NSA Cybersecurity Directorate’s Anne Neuberger on protecting the elections – CBS News

Posted: August 26, 2020 at 3:37 pm

In this episode of "Intelligence Matters," Anne Neuberger, Director of the National Security Agency's Cybersecurity Directorate, details her trajectory from the agency's Chief Risk Officer, to the lead on election security in 2018, to the head of the agency's newly revamped cybersecurity mission. She tells Morell what lessons were learned about deterring Russia during the 2018 midterm elections and how the Cybersecurity Directorate seeks to help the public and private sectors defend themselves against foreign cyber threats. She also explains why the NSA is looking to shed some of its secretive reputation, and adjust to a rapidly changing technological environment.

HIGHLIGHTS

Download, rate and subscribe here:iTunes,SpotifyandStitcher.

Intelligence Matters: Anne Neuberger

Producer: Olivia Gazis

MICHAEL MORELL: Anne, welcome to Intelligence Matters. It is great to have you on the show.

ANNE NEUBERGER: It's great to be here, thank you.

MICHAEL MORELL: So I think the place to start, Anne, is with your career. Before you joined the National Security Agency, you had a career in the private sector. Can you tell us about that and tell us what you did in the private sector and then what drew you into government service?

ANNE NEUBERGER: Sure, absolutely. So I was running technology at a at a financial services company, and during that time period when financial services companies really moved off mainframe environments to the Web and to client server technology. So that piece of both taking in operations and a mission, and its associated technology and people and culture, really shaped the way I approach a lot of those problems today.

And I was raised in in a family where my dad came as a refugee; all my grandparents came as refugees to the U.S., and they just constantly instilled in us how grateful we should be for the opportunity to be born in America and raised in America with its freedoms, with its ability to pursue one's dreams and and that we owed a debt for that.

And I was driving home from work in 2006. We had just done a large acquisition of a company, of a bank's custodian operations. And on the radio, they were talking about the bombing of a mosque, Samarra mosque in Samarra, Iraq, and just the soldiers dying, civilians dying and the troubles there. And I still don't know why, but I thought of my dad and thought to myself, 'Perhaps now's the time to repay a little bit of of that debt in some way.'

And, when I'd been a graduate student at Columbia, I had a I had a professor tell me about the White House Fellows program and encouraged me to apply. And I have to admit that, with a bit of the New Yorker, 'I can't leave New York, ever,' kind of put that aside. And for whatever reason, I just felt that calling at that moment, called him, and said, 'I'll apply.'

And, fast forward, I was assigned to the Pentagon with zero military background and, you know, learned a lot about the culture, felt very drawn to that shared commitment. And so I spent a year in the Pentagon and worked for the Navy and then came to the NSA a couple of years later.

MICHAEL MORELL: What did they have you doing at the Pentagon and the Navy?

ANNE NEUBERGER: I was the Deputy Chief Management Officer at the Navy. So, essentially the Navy had a number of broad enterprise-wide technology efforts, which they were working to again, bring that people-mission-technology triangle together.

And they asked me to help work on a couple working directly for the Secretary of the Navy figure out why a couple of them were struggling and then help them get on track. So I worked on that. And, you know, I often get asked by people, 'How did you end up at NSA?' It was a pretty funny story in that I had a seven- and six-year-old and I was commuting from Baltimore and the work-life balance was a bit tough.

And I met somebody and he asked me about how I was doing. And I commented that I really loved the work, but it was a little hard for me to do the juggle. And he said, 'I happen to know that the NSA is standing up the Director of NSA is standing up Cyber Command, and I know they need people with your kind of a background. So how about if I make a phone call there?'

And I went for an interview, my commute was 30 minutes. And it sounds so foolish, but that was pretty much what it took.

MICHAEL MORELL: Interesting. So the private sector and then the Department of Defense, which is, as you know, this huge enterprise, and then NSA and this is not an easy question, I know, but: the similarities and differences of those three different experiences?

ANNE NEUBERGER: It all begins with people. In every organization, missions have to adapt and change. They adapt and change in the private sector because perhaps you have a competitor, perhaps the customer space has adapted. Certainly financial services saw that, where the scale of data was just increasing, the scale of trades was increasing, and the traditional manual processes couldn't keep up. So we knew automation was needed to just reduce errors and help us keep on track with where trading was going. Technology could deliver on that, but the business of the organization had to change to fully take advantage of the technology. And the way people did that mission and use technology had to change along the way.

