PHOENIX–The National Security Agency does not spend much time showing its work publicly. Indeed, the agency’s work depends on most people not knowing what’s going on inside Fort Meade. But recently, NSA has stepped up its efforts to work with cybersecurity analysts and researchers in the private sector, hoping to gain insights from outside practitioners while also lending context to the discoveries and research private companies produce.
The centerpiece of that effort is the NSA’s Cybersecurity Collaboration Center, a new group created about two years ago with the mission of building lasting, productive relationships with private sector partners that help defenders on both sides of the fence react more quickly and efficiently. The CCC is not meant to be another in the endless list of public-private partnerships or information-sharing silos that the federal government has created over the years. Instead, it is meant as a two-way street, with NSA giving as well as taking.
“We only know one part of the picture. The intelligence community has to be in that conversation. We need to bring our data and understanding of what’s happening to get ahead of it.” Morgan Adamski, director of the CCC, saud during a keynote at the LabsCon conference here Thursday.
“Operational collaboration is a conversation between us government defenders and you, sharing unique and timely info with context.”
That last word is the real crux of the effort. NSA and its partners in the signals intelligence community collect massive amounts of information on a daily basis and have insights into networks and environments that private organizations don’t. That gives the agency the ability to add context and color to discoveries that other organizations make, creating a more complete picture of a given threat or attacker’s activities. In the past, NSA and other government agencies typically have shared very limited information on attacks or vulnerabilities, and usually on a case by case basis. Adamski wants to change that.
“We were only helping one company at a time. Ninety percent of the time, when we share technical indicators, people already know them. What we were missing is real time sharing with context and actionable unique information. The intelligence community had to come to the table,” she said.
To underscore the spirit of cooperation and openness, the CCC itself is physically located outside the fence line on NSA’s Maryland campus and Adamski said much of the work the group does with outside partners is done on an unclassified level. The goal is to build a level of trust with the private sector that has not always been there in the past.
“We have to make sure we care about the same things. We need trust. If you don’t trust me with your data, things can break down pretty quickly, she said.
Though the CCC is meant to share information with outside organizations and help defenders protect their networks, the NSA is benefitting, as well.
“We’re learning a ton back about things we didn’t know. We’re moving faster. Attribution is coming faster because everyone is feeding data into ont place and we’re building a more complete picture,” Adamski said.
One recent example of that is the advisory that CISA published in April 2021 warning that state-sponsored attackers from China were targeting users of the Pulse Connect Secure VPN, including federal government employees. Adamski said NSA became aware of the attacks when a partner in the private sector alerted the agency, which then set off NSA’s own investigation.
“We saw significant targeting of VPN users after the shift to remote work. We were able to take the information from our partner and add context and color and put out the advisory,” she said.