Good Defense is Good Offense: NSA Myths and the Merger

Over at Just Security, Ross Schulman opines that “When NSA Merges Its Offense and Defense, Encryption Loses.” Schulman argues that under NSA’s newly announced reorganization, the Information Assurance Directorate (IAD) “will be subsumed by the intelligence-gathering program” and “effectively cease to exist.”

Schulman is wrong, largely because his critique rehashes the same tired tropes—inaccurate and unexamined—about perceived tensions within NSA’s mission and the role and standing of IAD within the Agency.

Schulman is hardly alone in his assumptions. And while NSA’s ambitious restructuring certain warrants scrutiny, the plan also presents the opportunity to challenge pervasive myths about the work of “offensive and defensive” intelligence.

Let me begin by underscoring a disclosure—Until November 2015, I served as an attorney at NSA, including specifically a period advising IAD. Pursuant to my clearance obligations, this piece underwent prepublication review. The Agency neither requested nor received editorial changes. Likewise, my views should not be attributed to NSA.

The claim that IAD is set to be “subsumed by the intelligence-gathering program” is factually false. The reality is that under the new reorganization, both the Signals Intelligence Directorate (SID) and IAD cease to exist; they are both to be equally “subsumed” into a new Operations Directorate. In claiming this structure “effectively” eliminates IAD, Schulman adheres to an oft-repeated maxim that IAD has no stature within NSA. As Edward Snowden puts it, “When defense is an afterthought, it's not a National Security Agency. It's a National Spying Agency.”

But it is simply not the lived experience of most NSA employees—though certainly alternative viewpoints exist—that the culture or leadership of the Agency prioritizes offense over defense. Critiques like Schulman’s may have carried (slightly) more weight in the past, but the operational landscape and culture have long since evolved. IAD is an integral and respected element of NSA. Any agency head would be foolish to ignore the critical work of information assurance; Admiral Rogers does not neglect a full half of his job—and the President and Congress wouldn’t let him if he tried.

Still, the widespread notion that IAD constitutes a secondary organization within NSA persists. The belief stems, in part, from the comparably small staff in IAD, as well as an assumption that the defensive mission is somehow less cool—apparently, SID is where all the talent, money, and attention goes at Fort Meade.

But what is accepted as near-gospel among observers still comes as a surprise to NSA’s actual employees.

The Washington Post, illustrating the focus on staffing levels, writes that:

[s]ome advocates for the comparatively small Information Assurance Directorate, which has about 3,000 people, fear that its ability to work with industry on cybersecurity issues will be undermined if it is viewed as part of the much larger ‘sigint’ collection arm, which has about eight times as many personnel.

But this fails to appreciate that the number of employees in the directorate does not reflect the comparative importance of its mission, but rather the scope of the respective missions and the number of bodies required to accomplish them. Currently, there are serious strains on IAD resources as the Information Assurance mission grows ever more complex. Information Assurance needs more people and more money; if Congress is serious about supporting cybersecurity, it will commit both. But SID’s job is not getting easier either, and the relative staffs reflect the type, not priority, of work.

From an authorities standpoint, lots of entities can conduct information assurance, while very few are permitted to conduct Signals Intelligence. Executive Order 12333 exclusively commits signals intelligence to a limited set of Department of Defense entities, most notably the NSA. As a result, IA support is distributed throughout executive agencies—both independently and in coordination with NSA IAD—in a way SIGINT work simply cannot be distributed. Furthermore, IAD is able to employ individuals with multiple areas of computer security expertise, while SID requires specialized linguists and intelligence analysts who necessitate more billets. Bottom line: in context, the numbers are far less meaningful than they appear.

As to agency culture and leadership attention, consider the work of IAD. For example, Schulman calls for the creation of a “much-needed red team” that can “serve as a group of internal attackers whose role is to test for holes in federal computers and networks and report what they find.” But this pressing need may come as a surprise to the men and women of NSA’s Red Team, a group that has existed long enough to be interviewed nearly a decade ago. Ask the Red Team—whose job it to hack and outsmart the NSA’s most sophisticated defenses—whether they are struggling for talented recruits or status within the culture. They’re not. And believe it or not, high-level officials, both at NSA and across DOD and the executive branch, tend to take notice of the discovery of significant vulnerabilities in their systems.

