:
Yul Williams on fostering innovation at the NSA - Washington Post

General: Cyber Command needs new platform before NSA split – FCW.com

Defense

Strategic Command chief Gen. John Hyten says that Cyber Command needs its own platform ahead of a planned split from NSA.

U.S. Cyber Command needs to be elevated to a full combatant command as soon as possible, but it should remain tied to the National Security Agency until it has its own cyber platform, according to the head of U.S. Strategic Command.

Air Force Gen. John Hyten told the Senate Armed Services Committee that he and Adm. Michael Rogers, head of the NSA and CyberCom, submitted their plan to the Trump administration calling for elevation of CyberCom "sooner rather than later."

He said that needed to happen "just to normalize that command and make sure that we can kind of develop normal command relationships between Cyber Command and all the combatant commanders including Strategic Command."

Later in the hearing, Hyten added that the end of the dual-hat leadership structure of the NSA and CyberCom will have to wait until CyberCom has an independent cyber platform from the NSA.

"There are acquisition programs of record being instituted to build those capabilities," said Hyten. "Once those capabilities are built, I would be supportive of separating the two. But I will not advocate separating the two until we have a separate platform in the services that Cyber Command can operate on."

Senators pressed Hyten on a number of cybersecurity topics, including the ramifications of modernizing the IT architecture that controls the U.S. nuclear arsenal.

Strategic Command currently oversees cyber, space and nuclear capabilities, and Hyten said they are linked in that a cyber threat that could affect command and control capabilities could undermine the U.S. nuclear deterrent, "and we have to make sure we never allow that to happen."

Hyten said Congress needs to demand that as the military services modernize nuclear command and control capabilities that they move from a 20th century architecture and not simply move from eight-and-a-half inch floppy discs to the five-inch variety.

"We will introduce cyber vulnerabilities as we walk into that, but if you work it right from the beginning, you can make sure that that threat is mitigated from the beginning," he said.

When asked whether the U.S. has the capacity to protect nuclear cyber systems, Hyten said in general he was happy with where the Cyber Mission Forces are going right now. But he warned that they do yet not have the capacity to meet all of the requirements the DOD has.

He said that currently cyber forces are specifically assigned to the combatant commands, and that DOD needs to look at cyber forces like special forces -- as a high-demand, low-density asset that needs to be centralized and allocated out based on mission priority.

"The demand signal is going to go nowhere but up and the capacity is not sufficient to meet all of the demand," he said.

Hyten also said the conversation on deterrence in cyberspace must move past the nuclear framework of the past, with its binary analysis.

"I think what's missing is a broader discussion of what 21st century deterrence really means," said Hyten. "That involves the nuclear capabilities as the backstop, but fundamentally space, cyber, conventional, all the other elements as well.""Now it's a multivariable analysis and each of those has to be put in context," he said. "And context has to be the fact that we're actually not deterring cyber, we're not deterring space. We're deterring an adversary that wants to operate and do damage in those domains."

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.

See the original post:
General: Cyber Command needs new platform before NSA split - FCW.com

CIA, NSA Aren’t the Only Federal Agencies Violating Privacy – American Spectator

Wikileaks recent dump of classified information related to the CIAs secret hacking operations has once again sparked a conversation about privacy in the digital age. While similar secret surveillance programs like the NSAs PRISM have been in the public eye for years, other government agencies thatmishandle millions of Americans private information in the light of day are often left unchecked.

Take the U.S. Census Bureau, for example. Since 2005, Census has selected approximately three million Americans annually to complete the American Community Survey (ACS), collecting information on the nations demographic, social, economic, and housing characteristics. While theres no question that the ACS collects some valuable information, the intrusive nature of the survey and the poor security measures with which Census handles respondents personal information should be a cause for concern no less sothan any surveillance by the CIA or NSA.

The methods used by Census Bureau employees can vary in the degree to which they violate a persons privacy. Some may only receive letters in the mail, appealing to the persons sense of community, with a veiled threat if they do not comply. Others have received a personal visit from a Census employee, often resulting in pressure or downright intimidation to complete the survey.

Take Kimberly Hayes of Sapulpa, Oklahoma. After being threatened with a fine by mail for refusing to fill out the form because some of the questions made her uncomfortable, a man sent by Census visited her home unannounced in the hopes of getting her to complete the ACS. The man started walking around and was looking in windows, according to Hayes.

If this gentleman had been trying to conduct a survey on behalf of a companys marketing department, Hayes could have told him to get lost without fear of repercussions. She might even have been able to prosecute him for trespassing. So long as the ACS exists, however, the letter of the law is against people like Hayes. If our government treated its citizens with the respect that companies reserve for their customers, violations of privacy would be far less frequent.

Unfortunately, our government is more often a technological laggard than a pathbreaker. Census has been remarkably slow in following the private sectors civilizing example. Recipients who fail to fill out the online ACS are sent a paper copy that they are asked to return in the mail, chock-full of personal information that could be damaging in the wrong hands. Questions range from the embarrassing (e.g. Question 18b, Does this person have difficulty dressing or bathing?) to the dangerous (e.g. Question 33, What time did this person usually leave home to go to work last week?).

Furthermore, the Census database is vulnerable. It has already been hacked into as recently as 2015. While Census tried to reassure nervous Americans that survey information remains safe, secure and on an internal network, bureaucrats dont always follow internal safety protocols. In 2011, the State Department operated an internal network that broke federal standards and may have left sensitive material vulnerable to hackers according to the Associated Press.

Many ACS answers are already compromised by design. On the Bureaus microdata website, anyone can download data of anonymous individualized ACS responses for areas with as few as 600 people. The only defense against those who might use ACS data for nefarious purposes is the bolded command: Use it for GOOD never for EVIL.

There are better ways to acquire sensitive information while protecting the privacy of citizens. For instance, in Europe, there are many viable census models already in place that drastically reduce privacy violations, and are more cost effective to boot.

The Netherlands, Slovenia, and Austria are among eight European countries that obtain census data without employing costly survey employees to harass their constituents. These countries use models that only process data from what other government agencies have already collected, so there is no added risk of privacy violations from mandatory and redundant surveys. The monetary and psychological costs of harassment suggest that we should look for foreign alternatives, perhaps even outside any government solution.

If the destruction of the ACS does indeed leave a void in the market for knowledge, then a private company could fill this gap, while heeding a mandate to respect our privacy. The fact of the matter is that our government has rarely prioritized the right to privacy for American citizens, regardless of which party is in power.

The benefits of the ACS have been greatly exaggerated, especially when we consider viable alternatives. The monetary costs of the ACS, while excessive at over $1.3 billion per year, are nothing compared to the psychological damage done to three million Americans annually. Our right to privacy has been offered up by our government on the altar of the common good. Americans who love their liberty should support replacing the ACS with a more conscientious alternative.

Census collection c. 1940 (Wikimedia Commons)

See the article here:
CIA, NSA Aren't the Only Federal Agencies Violating Privacy - American Spectator