The NSA’s Cybersecurity Collaboration Center opened its doors in December 2020, with the stated goal to improve partnerships between the Department of Defense and the private companies that supply it in order to improve collective cybersecurity defenses and protect sensitive systems.
Right around that same time, the U.S. government and private industry were learning the details of a lengthy and devastating espionage campaign secretly waged against them by Russian hackers in what would come to be known as the SolarWinds hack.
The full scope of the damage caused is still not public, but the timing for the center’s creation couldn’t be more apt.
The unveiling of the center marks a huge shift for an intelligence agency that was once so secret U.S. officials declined to even acknowledge its existence. Now, its leaders regularly engage with the public, appear on television or at industry conferences and provide commentary for cybersecurity news items of the day on platforms like Twitter.
Gen. Paul Nakasone, director of NSA and U.S. Cyber Command, said this week that the Collaboration Center was an outgrowth of the agency’s reorganization two years ago when it created a cybersecurity directorate.
Officials quickly realized that many of the biggest problems they faced were inextricably enmeshed with the private sector and other stakeholders, almost none of whom had the clearances to see what NSA could see. That necessitated a pivot to a more public-facing role and the creation of a center whose operations were designed to operate in the light of day.
“This is a culture change for the National Security Agency,” Nakasone said during a cybersecurity conference hosted by Palo Alto Networks this week. “We normally don’t operate off of anything that’s less than top secret … but if our partners are all operating within the confines of unclassified networks, why aren’t we there, too?”
The center’s work is split along three core missions: fostering collaborative partnerships with industry to protect U.S. national security and contractor systems; joint analysis with industry and academia on shared cybersecurity problems; and working to design and build better security into the commercial products that everyone — industry, the U.S. government and the rest of the world — relies on.
Expansion of cyber 'nerve centers'
In an interview with SC Media, Technical Director Matthew Seligman noted the center is both an organization within the NSA as well as a physical location. That second part is critical, as the agency believes many of the collective efforts and bi-directional information sharing the center is designed to work on require real-time, face-to-face interaction. These challenges include both the tactical, such as responding to the immediate fallout from large, damaging hacks with cross-sector impacts like the SolarWinds campaign, as well as longer-term strategic problems, like reducing the digital attack surface for the U.S. Defense Industrial Base and contributing to the Enduring Security Framework.
Of course, the center first opened its doors during the height of the COVID-19 pandemic, and some of those plans had to be temporarily shelved to shifted to remote interactions, but as the pandemic (hopefully) recedes, those in-person interactions will continue to be a feature of the organization’s work.
“We had to spend a lot of time understanding how to build the technology and the capabilities so that we could push out these robust collaborative relationships with industry,” said Seligman, later adding “We realized we needed to invite [them] into our space so that we could sit side-by-side, look at data, make conclusions and then push out those mitigations.”
They’re not alone.
There is no shortage of “nerve centers,” collaboration hubs, information sharing vehicles and other initiatives dedicated to solving shared cybersecurity threats between industry and government. For example, the Cybersecurity and Infrastructure Security Agency (CISA) just opened its own center, the Joint Cybersecurity Defense Collaborative, in August, while the Department of Energy recently dedicated $10 million to establish a network of regional cybersecurity research centers to partner with academia and industry and bolster the security and resilience of U.S. electrical power systems.
When asked how the Collaboration Center distinguishes its work and mission from others in government, Seligman said the NSA’s legal authorities — which largely restrict the agency to national security systems and contractors — help narrow the focus considerably. Within the contracting space, the bulk of the center’s work focuses on companies that work on or build capabilities for the most critical U.S. national security systems, including cryptographic systems, space, weapons and nuclear system and their largest supporting service providers.
Even here, NSA officials must tread carefully and keep their work in line with a vast and sometimes confusing web of legal requirements imposed on those same systems from the National Institute of Standards and Technology (NIST), the Cybersecurity Maturity Model Certification program, contract offices, the Defense Information Systems Agency (DISA) and others.
The other parts of the agency’s writ, defending against foreign threats and exploiting technologies, fit neatly into many traditional cybersecurity research and analysis efforts.
“I would say the things that NSA brings to the table are, one, our ability to understand the foreign threat, as that’s where our authorities derive from. The second thing is that we are one of the more technical agencies within the intelligence community and the Department of Defense,” said Seligman. “So in the development of analytic tradecraft, or understanding a very sophisticated adversary, NSA is uniquely positioned to bring subject matter expertise to understand the threat, to be able to characterize it and develop mitigations against it.”
These are, to be sure, massive and broad security problems that probably won’t ever be solved or eliminated no matter how much government and industry partner together. The sheer amount of IT hardware and software code needed to run the world today means there will always be another vulnerability, piece of malware or campaign that breaks through even the best-defended networks.
That stark reality can make it difficult for public-private efforts like the Collaboration Center to measure the true impact of their work and whether it moves the needle. Seligman said the center could point to instances where their interactions helped improve the baseline security of a commonly used technology product, or the number of cybersecurity guidance documents they push out to DoD and its partners.
But the real (and harder to quantify) metric he relies on is answering the question: “Have we caused the adversary to have a harder time achieving their goal?”
“We want to make sure that the adversary has the smallest attack surface available to them,” he said. “We want to make sure that our mitigations get out to customers who can take action on them [and] we want to make sure that we’re not just passing information for the sake of information.”