Of course, misperceptions regarding IAD did not arise from nowhere. Schulman cites to the findings of the 2013 Presidential Review Board, which recommended that IAD be moved out of NSA to become part of DHS. He alleges that, through the reorganization plan, NSA “just roundly rejected that advice.” But actually military and intelligence experts—and indeed the Administration itself—soundly rejected the recommendation almost as soon as it was released.

And recent history has validated the wisdom of this decision. Following the OPM breach, there has been a rush to reexamine whether more systems should be classified as national security systems—bringing them under the protection of NSA and out of DHS’s jurisdiction. Independent review boards serve important functions. Their role, however, is to make recommendations—and there are often political realities underlying their conclusions. Their reports do not constitute some objective reality.

Review boards occasionally get it wrong. And here Review Group’s warnings were a bit glib. The group warned against “asymmetry within a bureaucracy between offense and defense—a successful offensive effort provides new intelligence that is visible to senior management, while the steady day-to-day efforts on defense offer fewer opportunities for dramatic success.” Yes, closing a hole before it is attacked is a less dramatic narrative than discovering a new source of intelligence. But seasoned intelligence leadership—all too familiar with the consequences of insufficient defense—recognize that getting “left of boom,” in the parlance, requires both.

It is also worthwhile to challenge assumptions that vesting responsibility for both missions in the same place harms, rather than helps, defense. In fact, the opposite may be true. Dividing functions among agencies necessarily heightens the adversarial equities by creating a system without internal balance. Where each agency represents only its own success, to the victor go the spoils, which incentivizes more extreme positions and outcomes. The National Security Agency is responsible for overall security, which includes both robustly defending networks and developing intelligence capabilities. One mechanism to ensure the correct balance is reached is to hold the same person accountable for both. Furthermore, to the extent one accepts that SID is a more powerful and influential voice within NSA, the new structure serves to strengthen—rather than subsume—IAD influence. Under the old system, at least in theory, the Director of NSA had two competing voices in his ear; the new structure creates the conditions by which the entire organization is accountable for getting the balance right.

And critics often overlook that the balancing of incentives will tend to strongly favor defense over offence, not the other way around. The value of a new intelligence capability is entirely prospective and speculative; one can only guess what it might yield. Defense risk equations, on the other hand, account for a threat multiplied by one’s vulnerability to that threat multiplied, in turn, by the consequences of that threat’s exploitation. And here the vulnerability is concrete and manifest the moment it is discovered. So the question becomes: how likely is someone to use it and how bad will the result be when someone does?

Because NSA is responsible for securing national security systems, the potential consequences of a breach tend to weigh heavily on officials. And where enormous parts of these networks—not to mention the rest of the government and private sector—use commercial-off-the-shelf products (known in the biz as COTS), both vulnerability and the consequences in those products are multiplied exponentially. Consequently, anyone advocating against disclosing a vulnerability must be extremely confident about the value that intelligence vector will yield.

Understanding, within the risk equation, the nature of the “threat” (the probability of successful exploitation) implicates two additional core misconceptions about the work of signals intelligence development. The first is that vulnerabilities used for SIGINT are just sitting out there to be stumbled upon. A former colleague describes this as the perception that such vulnerabilities are like “potholes in the road,” that NSA just happens to notice as they pass and then decides whether to exploit or disclose. In fact, valuable SIGINT development is the product of months, if not years, of work by some of the most elite computer scientists in the country. Discovering productive SIGINT vectors requires an enormous investment of resources and technical capabilities that few institutions in the world possess. While balancing analysis is nonetheless required, this is relevant to determining when and under what circumstances a given potential exploit constitutes a threat.

Second, there is a mistaken belief that it is not possible to both disclose and exploit a discovered vulnerability. Rob Joyce, head of NSA’s Tailored Access Operations, recently noted that, contrary to popular belief, it is generally more productive for NSA to exploit known vulnerabilities than zero-days. Wired reports:

‘[With] any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days,’ he says. ‘There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.’ This includes, of course, known vulnerabilities for which a patch is available but the owner hasn’t installed it.

Put simply, it’s possible to go about getting your own house in order while taking advantage of the fact that others either cannot or don’t bother to do the same.

Indeed, the very notion that SID and IAD were previously two wholly separate organizations misses some foundational realities. After describing the SID mission, Schulman writes: “On the other side of the Ft. Meade complex is IAD. . . .”

In reality, there is no “other side of the complex” and never has been. Offices are distributed throughout many buildings at Fort Meade; down the same hallways are offices supporting SID or IAD teams, and plenty working on both. This seems like a minor point, but it actually is not. “Two sides of the house” is a geographical metaphor for NSA’s multiple roles, authorities, and missions; it is conflated by commentators who seem to believe that there are two literally separate organizations—with the new structure demolishing an existing wall.

But, in many respects, NSA functions more like two halves of the same brain. SID might gain information of critical importance to the defensive mission—say by intercepting the plans of a malicious actor against U.S. networks in advance. And IAD might discover evidence of techniques, tactics, or procedures of foreign actors attempting to harm U.S. systems that validates SIGINT information or supports the development of effective SID targeting.

This loop is perhaps nowhere as important as in cyber incident response—where the ability to predict and rapidly attribute incidents is bedrock to effective defensive response. The importance of this fusion is clearest in NSA’s Threat Operations Center (NTOC), where experts from both “sides of the house” work seamlessly.

This cohesion, however, should not be confused with the idea that there is a big pile of vulnerabilities, which the Director then allots to either IAD or SID. Prudential, legal, and even constitutional mechanisms often keep the considerations separate. NSA operates pursuant to specific authorities and assigned missions. When individuals in NSA work under “dual-authorities,” they import both sets of constraints and legal obligations and are required to keep tasks distinct. And Congress takes a substantial role in shaping Agency priorities; it funds specific programs through its constitutional appropriations power. If Congress exercises its power to fund an IA program that discovers vulnerabilities, only to hand them to SID, that effectively “re-appropriates” funding to a different activity. Likewise, if all SIGINT development resulted in a series of IA disclosures, this too would frustrate the will of Congress in a constitutionally-committed role.

Of course, there are times when precisely such reassignment is required. Schulman alleges that the reorganization could “interfere with the needed disclosure of software vulnerabilities.” But those determinations are accomplished through the Vulnerabilities Equities Process. White House cyber chief, Michael Daniel, has explained that this involves an interagency process—not internal to NSA—and that it considers the following factors:

• How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
• Does the vulnerability, if left unpatched, impose significant risk?
• How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
• How likely is it that we would know if someone else was exploiting it?
• How badly do we need the intelligence we think we can get from exploiting the vulnerability?
• Are there other ways we can get it?
• Could we utilize the vulnerability for a short period of time before we disclose it?
• How likely is it that someone else will discover the vulnerability?
• Can the vulnerability be patched or otherwise mitigated?

The process is designed to capture the enormous complexities at play, and reach appropriate policy decisions. It is not a matter of a simple “conflict of interest”—those questions cannot be answered without both IA and SIGINT perspectives.

Schulman ultimately concludes with a non sequitur: his whole argument urges that in order to mitigate the new structure “subsuming defense into offense,” Congress should lift the obligation that NIST consult with NSA—among other agencies—in developing information systems standards and guidelines. The basic allegation is that now that NSA is all offense and no defense, NIST should no longer be required to consult with an agency that is only working to subvert cryptographic security. This misses a rather big policy shift at the agency. In February 2015, former NSA Director of Research Michael Wertheimer wrote about policy decisions to inject unprecedented transparency to the NIST-NSA relationship. NSA comments to NIST on standards will now be made in writing and made available for public review. This mechanism goes beyond “trust but verify”—the public is able to review and draw independent conclusions about what the agency is suggesting to the standard setters. Moreover, under 15 U.S.C. 278g—3, NIST is only required to consult and is not obligated to accept the recommendation of any agency and the obligation is to “improve information security.” Understanding the current law, makes it difficult to see any need for—or merit in—Schulman’s proposed legislative change.

Only time will tell if NSA’s reorganization actually makes it leaner, faster, and more responsive; perhaps it’s merely the bureaucratic shuffling of deck chairs. There is certainly a healthy and robust debate over the appropriate scope of intelligence community authorities. But it is through such laws that federal agencies are appropriately limited, not by demands they adhere to inefficient structures. Integration of operational elements has clear and demonstrated benefits, and many of the objections to the reorganization are based on pervasive but inaccurate beliefs about what the agency does and how it does it.