One of the National Security Agency’s (NSA) top technology officials said the normally secretive agency finds itself in a non-stop cyber battle against a constellation of increasingly aggressive and sophisticated nation-state attackers.
Dave Hogue, the Technical Director of the NSA’s Cyber Security Threat Operations Center (NCTOC) sounded themes that network defenders in the private sector should find familiar.
“Cyber security is not an 8-to-5 job,” said Hogue, who spoke Tuesday at the RSA Conference in San Francisco, adding that the agency now employs “fully-fledged threat experts around the clock, 24 hours a day, seven days week.”
“We’re working every day to keep up with what our adversaries are doing,” he said.
On the surface, that job doesn’t sound that much different from what any organization’s Security Operations Center does – with one obvious difference: The massive size of the NSA’s secretive operations. Estimates vary but the NSA, which collects foreign intelligence from communications and information systems, is believed to employ between 30,000 and 40,000 people with an annual budget in excess of $10 billion.
Among its other responsibilities, Hogue said that NCTOC is responsible for defending a Department of Defense network that serves over 2.9 million users around the world. That puts a big bullseye on its back with a multitude of foreign adversaries seeking to find - and exploit -network vulnerabilities to disrupt its networks and steal data.
“This is the network that we use to send troops into battle,” Hogue said. “It has to be a mission-critical, no-fail network and we see quite a variety of threat actors trying to get in.”
Nation-State Attacks: The New Normal
So far, Hogue said, 2018 has been punctuated by months of “escalating attacks.” It also turns out that hackers are attacking NSA in much the same way that they have gone about trying to compromise other data-rich targets. Some 90% of the intrusion attempts at the NSA start with email – with some 85% being rejected by the network’s defenses. Another preferred mode of attack is for malicious actors to use known vulnerabilities and scan for unpatched networks.
“There’s been a fundamental shift in nation-state activity,” he said, adding that “geopolitical events have drastically altered the landscape.”
“The level of damage continues to increase, the level of sophistication needed to inflict damage continues to decrease and disruptive events are the new norm,” according to Hogue.
Indeed, he noted a report on Monday put out by the U.S. and British governments warning that Russia was behind a global campaign to compromise computer routers and firewalls to carry out espionage and possibly sabotage. That effort was said to include “primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors.”
Russia’s cyber campaigns are bold and persistent, Hogue said. He also acknowledged their sophistication, confirming for the first time an earlier US allegation that Russia's military used a "false flag" operation when it hacked the 2018 Winter Olympic Games in South Korea and then tried to make it appear as if North Korea was responsible for the attack.
Hogue also pointed to the cyber warfare capability assembled by China. Since signing a 2016 cyber security agreement, China has scaled back its cyber espionage activities. Hogue said that despite the agreement, however, China continues to launch periodic cyber attacks against US interests but they are now “more surgical and targeted areas of intrusion.”
The NSA official also signaled out both Iran and North Korea as increasingly formidable cyber powers.
“Iran doesn’t dominate headlines like Russia and China but at any moment, they can use their destructive capabilities to inflict damage,” he said.
When it comes to North Korea, “don’t let outward appearances fool you. They have a cyber army in the thousands…and they are insistent about getting into [targeted] networks.”
Blocking and Tackling
Ultimately, Hogue said, the NSA’s success in stymying attacks rests on its ability to promote what he described as “a return to cyber defense basics.”
Indeed, he noted that 93% of the incidents suffered in 2017 were preventable had NSA employees followed best practices – an ostensibly easy solution that he acknowledged was a source of frustration for any network defender.
Hogue cited a survey that found 1 in 3 employees maintaining they were more likely to get hit with lightening than suffer a loss of data due to a cyber attack.
“We need a change in behavior,” he said, telling the audience members that their organizations might be targeted by nation-state adversaries tomorrow. “Technology alone won’t solve our problems…. your users hold the keys to the kingdom.”
The challenge, as any CISOs attending the presentation would agree, is finding a way to make that message stick with the rank-and-file.
Join Symantec at RSA Conference 2018 Booth #3901 North Expo Hall. Click Here for the schedule and follow @Symantec on Twitter for highlights.
You can also livestream or watch on demand the keynote at: https://www.rsaconference.com/events/us18/presentations/keynote-symantec
We encourage you to share your thoughts on your favorite social platform.