WASHINGTON: The head of the National Security Agency’s Cybersecurity Directorate said that one of his agency’s top priorities has become protecting US weapons systems from cyber threats, representing a shift in focus brought about by the rise of an increasingly multipolar world with highly capable cyber adversaries.
“We spent the past 20 years in Afghanistan, where our weapons systems were not targeted by the foe,” because it lacked the technical capability, NSA’s Rob Joyce told the annual Billington Cybersecurity Summit on Wednesday. “But near-peer adversaries have the capabilities to exploit us when we do things incorrectly,” Joyce continued, referring to China and Russia. Joyce also said Iran and North Korea remain a concern as increasingly capable cyber adversaries.
“In terms of weapons systems, we have computers on wings, at sea, and on land. We don’t think of [weapons systems] that way, but none of them work without computers,” Joyce observed.
Indeed, the Defense Department’s Joint All Domain Command and Control (JADC2), viewed by officials as a sort of holy grail for future warfare, is envisioned to be a large network — or an interconnected network of service-specific networks — that will rely on many traditional information technologies. As such, allowing these networks and their components to be compromised would pose a grave threat to warfighters’ safety and their ability to conduct missions.
The threat is not theoretical nor is the risk abstract, as the military learned last October when it “failed” in a wargame against an “aggressive red team” meant to emulate China or Russia. That catastrophic exercise prompted the Joint Chiefs of Staff to redouble their focus on securing cyber and space networks, which knit disparate warfighting systems together.
Weapons systems fall under the umbrella of a special class of government information technology called National Security Systems (NSS), which have always been the predominant domestic purview of NSA’s cybersecurity efforts. So the shift in focus is not around the historical role and responsibility of NSA, but rather an acknowledgement that the US faces more technologically savvy cyber actors who could be — and probably already are — looking for cyber vulnerabilities in these systems.
Joyce said one aspect of NSA’s focus on NSS entails getting to the defense industrial base “to view weapons systems end-to-end” for security while building them and to treat securing the systems not as a one-off task, but rather “knowing they will be under threat” constantly.
Despite their importance, there is no current authority that can issue cybersecurity directives for NSS. The House’s version of the 2022 National Defense Authorization Act requires NSA’s director, Gen. Paul Nakasone, to identify “impediments” to establishing an authority for issuing cyber directives for NSS.
Currently, the Department of Homeland Security, through the Cybersecurity and Infrastructure Security Agency, issues cyber directives for executive branch agencies. The Joint Functional Headquarters-Department of Defense Information Network issues directives for military and subordinate components. But no authority can currently issue cyber directives for the special class of NSS, which also include intelligence systems, classified networks, and networks that host NSA’s cryptologic activities. The need for such an authority is unclear, given that in practice, the NSA is adequately motivated and very likely ahead of other authorities on proactively mitigating cyber vulnerabilities in the NSS under its purview.
In addition to securing weapons systems from cyberattacks, Joyce said that NSA’s other top priorities include “understanding nation-states’ intentions” and developing next-generation cryptologic systems that will still protect secrets amid the widely predicted advent of quantum computing, particularly via post-quantum cryptography.
As for nation-states, Joyce said NSA’s goal is to get at foreign threat actors “at scale.” To do this, Joyce said NSA’s Cybersecurity Collaboration Center has formed fruitful partnerships with the private sector.
“Bringing in industry’s big data and combining it with what we know about foreign threats is kind of that chocolate and peanut butter moment,” Joyce said.
This includes, Joyce said, leveraging NSA’s signals intelligence (SIGINT) capabilities, which he called NSA’s “secret sauce” — a day after Nakasone called SIGINT NSA’s “superpower.”
Joyce also echoed his boss’s comments on Tuesday about ransomware. “Six months ago, ransomware was viewed [by NSA] primarily as a criminal issue,” Joyce said. Given recent events, he added, that’s no longer the case.