As the intelligence agency tasked with deciphering coded communications and carrying out a range of other clandestine surveillance operations, the National Security Agency has been shrouded in secrecy since its inception. But in a series of steps taken over the last year, the NSA has changed its approach—at least a little—by being more forthcoming about its cybersecurity operations.
On Friday, the agency published a 20-page cybersecurity year-in-review, pulling up the curtain on some of its election security efforts, cybersecurity products, and plans for the future. The review—the first of its kind for the NSA—follows the agency’s decisions earlier this year to create an @NSAcyber Twitter account and proactively warn companies about vulnerabilities instead of staying quiet.
“This is the first cybersecurity year in review NSA has put out… Releasing it publicly is part of our efforts to continue to further transparency and trust,” Claudia Borovina, an NSA public affairs specialist told The Record.
While the review likely omits a large portion of the NSA’s cybersecurity activities (even basic details of the organization, including its employee count and budget, are officially classified), much of it is surprisingly frank.
“Eighteen months ago, several colleagues and I discussed the results of an internal study to examine the state of the cybersecurity mission at NSA. The findings were grim. As technology and the cyber threat had rapidly evolved, it was clear we had not always kept pace,” wrote Anne Neuberger, the NSA’s director of cybersecurity who earlier this week was tapped by president-elect Joe Biden to serve in a newly created role on the National Security Council.
“As we began our first year, we took a deliberate approach to building trust by sharing unclassified threat and cybersecurity advice. We forged deeper relationships with our U.S. government and industry partners to deliver better outcomes than any of us could achieve alone,” Neuberger added.
In some ways, the report can help inform cybersecurity professionals both in the public and private sectors about the emerging threats that the NSA is focused on.
For example, the agency highlighted how it has “embarked upon a broad effort to modernize the Department [of Defense’s] cryptography” by making it resistant to quantum computer attacks. Although cybersecurity experts say such a threat is likely several years away, they warn that the development of quantum computers would render much of today’s encryption obsolete—the computers are theoretically capable of quickly solving complex problems, like cracking an encryption algorithm.
Additionally, the NSA highlighted the 30 unique cybersecurity advisories and other products that it released in the last year, and explained that it quantifies the success of these advisories by measuring the increase in patching, the impact to adversary behaviors, and qualitative assessments of the value added to the cybersecurity community.
Last January, for example, Microsoft released a patch for a critical vulnerability in Windows 10 that was discovered and disclosed by NSA.
“The vulnerability affected millions of users around the world and, if it had been discovered by foreign adversaries, could have been used to undermine cryptographic trust across vast numbers of networks,” according to the report. “In a significant departure from past practice, NSA accepted public recognition for this discovery and disclosure.”
The NSA also highlighted what it sees as the three top foreign threats in 2021: Russia, China, and Iran. North Korea—the other nation state commonly seen as a cybersecurity threat—was not mentioned in the report.
The report warned that China is using “widespread intellectual property theft” to help Chinese companies and its military, while Russia is using disinformation and other cyber operations to destabilize regions. Iran has notably targeted critical infrastructure across the Middle East with cyberattacks.
“In response, NSA will relentlessly pursue our adversaries to keep them out of U.S. networks,” the report said. “We’re going to share our threat insights and technical expertise to the fullest extent possible so you can do the same.”