One of the early tasks the National Security Agency’s new cybersecurity directorate will have is helping to secure the defense industrial base and defense weapons systems, the agency’s director said Oct. 9 at the FireEye Cyber Defense Summit in Washington.
Gen. Paul Nakasone, NSA director, said he gave the agency and the directorate, which opened last week, an initial task as it addresses the demanding challenge of preventing and eradicating cyberthreats to national security systems and critical infrastructure.
NSA's new cybersecurity directorate seeks to provide private sector with better unclassified intelligence.
“We must better protect our nation’s advantage and the defense sector from intellectual property theft,” he said. “This means working closely with the defense industries and those who provide cybersecurity solutions to them.”
Senior national security officials have said the United States finds itself in a strategic competition against actors such as Russia and China, and these nations have sought to exfiltrate the data of defense contractors, especially smaller companies at the lowest levels.
Several Navy breaches — largely attributed to China — targeted contractors that were determined to have information that wasn’t itself classified, but in aggregate disclosed sensitive capabilities. Adversaries have realized they can target small to medium-sized manufacturing companies with crippling cyberattacks because, in many cases, these companies provide the Department of Defense with critical services but often are so small that they don’t have the wherewithal to institute enough cyber defenses against intrusions.
The 2018 Department of Defense cyber strategy notes that the department “must be prepared to defend non-DoD-owned Defense Critical Infrastructure (DCI) and Defense Industrial Base (DIB) networks and systems.” The chief goal with respect to critical infrastructure is in “maintaining an ability to defend DCI to ensure the infrastructure’s continued functionality and ability to support DoD objectives in a contested cyber environment,” while the goal pertaining to the DIB is ensuring it is protected to avoid sensitive systems exposure resulting in the erosion of any potential advantages.
DoD is already working on a tiered cybersecurity framework, the Cybersecurity Maturity Model Certification, contractors will have to abide by depending on the sensitivity of systems they’re charged with protecting.
Forthcoming cybersecurity controls are designed to help the Department of Defense and small business work together to protect sensitive data based on tiers of systems.
Where NSA can help, Nakasone said, is offering its assistance in keys, codes and cryptographic materials that secure sensitive government data.
“The new cybersecurity directorate will improve this aspect of NSA’s unique mission with a threat-driven, forward-looking mindset. We’ll be able to harden our defenses, resolve vulnerabilities,” he said.
“Our patches will be informed by exquisite insight in adversary’s plans, intentions and capabilities. These are insights generated by NSA’s signals intelligence systems. These insights will help us to achieve the second part of the vision, the charge to eradicate cyberthreats.”