So I think in each of those organizations, it taught me that that triangle has to be kind of guided together to get to an outcome.

Mission, technology, and people. If you really want to be able to fully whether it's take advantage of a market or stay ahead of an adversary in our own mission here in the IC or DOD that triangle has to work together and you have to communicate those three planes together when talking about why the change is needed.

MICHAEL MORELL: So Anne, in your tenure at NSA, you've served as its first Chief Risk Officer, the Assistant Deputy Director of Operations, the head of the Russia Small Group, and now the head of the Cybersecurity Directorate. Can you take us through your trajectory there? How did your responsibilities differ from role to role?

ANNE NEUBERGER: Absolutely. So I came in to NSA on a small team, part of a small team that was standing up Cyber Command. The chief risk officer role was created after the media leaks period of 2013 where we learned that really appreciating risk meant looking at that in a holistic way, across partnership risk, operational risk, technology risk. And we learned that we needed to adapt the way we looked at risk and then change according to that.

So I think in each of those roles, either the adversary was changing around us, the threat was changing around us, or, internally, we wanted to take advantage fully of an opportunity. And I was responsible for taking the big-picture strategic goals and translating those to measurable outcomes and objectives, and communicate the why and then bringing a team of people along to get there.

And each of those efforts was a bit different, but in each of those we talked about the risk of doing and the risk of not-doing, weighing that appropriately. We talked about ensuring that, as we approached new missions, policy and technology move together. And certainly when we looked at the elections work in 2018, the Russia Small Group work, we saw where adversaries have used influence operations since the time of Adam and Eve, but perhaps what had changed was, again, the ability to use social media to both focus and direct it to have larger impact.

MICHAEL MORELL: So focusing on the Russia Small Group for just a second, Anne. What was that? What was the mission and what were your responsibilities with regard to the 2018 elections to the extent that you can talk about that?

ANNE NEUBERGER: Absolutely. So the mission was ensuring the integrity of the 2018 midterm elections: ensuring that we, first, understood the threat. Second, that we appropriately tipped all the information we had about that threat to key partners across the U.S. government, certainly the FBI, from a counter-influence perspective, DHS from a cybersecurity of elections infrastructure perspective, and then, finally, that we would support Cyber Command, if authorized, to impose costs, if there were attempts to disrupt the election.

MICHAEL MORELL: So after the 2018 elections, President Trump publicly confirmed that Cyber Command played a role in deterring the Russians in 2018. Are there important lessons from what happened in 2018 about how we as a country can defend ourselves against this insidious threat?

ANNE NEUBERGER: Yes. So, you know, across the government, we look at two key poles of election integrity. One is, attempts to malignly influence the population, whether that is to highlight social discord, to highlight issues that divide the population or to, you know, share information as part of shaping individuals' ideas.

And then the second is potentially interfering, hacking into elections infrastructure as part of efforts to change the vote.

And I think the first piece is the value of resiliency: the sense that, once trust is lost, it's very hard to regain. So the knowledge for the American public that there are hundreds of people across the U.S. government committed to and working to ensure the integrity of those elections, of our elections.

When it comes to counter-influence, though, the biggest resilience is each of us as Americans. When we're reading something, asking, 'Who might be trying to influence me, what is the source of that information? Am I fully confident in that source of that information?'

And then, finally, the role of technology and the role of public private partnership as part of elections integrity. So for us in the intelligence community, we're constantly watching for which adversaries may be seeking to shape a population's thinking, to shape an election and then rapidly to bring that to partners or to the private sector to ensure that they're both aware of techniques and are countering them on their platforms.

MICHAEL MORELL: So we've since learned, in fact, last week in updates from the DNI that the Russians continue to engage in election interference; the Chinese, the Iranians. And the punchline of all that for me is, it's really hard to deter foreign interference, right. And I'm wondering if it's something special about foreign interference or if it's more about cyber at the end of the day? And the difficulty of seeing cyber, attributing it if you see it. How do you think about that question?

