25 December 2016

Briefing Notes From Visit to NSA

A few weeks ago, I was part of a “National Thought Leaders” visit to the National Security Agency. Famously secretive and opaque (see, No Such Agency), the NSA started conducting this type of outreach after the Snowden disclosures in an attempt to correct what it saw as misunderstandings about its surveillance and intelligence roles. The day consisted of briefings from high level officials involved in NSA operations, information assurance, legal authorities, industry partnerships, and privacy and civil liberties oversight. We also spoke with Cyber Command officials. The briefings were conducted according to Chatham House rules, and below are some of my takeaways, unattributed to any one official. 

Loud cyber weapons. A senior official confirmed that sometimes Cyber Command wants an adversary to know it has conducted an operation and so in some instances it embeds the equivalent of “from U.S. Cyber Command” in the code. As Chris Bing reported in September, Cyber Command officials have been publicly discussing the need for capabilities that may help with attribution and deterrence and are distinct from NSA’s, which wants to remain ultra-stealthy. Unfortunately, there was no time to raise some of Herb Lin‘s excellent questions about how a loud cyber weapon might operate. 

Splitting NSA and Cyber Command. Admiral Michael Rogers is currently dual hatted as Director of the NSA and head of U.S. Cyber Command. The White House is reportedly planning on splitting the position, making a civilian director of NSA. The response inside of Fort Meade was generally supportive of the move, as long as investment in Cyber Command kept pace, especially since expectations were that it would be conducting more offensive operations in the future. 

Need for a new workforce model. The NSA has traditionally promoted from within, and retention remains high–96 percent across the agency as a whole. But the lure of higher wages has pushed attrition to 15 percent in some critical skill areas, and one of the unexpected outcomes of the Snowden revelations has been more aggressive recruiting from a private sector that now has better understanding of NSA operators’ skills. Former director Keith Alexander painted a more negative spin recently, saying that “people are increasingly leaving in large numbers and it is a combination of things that start with [morale] and there’s now much more money on the outside.” Officials believe the old model of employment for life is too static, and talked about more frequent flows between companies and the NSA. 

Private sector outreach. Although there was some worry that the convergence of information assurance and intelligence gathering under a single operations directorate would heighten suspicion and hamper cooperation with the private sector, officials said the mid-term impact has been minimal. Despite the bureaucratic reorganization, the two roles remain distinct, and the personal relations tying those in information assurance to the private sector continue to be strong. There are reports, however, that one of the sources of low morale in the NSA under Rogers is the decision to merge offense and defense together. 

Cyber force. One official, who supported the idea during Cyber Command’s early days, argued against creating a new cyber force to stand along the army, navy, airforce, and marines. This (civilian) official feared that one cyber force would mean the loss of the services’ distinct views and experiences, which have been critical in planning and conducting offensive operations.

No comments: