29 August 2015

EXCLUSIVE: Managing Cyber Risk In The Shadows -- A Q&A With NSA's Chief Risk Officer

By: French Caldwell, Chief Evangelist, MetricStream
08/26/2015

Perhaps the most crucial infrastructure in the US – and globally – is the country’s intelligence and security community, which ensures national security for the US and its allies, thus ensuring that global economic commerce operates in a stable and secure environment. But can risk management also play an effective role in the “shadow work” of the intelligence and security sector? In a question and answer session, Anne Neuberger, Chief Risk Officer at the National Security Agency (NSA), presents a strong case in support of this idea.

Neuberger serves as NSA’s first Chief Risk Officer and is a member of NSA’s Senior Leadership Team. As Chief Risk Officer, she is responsible for creating and maturing a methodology and processes to assess risk across NSA’s mission, and implementing an enterprise risk management process.

Prior to her assignment as Chief Risk Officer, she served as the director of NSA’s Commercial Solutions Center, responsible for NSA’s interface and partnerships with the private sector. Prior to that, she served as Special Assistant to the Director for the Enduring Security Framework (ESF), building a deep and effective partnership between leading companies, the Departments of Defense, Homeland Security, NIST and NSA on initiatives across a broad set of technical and policy areas. In this capacity, she led the Department of Defense’s Defense Industrial Base Pilot, defining the first policy and legal framework for government sharing of classified signatures and indicators with Internet Service Providers (ISPs). Prior to ESF, she served on the US Cyber Command Implementation Team which led the planning and standup of USCYBERCOM.

Prior to joining NSA, Anne served as the Navy’s Deputy Chief Management Officer and a Special Advisor to the Secretary of the Navy, with responsibility for guiding Navy enterprise IT programs.

Question: Getting back to first principles, what is the key risk that the NSA faces? Can your program of enterprise risk management help to reduce this exposure?

Neuberger: In many ways, the NSA is like any large enterprise; we have global communication networks we need to secure and a workforce we need to retain, but the key risk as a member of the national security environment is to protect this country -- the United States -- and prevent a national security incident while also retaining the trust and confidence of the American people.

The enterprise risk management framework is at the root of that. As we across the enterprise on the senior leadership team think about our risk appetite statement -- what is and is not acceptable risk -- we have been breaking down and trying to glean the principles from all those post-Snowden articles to understand how the American people think about their privacy. It is particularly challenging within the current threat environment, since many transnational threats -- counterterrorism, counter proliferation -- are using the same communications technologies that the average American is using. So, thinking through how we can balance that and clear risk appetite statements that can guide our work is really the crux of how we manage that core risk.

The concept of an enterprise-wide risk management [ERM] framework has been something that the NSA has been thinking about for a while, in terms of providing guidelines in determining what is acceptable and unacceptable risk. We’ve been breaking down and trying to glean the principles in terms of how the American people think about their privacy … how individuals think through this balance of risk versus privacy.

Technology at the NSA is critical, and establishing risk management guidelines is really the crux of how we manage this core risk. The technology side is really challenging from a risk management perspective, as we are using the same technology as the private sector and the average American, as well as other counter-terrorism agencies, and sometimes the very insurgents representing risk to the country.

Question: A lot of our customers are in financial services, and are the biggest investors in GRC. Government organizations are starting to come along now, but as you pointed out, there are many components of government that are in the business of risk management -- the NSA, other intelligence agencies, the Department of Defense, and so on -- and sometimes risk in those types of organizations can be a surprise, which can take on political ramifications that may magnify the risk beyond what its actual magnitude is. So it becomes important to avoid surprises – can risk management help in avoiding surprises or better preparing for them such that we don’t magnify the public perception of risk greater than what it actually is?

Neuberger: Absolutely. One of the risk appetite statements that we have been thinking about is: The agency will not put the life of an agency employee at risk with X approval or Y value determination. Those kinds of statements give a heads up within the NSA to employees who feel very strongly about the mission and who feel very strongly about their work, to say this is the way we as an enterprise value you and your work. Both defining those principles, defining across our enterprise a risk management framework, what drives the likelihood and severity of risk, and putting into place processes where we consistently assess and re-assess that, I believe will help prevent surprises. And we have started taking those steps.