ANNE NEUBERGER: Absolutely. I think it is more about cyber than about elections. From a cyber perspective, when we look at fully both protecting cyber infrastructure, and then to your second point about attribution, there's complexity in laying what we call 'the red' on top of that.

We may see threats that are talked about at a strategic perspective, and then we and partners across the US government are looking to see, 'Where does that present itself? Where are the given vulnerabilities in a given infrastructure?'

The power is when you can lay the two together and say, 'Here is a nation state that has intent to interfere' in whatever that is, in election critical infrastructure, IP theft and then translate that to the tactical level to say, that network scanning or that vulnerability in hardware or software that we see out there may well be used to achieve the objective putting that in place and then, most importantly, preventing it. Because at the end of the day, writing a report about a victim and notifying the victim is far less satisfying than being able to put that together and prevent the adversary achieving their objective.

MICHAEL MORELL: So we've already started to shift now into your new role, right, which was relaunched in October, I believe. It would be great if you could, Anne, if you could explain for our listeners first, what NSA's two main missions are SIGINT and then cybersecurity and the difference between them just to give some folks here a level set.

ANNE NEUBERGER: Absolutely. So, NSA is a foreign intelligence agency. We're responsible for understanding a broad range of threats presented by foreign governments to the United States.

One of those threats include our cyber threats: how nations may be using cyber to achieve their national objectives. As I said, that might be intellectual property theft, for example, to counter the Department of Defense's lethality by accelerating a foreign government's ability to actually productize particular R&D for a weapon; that may be targeting critical infrastructure of a country as part of threatening tat country or as part of putting pressure on a given country. So that is the threat information.

On the second side. NSA has a cybersecurity mission where it's less well known. We build the keys, codes and cryptography that's used to protect all of US government's most sensitive communications: thinking nuclear command and control weapon systems, the president's communications with allies. And we provide technical advice to mitigate those same threats that I talked about.

So the key integration of the two missions is where we think the magic is, where we can say 'Here's what we think adversaries are seeking to do, and here's how, from a cybersecurity perspective, we recommend you protect against that.'

MICHAEL MORELL: So what motivated, Anne, the relaunch of the directorate and has its mission changed at all?

ANNE NEUBERGER: Really good question. So we recognized that we were at a crossroad with national security as both technology and society shifts were happening. We saw all new kinds of technology that people wanted to use, from small satellites to Internet of Things. And each of those presents huge advancements, but they also present cyber security risk.

Along with that, we saw various nation-states to use new technologies think North Korea and cryptocurrency to get around sanctions to achieve their own objectives. And we said, 'We really need to up our game' to more quickly be understanding those threats and ensuring that we could both provide advice to build new technologies as securely as possible, but also to counter adversaries' use of those same technologies to achieve their national security goals.

MICHAEL MORELL: So, Anne, what are the primary areas of focus for your directorate? What kind of people work there? What's their skill set? And what kind of customers do you serve?

ANNE NEUBERGER: Yep, great question. So the first part is operationalizing intelligence: how do we ensure that, from the intelligence that we see, we tip anything that's unique, actionable and timely quickly so that we can prevent the victim? So that's the first piece of work.

Our areas of focus are both understanding that, giving guidance. Encryption. We believe encryption is a key protection, particularly in a telecommunications environment that, in many cases is untrusted. So both in building the government's special encryption, modernizing that, as well as providing advice and insights on how to best use encryption.

The types of people who work here are, like we see in many organizations, a broad gamut. We have intelligence analysts, we have country-specific experts, we have a broad swath of technical experts, encryption network technologies, hardware and software vulnerability analysts as well.

But the power is where that can be integrated, where you can say, 'How do you build on a road of trust all the way through to an end point?' How do you properly defend a network and take a step back and do a risk analysis to say, 'Where are the gaps in your resilience and where should your next dollar of investment be to close those gaps?'

MICHAEL MORELL: And then what about customers? Is it just the Department of Defense? Is that the U.S. government? Is it even broader than that? How do you think about who it is you're working for?

ANNE NEUBERGER: Yeah, great question. So there's a specific set of work we do for what we call national security systems, systems carrying classified information, national security information. The director of NSA is also the national manager for national security systems. So that's the authority under which, as I mentioned, we build the keys, codes and cryptography and we're responsible for distributing threat information as well. So those are across the U.S. government with a particular focus on DOD. weapons systems and related systems.

