Cybersecurity Drives Intelligence Agencies in From the ColdPost-Snowden Transparency, Incident Response Push by Western Allies Continue
Intelligence agencies and cybersecurity: What a long, strange trip it's been.
Flash back to 2000, when Richard C. Schaeffer, then the U.S. Defense Department's director of information assurance, showed up to Def Con to pitch the hacking community on government employment.
"The CIA is caucusing in the men's room."
"We've got some of the most sophisticated toys in the world if you'd like access to those toys," he told the Las Vegas audience.
Attending that Def Con as a reporter, I saw evidence of intelligence agency representatives interfacing with the information security community - not just when outed during the annual "spot the fed" challenge - as a colleague of mine captured at the time. We were waiting for a press conference to commence in the media room, which was being held on condition that we all removed the batteries from our cell phones. "We apologize for the delay," a Def Con press attaché told us, killing time. "The CIA is caucusing in the men's room."
Not so many months before Schaeffer's public appearance, the Echelon surveillance system first developed during the Cold War came to light, sparking furious public debate. Built as a Cold War tool by "Five Eyes" - the intelligence alliance formed in 1941 between Australia, Canada, New Zealand, the U.K. and the U.S. - Echelon had been updated to monitor modern communications. In 2015, Edward Snowden's leaks confirmed even more details about Echelon.
Intelligence Agencies Offer Help
In the wake of Snowden's leaks, there's been an unprecedented push by Western intelligence agencies to come in from the cold, at least where cybersecurity is concerned.
The intention appears largely aimed at helping organizations to better protect themselves.
At the 2018 RSA Conference in San Francisco, for example, David Hogue, the technical director of the National Security Agency's Cybersecurity Threat Operations Center - the security operations center in charge of defending unclassified DOD networks - delivered a session focused on the latest attacks CTOC had been seeing. Notably, Hogue said attackers weren't bothering to waste zero-day exploits; he hadn't seen one inbound in two years (see: NSA: The Silence of the Zero Days).
At the 2019 RSA Conference in March, Rob Joyce, cybersecurity adviser to the director of the NSA, delivered a presentation titled "Get Your Free NSA Reverse Engineering Tool." In an update on Schaeffer's message from 19 years ago, Joyce said part of the impetus for releasing the tool, called Ghidra, was to help educate more students and give the agency access to a bigger pool of potential recruits (see: NSA Pitches Free Reverse-Engineering Tool Called Ghidra).
Joyce appeared on stage again in April at CyberUK, an annual conference held by the U.K.'s National Cyber Security Center, which is the public-facing arm of intelligence agency GCHQ. NCSC was created to help British organizations conduct incident management in the wake of breaches as well as to improve the public's cybersecurity posture.
"We were set up to be technically expert," helping British organizations handle cyberattacks, cyber threats and incident management, Ciaran Martin, chief executive of the NCSC, told reporters at this year's CyberUK in Glasgow, Scotland.
Over the two-day conference, Martin fielded numerous questions on topics ranging from the health of the Five Eyes alliance in the wake of ongoing debate over Huawei, to British approaches to combating election interference and the "big four" nation-state attackers - China, Russia, Iran and North Korea.
British businesses don't appear to have hesitated to work with the NCSC, despite it being part of an intelligence agency. Paul Chichester, the NCSC's operations director, told me during a CyberUK press conference that the EU's General Data Protection Regulation bringing to light European data breaches for the first time has really driven uptake.
"I don't think it's dramatically changed the number or volume of breaches that we've been seeing," he told me. "What has massively changed is awareness. People are much more interested in preparing for breaches, and we have seen people preparing for what they want to do after a breach."
Canada Launches Cyber Security Center
It's not clear if such an approach would work in the U.S., given concerns over intelligence agencies monitoring private communications.
But some other countries are following suit, including Canada, which last year launched its own Center for Cyber Security.
"We saw the U.K. take. With the standup of the Canadian Center for Cyber Security, we're doing the same thing, speaking publicly, with a public face," Scott Jones, the center's director, told me in a one-on-one interview. "So for the first time, our senior officials are on our website, explaining what they do and what their roles are."
Jones told me that businesses are eager for help. "The response has been overwhelming - very supportive from industry and Canadian companies wanting to work with us. Both the smaller organizations that are wanting to work with us to solve certain cybersecurity challenges, up to the largest companies in Canada wanting to work with us to solve critical infrastructure challenges" - and more, he said.
Senior Officials Appear in Public
CyberUK was previously closed to the news media, except for last year's keynote, for which journalists were escorted in and then out. But this year, I was one of a group of journalists cleared to attend the full CyberUK, except for a handful of restricted sessions.
The conference offered numerous highlights. For the first time on British soil, representatives from each of the Five Eyes appeared together in public - on a panel at CyberUK - to discuss their efforts to better safeguard their respective nations (see: Intelligence Agencies Seek Fast Cyber Threat Dissemination).
GCHQ Director Jeremy Fleming, in a rare public appearance, delivered the conference's opening keynote speech. Fleming highlighted some of the many changes that have occurred since the U.K. created its first cybersecurity strategy in 2009, followed by launching a five-year National Cyber Security Strategy in 2015 - set to be renewed next year - that included launching the NCSC to be the public-facing, one-stop government shop for all things cyber.
"Since its formation, the NCSC has coordinated responses to some of the biggest cyber threats the country has faced. Our incident management team has worked on more than 1,500 significant cyber security incidents," he said. "And using automation, it has reduced the harm from thousands of attacks a month. And it has played a major role in dealing with the strategic threats we face from hostile states."
Forecast: More of Everything
Fleming predicted and promised more of everything. "We suffer attacks every day - and while we have not faced a Category 1 attack [the most damaging type of attack], we must continue to plan for when it happens," he said.
In addition, he said the 2020s will "bring an opportunity to fix our critical national infrastructure," in no small part by baking in "cybersecurity as new systems are brought in to replace aging legacy systems," and that "once again, security by design must be our aim."
Of course, there are limits to what intelligence agencies can - and should - do. "Contrary to popular belief, we're not omnipotent, we don't know every threat actor out there," NCSC's Chichester told reporters.
But with data breach notifications continuing to come fast and furious and organizations so often getting hacked and not knowing it, what NCSC and its ilk do know about is defense, detection, threat intelligence and response. And organizations today need their help with each of those more than ever.