
NSA gains new cybersecurity authorities over national security systems


The White House issued a memo today that gives the National Security Agency (NSA) more authority over protecting national security systems and seeks to better position the Department of Defense (DoD) and intelligence agencies to handle a range of digital national security threats targeting cloud systems and outdated encryption standards.

The memo places the NSA in a role similar to the one the Cybersecurity and Infrastructure Security Agency (CISA) plays among federal civilian agencies. The agency will now have the authority to issue emergency and binding directives that require agencies to take discrete actions on cybersecurity problems or emerging threats.

While each agency will still ultimately be responsible for protecting its sensitive systems and data, the memo gives the director of the NSA wide latitude to designate what constitutes a national security system at other defense and intelligence agencies, examine systems for security controls and incident response, and issue new requirements or activities meant to shore up cybersecurity.

It also establishes the NSA as the “focal point” for visibility over cybersecurity threats that affect military and intelligence systems. Within two months, the NSA will issue a directive ordering agencies to send relevant information for any and all “cross domain solutions” or systems that connect to other systems with different levels of classification. Agencies will send logs, IT asset inventories, patching history and other information to the NSA, which will serve as the principal advisor for all such actions.

The memo also puts responsibility on DoD, the FBI, the CIA and the Office of the Director of National Intelligence to flesh out a framework for conducting incident response activities on national security systems and requires any breach to be reported to the NSA.

The order lays out a number of timelines for military and intelligence agencies to follow.

By March, each agency with systems that handle sensitive or classified national security data must update its plans around zero trust and cloud adoption. By April, the Committee on National Security Systems must establish minimum security controls for national security IT systems that are migrated to the cloud. Agencies must also confirm by July that all national security system data are using multifactor authentication and encryption protocols, both for data at rest and in transit.

On the encryption side, the NSA has been at the forefront of implementing new encryption protocols that can withstand potential attacks from quantum computers in the future. The memo puts the NSA in the driver's seat of implementing similar transformations across the national security space, including contractors. Defense and intel agencies will have six months to map out any systems that are not compliant or not using NSA-approved algorithms and establish timelines for replacing them.

A House report on the National Defense Authorization Act last September explicitly floated giving the NSA the authority to issue binding operational directives, saying that while current law allows the Joint Functional Headquarters-Department of Defense Information Network agencies “to direct required actions to the majority of the federal government, there appear to be impediments to a comparable authority over National Security Systems.”

At the time, one former NSA employee told SC Media that it would depend on the specifics, but if granted, he expected such authorities to be used not only to defend U.S. government networks but also to enhance intelligence collection against the foreign adversaries targeting them.

“No federal agency has ever said, ‘Please don’t give us an authority,’ and intelligence agencies are certainly no exception,” said Jake Williams, a former NSA hacker and chief technology officer at BreachQuest. “Intelligence agencies only operate within the authorities they’re granted and certainly any BODs given to NSA will be used to enhance the intelligence mission.”

Sen. Mark Warner, D-Va., praised the move in a statement and pointed to the requirement that agencies report hacks to the NSA, calling for Congress to pass legislation he authored imposing similar requirements on critical infrastructure. A bill to do so was stripped out of last year's NDAA, but sources in Congress have told SC Media that they are eyeing a number of possible legislative vehicles, including an upcoming government spending bill due in February and as a rider to the United States Innovation and Competition Act, to get it passed into law.

"Now it’s time for Congress to act by passing our bipartisan legislation that would require critical infrastructure owners and operators to report such cyber intrusions within 72 hours," Warner said.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