A second set of key partners and customers are certainly DHS, FBI. DHS in its role supporting critical infrastructure and the sector-specific agencies. And like I said, the real magic of understanding the critical infrastructure, where its key gaps and vulnerabilities are and being able to marry that up with what a foreign government may be intending to do and providing focused insight.

Across the U.S. government, there is broad use of commercial technologies, particularly DOD and national security systems. So you may have seen, when we're issuing advisories, we're also issuing advice on how to secure and configure those commercial technologies well, because we see that those are used all across sensitive systems as well.

MICHAEL MORELL: So Anne, your directorate has issued, I think, a dozen or so advisories about cybersecurity threats. Can you talk about why you guys do that, what the criteria is for putting one of those out? And then, how do you think about the impact they have? Do you keep metrics on that? How do you think about advisories?

ANNE NEUBERGER: Absolutely. So our advisories we really do them for three reasons. One is, if we see a nation-state actor using a particular vulnerability against a system we care about, we find that it really drives urgency of action. People run faster when they're pursued. And if we can say, 'This nation state actor is using this vulnerability, here's the mitigation advice to protect yourself against that,' we see impact, and I'll talk about that, how we measure that impact at the end.

The second thing is, you know, there's a deep expertise here because we build and we break encryption. So encryption-related technologies like VPNs like, you may recall, the Windows 10 cryptographic vulnerability in January, those are areas we focus on because we know those are sometimes hard to understand, technically hard to implement. So if we can give very practical advice, then we'll issue those as well to help that be put in place.

And then the third would be where there is a timely need, and we're getting a lot of questions and we feel that putting out a product helps guide people in thinking about how to think about security. I'll give an example: As COVID pressed a lot of organizations across the U.S. government, particularly DOD as well, to move to telework, we started getting a lot of questions about secure collaboration and which commercial tools were safe to use. And our goal was teaching people how to evaluate what's safe to use. So we issued a product which laid out the different attributes. Like: Code is available for review, its end to end encrypted, and a few other such attributes. And then we rated different secure collaboration, publicly available tools, against them. And the cool part was, we had companies call and say, 'Well, you know, you didn't get something quite right,' or 'Can we be included as well?' And we said, 'Absolutely.' And we issued a second version. And then we have another one coming out next week, because our goal was making it as useful as possible and also helping teach people how to assess different products for security.

You asked the question about, how we measure impact? So there's three different measures we've been using.

The first is, do we see patch rates go up? Do we see, for vulnerabilities that we've talked about, here is a foreign actor that might be using a vulnerability to achieve an objective? Can we watch those patriots go up? And, you know, it was really cool to see, in a number of cases we've watched that increase.

The second piece is there is a very capable and active cybersecurity industry. Has the information shared enabled them to better protect sensitive U.S. government, national security systems, networks? And in the case of the Exim vulnerability that we issued, the advisory where we talked about the particular unit of Russian intelligence using the Exim mail vulnerability, it was really great to see five different cybersecurity entities using that to identify other Russian intelligence infrastructure and then take that down. So that was success for us, that we made it harder for that adversary to achieve its objectives.

And then the third one is really the feedback on the number of downloads and the feedback from network administrators saying, 'This was useful, this was unique, timely and actionable. I could act on it.'

MICHAEL MORELL: And then in in May, you guys took what I thought was an unprecedented step of actually openly attributing the exploitation of a vulnerability to the Russian GRU. And that seemed rare to me. And I'm wondering why you decided to actually name Russia in this instance.

ANNE NEUBERGER: So first, it is rare, because as you noted earlier, implicitly, attribution is hard. You may have seen a prior product where we highlighted one nation state using another country's infrastructure to achieve its objective and that highlighted just how hard attribution is. So when it's done it needs to be done with precision to be confident in that.

And we chose to do it because we see that it makes targeted network owners more quickly patched and secure and build the resilience of their systems. Network administrators have way more vulnerabilities to address than they have time for, or frankly, money for and way more alerts than they can act on. So if we can say, 'This particular vulnerability is being used by a nation-state intelligence service, we see network administrators moving quickly and addressing it. And that's our fundamental goal: our fundamental goal is improving cybersecurity.