Defining risk principles as part of our risk management process enables us to continually assess and reassess risk scenarios. I believe this risk management approach will help prevent surprises.

Question: One of the barriers is being able to listen to risk. I heard you talk about enabling or encouraging employees and individual analysts not to avoid the analysis of information to help identify the right risk. Is there anything you are doing on the willingness to listen side of it -- people at the top being open to hearing this risk?

One of the barriers within private sector enterprises is the willingness of management to listen to potential risk associated with projects -- addressing this risk might kill a deal, etc. In terms of the NSA, what are you doing to overcome the barrier of “willing to listen” -- are the people at the top hearing this risk?

Neuberger: The NSA has a very interesting culture. I joined the agency about six years ago, and there’s a tremendous culture of compliance, which you might not expect from reading the press over the last couple of years. It’s ingrained in mandatory training; it’s ingrained into how individuals are sworn in on their first day on the job. The sense that as a foreign intelligence agency the protections afforded to US persons and those protections extended by the president more broadly around the world.

So, I think very much that sense of raising the flag for folks to say, “I am concerned about compliance risk,” is baked into the culture, and we are building on that [culture] by applying it to other risks, whether they be operational risks or disclosure risks. We are an intelligence agency and there are often sensitive sources and methods, so ensuring that is balanced in how individuals both feel empowered to raise risks but also think about how each individual can mitigate cross-agency risks in the way they behave and make decisions.

Question: Sharing risk is going to mean that sometimes those risks are going to end up being shared with other groups that may look at those and have some criticism, or may be shared publicly. So, there have been criticisms in the past that the NSA has not been transparent enough. You’re in the business of secrecy, so how do you balance the need to be transparent about the risks the agency has to manage and being able to accomplish your mission, which depends on privacy?

Neuberger: You’ve hit the crux of a very difficult challenge for us. The President and the National Security Advisor have tasked the NSA -- and the broader Intelligence Community -- to be more transparent as part of that goal of retaining the trust and confidence of the American public. We’ve given significant attention to how you balance the fact that by definition an intelligence agency often operates in the shadows with the fact that in a democracy that same intelligence agency must retain the confidence of the people it serves.

In terms of the NSA, we have set a series of principles in place to determine the impact of the need for operational secrecy and the need to protect assets while taking into account the need for public transparency -- the mission value has to be commensurate with that risk.

For example, if we determine that an effort has potentially high severity in terms of highly sensitive sources and methods if disclosed, let’s reduce the number of people who potentially know that. Make sure individuals know about it, but also make sure we think about how to protect that information. On the other hand, if there is a particular effort that has a higher likelihood of disclosure or impacts a broader set of technologies, let’s potentially talk about it. Let’s explain the mission value and some of the things we are juggling, like the fact that many transnational threats use the same communications technologies as the average individual.

Question: Just to stick with the transparency issue for a moment, there’s a fear about being too open to the risk an enterprise faces. How can the principles of GRC and risk management overcome this internal inertia?

Neuberger: At the NSA we have a bottom line, and that’s about protecting the country. Protecting resources is really secondary to protecting human resources, so ERM for us is about outlining principles and ensuring that we are looking at end-to-end risk associated with an operation.

Technology sometimes outpaces policy -- so we have to say in such circumstances, “how do we value this mission decision,” because in many cases the policy guidelines are not there. So, by establishing a risk management framework with risk-driven guidelines, we are able to provide direction where before there was none. As a result, we are seeing folks [NSA employees] saying, “Oh, I can see where this really helps us with ‘eyes wide open’ to take risk because it’s worth it.”

Question: In this day and age of cyber risks, organizations have to be quick in sharing information regarding technology network breaches and/or loss of data. Recently we’ve seen several bills introduced on the Hill relating to sharing of information between government agencies and the private sector. The question is what needs to be done in partnership between the government and the private sector in facilitating this rapid exchange of information to reduce cyber risk -- this really is the bottom line.

Neuberger: Cybersecurity is a fascinating area because, from a national security perspective, the vast majority of critical infrastructure in the United States is privately owned. So the role the government can play in ensuring the stability of critical infrastructure in response to cyber threats is really fundamentally an enabling role where the government can enable the private sector to better protect its critical capabilities.

