Emerging technologies such as cloud computing and big data are putting unprecedented analytic power in the hands of U.S. defense and intelligence agencies. Nowhere is this more apparent than at the National Security Agency, the nation’s steward of digital intelligence gathering. According to NSA Capabilities Director and Chief Information Officer Greg Smithberger, the agency has built a “data fusion environment” enabling analysts to synthesize thousands of terabytes of data.
At the same time, after two catastrophic data breaches in the past five years, the NSA has raced to overhaul its internal safeguards, which are designed to wall off content so that only the individuals authorized to access it can do so. Smithberger sees these improvements as essential to protecting some of the nation’s most closely held secrets from theft, as well as protecting the privacy of all Americans.
Bloomberg Government federal market analyst Chris Cornillie recently corresponded with Smithberger by email. The responses have been edited lightly for clarity.
Q: How does NSA balance the need for analysts to have access to information to do their jobs, and the need to control access to that information and keep it secure?
A: At the National Security Agency, it is critically important both to strictly enforce “need to know” and to ensure that we are doing all we can to make connections between diverse data sets to maximize timely insights for both our foreign intelligence and cybersecurity missions. We have many layers of security to protect our information from outside threats, but we also need to ensure that particularly sensitive mission and personal privacy information is only accessed by essential, authorized personnel. NSA uses a combination of techniques to positively identify individuals, determine exactly what they are authorized to see, and ensure that individuals can only receive the data that they are authorized to see.
To maximize our ability to rapidly fuse data and bring the most relevant information to our analysts as quickly as possible, while still protecting need to know, we created a custom big data fusion environment, using a combination of NSA inventions and commercially developed technology. All of the data going into this environment is carefully tagged so that we know how sensitive it is; all people using this environment are specifically authorized to see only certain types of data; and the big data analytics fusing data across the entire data lake only deliver to any individual the subset of the results that individual is authorized to see. Although this system is a bit complicated, it allows us to strike the right balance between data fusion and need to know, while also ensuring that every type of data is handled in compliance with the appropriate U.S. laws and policies.
Although this custom data fusion environment was originally designed to address NSA’s complex missions, we’ve now made this technology available to the entire Intelligence Community as part of the Director of National Intelligence’s Intelligence Community Integrated Technology Enterprise, or IC ITE. NSA and the IC usually refer to this environment as the “IC GovCloud.” The same mechanisms that enforce need to know and compliance within NSA’s mission have also proven effective across IC agencies, even though the governing laws and policies differ across agencies.
Q: When did NSA recognize the need to shift from perimeter-based to identity-based security controls?
A: First of all, NSA has not given up perimeter-based defense; it is as important as ever. NSA has integrated boundary defenses, network layer defenses, host-based defenses, identity-based security controls, and data-centric attribute-based access controls into a comprehensive defense against both external and insider threats.
NSA’s Secure the Enterprise initiative is ensuring that all of these defense mechanisms are comprehensively utilized across all networks associated with NSA’s mission. Part of this initiative is doubling down on certain forms of boundary defense, while also layering in the other components of an active defense in depth.
Q: What were the prerequisites for implementing identity management (IDAM) at scale, both in terms of policies and skills and talent?
A: Implementing strong IDAM across the NSA enterprise has required many things.
First, the Director of NSA has empowered the NSA Chief Information Officer, and aligned the CIO role with the Chief Technology Officer role, or in our case, the NSA Capabilities Director, to accelerate implementation.
In addition, NSA deployed public key infrastructure universally across our complex enterprise to positively identify all people and non-person entities. We implemented strong authorization and entitlement systems to determine who is authorized to perform specific functions and to determine the need to know for each individual.
NSA has strong standards for the data labels that we use to tag specific data objects, so that we know how they must be handled, how sensitive they are, and how they can be shared. Policies and verification mechanisms ensure that all of these pieces are integrated in the right way to ensure that NSA is operating within all applicable laws, policies, and procedures.
To do this well, we needed a combination of security experts, data modelers, service developers, test experts, database experts, policy and legal experts, compliance experts, system accreditors, and mission experts. Since NSA’s missions and systems are constantly evolving, we have a never-ending collaboration across all of these skill fields.
Q: What has NSA learned from this program that it could teach leaders from other agencies?
A: NSA has been sharing its lessons with the Intelligence Community, Department of Defense, and many other departments and agencies associated with U.S. national security. Part of NSA’s cybersecurity and information assurance mission is promulgating best defensive practices.
Our most important lesson is that cybersecurity needs to be considered at the design phase of every part of a network, in terms of boundaries, backbones, services, hosts, and applications, verified at all phases of implementation and sustainment, and constantly evolved to adapt to changing threats. It is much easier to design security in at the beginning than to try to retrofit it later.
Finally, we would stress that senior leadership commitment is critical. Without senior leadership commitment, it is too easy to defer critical security investments in favor of adding new functionality. In the end, these deferred security investments put both the new and the old functionality, and the mission of the organization, at risk.