MICHAEL MORELL: So Anne, if you kind of step back and look at the big picture here, you know, maybe from a 35,000 foot level: How are we doing against the cyber threat? Are we barely keeping up? Or are we catching up? Are we getting ahead of the game or is it always going to be hard for the defender in this game because the guy on the offense can always come up with something new? How do you think about where we are in the history of the threat of cyber and the defense against it?

ANNE NEUBERGER: I think three points. Overall, technology is getting more secure. Technology is built more securely today. So the fundamental resilience is improving. When you have open source products, you have lots of eyes looking at a given technology and helping find vulnerabilities and address them.

That being said, we're an ever more connected economy and an ever more connected society. And as we build more connections, sometimes the systems that were not necessarily built for those kinds of connections, I think SCADA systems in that way, we bring in introduce new risks.

On the third pole, though, and on the positive side, there's far more awareness about those risks and how to approach addressing them, identifying what are the most important assets to protect and ensuring good practices are in place. And it's far easier than ever to put that in place.

So I think it's a mixed story. On the one hand, more and more technologies built more securely, and there are communities of individuals working together to ensure they're secure. On the other hand, far more technology, some of which is connected in ways that bring risk in ways that we always have to and, I guess the third part, which is where we started adversaries seeking to take advantage of those risks to achieve their objectives.

MICHAEL MORELL: So Anne, if you were standing in front of a large multinational board of directors and you were talking to them about cybersecurity, what's the one or two things that you would absolutely want them to take away from from your conversation?

ANNE NEUBERGER: What is the tangible thing you most want to protect and what's the intangible thing you most want to protect? So if you're a drug company, what is the intellectual property that's going to be your next potentially big drug, big driver of economic growth, big driver of healing?

And then second, what's the biggest intangible thing? Perhaps that's your reputation, the way you treat your employees, the prices that you charge and how much you mark that up. Make sure that you're protecting both carefully because, you make your your cybersecurity commensurate with the risk presented to you if you lose either one.

MICHAEL MORELL: Anne you mentioned SCADA systems, and I'm not sure that all my listeners know what those are. Could you just explain that? And then is there something is there something special about protecting a SCADA system from protecting a normal network?

ANNE NEUBERGER: Absolutely. So SCADA systems are essentially control systems for the core areas of infrastructure in a given country, ina given company. So think power systems, clean water, drug manufacturing and those are those are often complex systems. So what's unique about them is, those systems over the years were often built for reliability in the event of a bad storm, that a power system would come back online with confidence.

As more technologies got connected so, for example, the ability to measure the use of power, the ability to measure confidence in water and chemical levels some of those systems got connected to network systems that provide a way to access them. So there is risk in that.

One of the reasons that one of the joint products we recently issued between NSA and DHS was an ICS product because there had been some public articles about a given attack against SCADA systems in the Middle East. And we wanted to ensure that we, together with DHS, one of our closest partners, was providing technical advice to SCADA entities in the U.S. based on what we were learning about those attacks.

MICHAEL MORELL: So Anne, just a couple of more questions; you've been terrific with your time. There seems to be an effort on the part of NSA to kind of open up the black box and kind of shed the reputation of "No Such Agency," right. Your conversation with me, I think, is an example of that. Why is that a priority for the agency and for General Nakasone?

ANNE NEUBERGER: First, in the cybersecurity mission, fundamentally, if we're not trusted, we can't achieve our impact. People take advice from those they trust -- across the US government, Team USA works cyber. Each organization plays its position within that role. You know, my counterpart at DHS, Chris Krebs, often talks about them being the national risk managers. At NSA, we believe what we can bring uniquely is that integration of intelligence, what adversaries are seeking to do, what their capabilities are, what their infrastructure looks like, and how to defend against it, cybersecurity advice to counter that. And that's always continuing because technologies change, adversaries' goals change, and the resilience always has to be increased to meet that.

So if we want to be trusted to achieve what we believe we can uniquely contribute to Team USA on cyber, the first step to doing that is conveying who we are, conveying the culture that's here, the commitment to American values. And certainly, when a part of our mission is an intelligence mission in a in a democracy, we have an obligation to ensure that the Americans we serve feel they understand the values by which we live.