I’ve been involved in a number of areas where we try to manage the risk of sensitive threat information by thinking of creative ways to get it to the private sector as needed, most often in partnership with the Department of Homeland Security [DHS]. We have used creative approaches, like the Enhanced Cybersecurity Services Program, where, under DHS, sensitive information is shared with participating ISPs so that all of their customers can benefit from that intelligence. In that risk management program, we tried to control the number of recipients to manage the risk to that sensitive threat information but also tried to find entities that had a way to magnify that cybersecurity protection. ISPs were chosen because of their role in providing security services to private sector companies.

There have been other efforts as well. There are many opportunities for creative thinking. How does government think creatively about getting that threat information to the private sector in open and transparent ways?

From a national security perspective, the vast majority of critical infrastructure of the country is in the hands of the private sector. The role the government can play is ensuring the stability of this infrastructure in relation to cyber threats; but, really, measures in reducing this risk are in the hands of the private sector. The role the government can play is providing the means to enable the private sector’s capabilities in protecting this infrastructure.

We are looking at creative ways to share critical cyber-risk information with the private sector, mainly through DHS, so there are a lot of different creative approaches we are using. For instance, the Enhanced Cyber Security Program serves as a conduit in exchanging sensitive cyber threat intelligence with private sector organizations, such as ISPs, with the view that organizations such as these will provide a multiple effect in having services and software enhanced to protect the average American.

Question: We’ve talked about cybersecurity, a subject which is in the media headlines today. But, if you go back three years ago, and looked at the CEO corporate surveys that asked these leaders what were their top ten risk concerns, ironically cyber risk ranked number 11. Thanks to the Sony attacks, healthcare breaches, etc., it has moved way up. Subsequently, based on the number of disclosed cyber system hacking and data loss incidents that have occurred mainly in the retail and healthcare sectors, the issue of cyber threats has moved way up the risk profile list of top executives.

My concern, however, is that CEOs are “chasing headlines,” in terms of reacting to an event rather than looking to stay ahead of the curve. To me, risk management should be about staying ahead, and looking for the next potential big risk and preparing the enterprise for that. Are there any things that you might be seeing as potential future risks that are not already in the headlines? Or for that matter, risk areas that people are not paying attention to?

Neuberger: You ask two interesting questions. The first: Is cybersecurity merely a headline? From where we sit, it is certainly not. Cyber risk is definitely not just a headline issue today, as more and more of enterprises’ core proprietary information is shifted to and across cyber networks – the movement of this critical data represents increased risk exposure to both outside and inside system breaches. This is particularly the case for global enterprises.

The former NSA director said that offense is always easier than defense when it comes to protecting cyber networks. For enterprises, I would say that they need to understand what good risk indicators are in monitoring unique risk exposures. One enterprise-specific point that struck home with me is understanding what good risk indicators are for your enterprise and monitoring them.

As for the NSA, we’ve been applying that lens to what potential risk exposure events are, and what the indicators are pointing to as the potential compromise of operations. We’re looking at all these issues, and really pulling these through so we can really think about the broader way to identify and look at risks that transcend across the agency.

French Caldwell is chief evangelist at MetricStream, and one of the foremost thought leaders in IT. Caldwell has been decisively shaping the GRC market for the last 12 years. He’s a former fellow and vice president at Gartner where he led their GRC research, including the influential Gartner Magic Quadrant on GRC, as well as research into disruptive technology. He also worked with the White House and US Naval War College in 2002 to develop the Digital Pearl Harbor war game, the first ever strategic assessment of cyber war strategies. In 2012, the game took on a very real form with the strategic attacks on oil and gas infrastructure in Saudi Arabia and Qatar. French is a retired naval officer and a nuclear submariner. Post-retirement, French served as a diplomatic liaison to NATO for the post-Cold War Congressional Commission on Roles and Missions of the Armed Forces.

As an academic, French served as a Federal Executive Fellow at the Brookings Institution, an adjunct fellow at the Center for Strategic and International Studies and an adjunct professor and graduate research advisor at the George Washington University School of Engineering Management. He has a PhD in Law and Policy, an MA in International Economics, Strategy and Diplomacy, and a BS in Oceanography.
