The Situation Report: The Driving Forces Behind NSA’s Reorganization

The National Security Agency has operated for decades under a well-defined mission: conduct foreign signals intelligence, support military operations, and defend national security systems from attacks. But major changes in the cyber threat landscape during the last few years have forced the agency to embrace a new reorganization strategy that officials argue is urgently needed to defend the nation from an onslaught of state-sponsored hacking attacks.

“We’re increasingly being called to defend the whole of government,” said Curtis W. Dukes, NSA’s information assurance director, during an invitation-only gathering Tuesday of reporters in Washington, D.C. The number of incidents requiring interagency support from NSA’s information assurance directorate—known inside the agency as a Request for Technical situation report logoServices—has increased significantly during the last two years, Dukes said.

“In the last 24 months, there has not been one incident where we did not augment or support” the Department of Homeland Security and Federal contractors doing incident response work, he said. The most notable incidents include the massive data breach at the Office of Personnel Management, the infiltration of the State Department’s email system, an intrusion into unclassified systems used by the Executive Office of the President, a spearphishing attack targeting the Pentagon’s Joint Staff, and the targeting of Sony Pictures Entertainment by North Korean government hackers.

But one of the most damaging attacks involved the likely theft of blueprints to the Pentagon’s newest high-tech jet fighter, the F-35 Joint Strike Fighter. According to Dukes, all indications lead to China, especially since the Chinese military has since fielded a new jet that looks almost identical to the F-35. “We believe [it’s similar] because they actually stole the blueprints,” Dukes said.

NSA21

Long known as the preeminent signals intelligence collection agency in the world, the NSA’s information assurance mission has grown considerably. The foundation of that mission remains blue teaming–defending national security systems; red teaming–hacking systems to find vulnerabilities before adversaries can take advantage of them; and actively hunting for adversaries on national security networks. Put another way, the information assurance mission is to protect, advise, and support.

NSA21-LogoThat mission is not changing, but the way NSA organizes and operates is. Announced in February by NSA Director Adm. Mike Rogers, NSA in the 21st Century (NSA21) is the agency’s first major reorganization in 15 years. The two-year reorganization will establish six new directorates under a centralized NSA operating framework. Those directorates include: Business Management and Acquisition; Engagement and Policy; Operations; Capabilities; Workforce and Support Activities; and Research.

The goal of the reorganization is better integration. The roughly 3,000 people who perform information assurance will be moved into the new Directorate of Operations alongside foreign signals intelligence and cyber defense forces. And Dukes has been given a new role as well: deputy national manager for national security systems.

NSA21 is not the first major reorganization for the once super-secret NSA. In 1999, a group of midlevel managers at NSA produced the New Enterprise Team report, which was highly critical of the agency’s leadership and intelligence failures. Michael Hayden, the NSA director at the time, described the group of 19 managers as “responsible anarchists,” and immediately set out on his “100 Days of Change” initiative. It was the NETeam assessment that led to the creation of the many post-9/11 global surveillance programs, which remain highly controversial.

But it has been the revelations of NSA’s global surveillance activities that has some privacy and civil liberties groups unhappy with the current reorganization plan. They argue that keeping information assurance closely allied with NSA’s foreign intelligence mission leaves open the possibility that the agency can insert vulnerabilities and back doors into systems and commercial products whenever it suits its needs.

Those concerns are not lost on NSA officials, but they insist that the intelligence mission is central to making information assurance more successful in a highly complex, global network environment where attributing attacks is extremely difficult. Dukes and other officials point to NSA’s continuing collaboration with industry giants, like Microsoft and the Linux community, to help improve operating system security, and their routine issuance of unclassified operational risk notifications to private owners of critical infrastructure as areas where the agency’s intelligence insight has been helpful.

This integration will become even more critical as the Internet of Things powers new attacks in an era when, as one official put it, “no network seems to be off limits.”