MICHAEL MORELL: So your former colleague and my really good friend, Glenn Gerstell, wrote an op-ed about a year ago about what he saw as the profound implications of the digital revolution on national security. And he raised a lot of concerns. And among those was the sheer pace and scale and volume of technological change, and data that's going to force intelligence agencies, including NSA, to fundamentally change how they do business.

How is NSA thinking big picture about those kinds of challenges? What are you trying to tackle first? What do the adjustments look like? How do you think about the challenge that Glenn laid out?

ANNE NEUBERGER: Absolutely. So first, from the perspective of large amounts of data and ensuring we can make sense of them, ensuring that we can do big data analysis to help triage the information we identify and determine what our people, our biggest assets, put their time on to determine key threats and how to act on that.

So, for example, we're looking at machine learning to classify malware to help us understand what's routine malware versus what's something new. And we're certainly looking at machine learning, potentially, to help us identify vulnerabilities at scale, particularly when we look at systems that represent 30 years of technology like weapon systems: How do you secure a weapons system that's been out there and represents each phase of technology and have confidence in its resilience and its command and control?

And then finally, we have an obligation to both bring those technologies to be on our mission and understand how adversaries might use that and manage that accordingly. So, for example, as we think about artificial intelligence and the potential to automatically direct a weapon. In the United States, we have strong values around how we would think about automation versus human control. In other countries around the world, there might be different ways that those kinds of decisions are approached.

So how do we ensure that we both bring that integration of values, compliance and technology to the way we pursue it, but also be aware of those gaps and keep an eye on the risks of those gaps?

MICHAEL MORELL: Anne, you mentioned people a couple of times. And just two questions about that. One is, given the competition that you face, right, with all of these cybersecurity firms and, you know, your folks must be very attractive to them and their skills are quite valuable in the private sector. How difficult is it for you to recruit and retain talent?

ANNE NEUBERGER: Really thoughtful question, because you asked two questions in there: recruit and retain. So from the recruit side, we get really great people. On the retain side, we have a really compelling mission. And what brings what keeps people here is the sense that they are contributing to something bigger than themselves that is challenging and fulfilling.

It's on us as organizational leaders to ensure that each person has that opportunity to contribute what they can uniquely bring to that mission. And one of the cool aspects of the cyber security stand-up has been people who have left to call in and say, 'Hey, I'd like to come back. I learned a lot in the private sector, the mission's calling me and I'd like to contribute again.' And, you know, we've hired a number of them back and continue to increase that.

And part of the message we have when people, if people do decide to leave, is to say, 'That is great. You will continue to contribute to the nation's security. You'll learn a lot in the private sector. And if you ever want to come back, the door is open.'

MICHAEL MORELL: Yeah. And then in a related question and last question, Anne, what do you want the American people to know about the women and men who work for you?

ANNE NEUBERGER: That they're committed to the values that this country was established for. That there are significant threats to the United States, our allies and to those values. And that not always can we talk about those threats because, by impact, sometimes the intelligence community, even the cyber security mission, has to operate in the shadows. So, trust our values. Trust that we are proud Americans. We swear an oath to the Constitution of the United States.

And if you do question it, or if you want to learn more, roll up your sleeves and come into the IC for a few years and get to know it yourself. Because each person has unique abilities and a unique ability to contribute to their country in whatever way they choose, whether that's in government or in the private sector. But if you ever doubt it, come on in and work here and raise your voice and be a part of it.

MICHAEL MORELL: It sort of takes you back to what your parents taught you, too.

ANNE NEUBERGER: It really does. My dad grew up in communist Hungary, and in the beginning when I came into government, he would call me on the phone sometimes and switch to a foreign language. And I realized that for him, growing up in another country, there never is that complete trust of government that I, American-born, had. That doesn't mean it's trust and not-verify. It's trust and verify. But there are things that I take for granted growing up in this society that I don't know if he ever will. So being able to look at things through his eyes and through mine make me realize how fortunate we are to be here, and how much we have an obligation to ensure it stays that way.

MICHAEL MORELL: Anne, thank you so much for joining us. And thank you for your service.

ANNE NEUBERGER: Thank you so much for your time.

Go here to read the rest:
NSA Cybersecurity Directorate's Anne Neuberger on protecting the elections - CBS News

Related Posts