Former NSA official explains how the agency ran offensive operations – Business Insider

Philip Quade has simple advice for cybersecurity teams across the world: Move fast to avoid breaking things.

Quade, former special assistant for cyber to the director of the National Security Agency, believes most security teams undervalue speed as part of their day-to-day operations and could benefit by adopting the NSA's "pedal to the metal" approach.

Now the chief information security officer at the security firm Fortinet, Quade is aiming to impart his strategy to private sector players. He discussed the guiding principles behind his approach as well as common cybersecurity pitfalls during an online panel hosted by AT&T cybersecurity director Theresa Lanowitz on Wednesday.

"NSA put the pedal to the metal, meaning it did things strategically," Quade told Lanowitz. "It was all fundamentally built around the philosophy of doing things very, very quickly."

Quade's three decades of experience at NSA give him a unique perspective: As the agency's top-ranking cybersecurity official during the Obama administration, Quade oversaw both defensive and offensive operations, gaining insight into both sides of cyberwarfare.

The NSA's adherence to moving quickly powered its intelligence-gathering operations during those years, Quade said. Most people became familiar with the details of those operations in 2013 when Edward Snowden, an NSA subcontractor, leaked documents showing that the agency was collecting millions of Americans' mobile phone call records in search of terrorists. A subsequent federal law discontinued the practice.

"Everything that NSA did was completely authorized by the President, the courts and the Congress ... and ultimately when some of those things became more widely known, it scared the public a little bit and in the courts and Congress and the White House kind of recalibrated to be consistent with public interests," Quade said Wednesday. "But one of the fundamental strategies of NSA was being able to do things at speed and scale."

Three problems have proven particularly hard to solve for most cybersecurity teams: authenticating people's identities online, training their organizations' staff on cybersecurity basics, and patching vulnerabilities. Prioritizing speed in all three areas can be a useful framework for improving defenses, Quade said.

"If we could have solved what has solved the authentication problem from the beginning, we wouldn't be in business today. And what I mean is that lack of trustworthy authentication is the root cause of nearly all cybersecurity problems," Quade said.


One way to build speedier authentication defenses is to protect against "known unknowns" by adopting tools that detect unusual behavior on the network, such as an employee attempting to log in at an unusual time or from an unfamiliar location, and automatically shut down the attempt.

Quade added that organizations should update software as often as possible to throw off attackers, noting that software patches posed an obstacle to the NSA's offensive operations when he worked there.

"As a person who was authorized by our overseers to do offensive operations against others, it was relatively easy to find vulnerabilities and develop exploits," he said. "But what made it really, really hard was when the systems were patched or when the systems changed."

Quade and Lanowitz both predict that security teams will increasingly adopt a "zero trust" model that assumes any device or account on their networks could be compromised at any time and builds in security checks accordingly. Fortinet announced a new suite of zero trust capabilities for its cybersecurity software on Thursday.

"Your network would be perfect if it wasn't for these carbon-based lifeforms that have to live on top of it," Lanowitz said.

Companies are more likely to need to prioritize zero trust in their security systems now in the wake of the COVID-19 pandemic, Lanowitz added. Employees are working from their home networks, which often lack the protections of corporate systems.
