Leader of new NSA Cybersecurity Directorate outlines threats, objectives

Ransomware, Russia, China, Iran and North Korea are the top cybersecurity threats that will be the focus of a new division within the National Security Agency (NSA), the Cybersecurity Directorate, which is set to be operational on October 1, according to NSA director of cybersecurity Anne Neuberger. She was tapped in July by Director General Paul Nakasone to head the group. The Directorate aims to bring the agency’s foreign intelligence and cyber operations together and “operationalize [its] threat intelligence, vulnerability assessments and cyber defense expertise,” the agency announced when launching the new division.

“NSA really had to up its game,” Neuberger said in a fireside chat with Niloofar Razi Howe, cybersecurity venture investor and executive, at the Billington Cybersecurity Summit in Washington on September 4. “And that’s what drove this desire to stand up a directorate and frankly to set a pretty aggressive mission, which is to prevent and eradicate cyber actors from national security systems and critical infrastructure with a focus on the defense industrial base.”

In terms of the threats, “Clearly ransomware is the focus. We’ve seen there are roughly 4,000 ransomware attacks a day,” Neuberger said. “When we look at Russia, we see a country that uses influence operations, uses cyber [that is] really integrated and below the level of armed conflict. They also use entities who aren’t necessarily tied to the government, whether the Internet Research Agency for potential elections influence or mercenaries to fight military conflicts in Ukraine or Syria.”

Each nation-state threat is unique

China has its own unique approach to how the country uses cyber threats to achieve its national security and military objectives, Neuberger said. China’s cyber threats are exemplified by three different and wholly distinct types of operations: the 2015 theft of 21.5 million records from the Office of Personnel Management, the hacking campaign known as Cloud Hopper that targeted eight of the world’s biggest technology service providers, and ongoing theft of intellectual property such as when Chinese intelligence and business insiders sought to steal information related to a turbofan engine used in commercial airliners.

Iran is very volatile and uses destructive attacks in its own region primarily, Neuberger said. “North Korea always fascinates us as essentially a nation-state criminal, as a country under sanctions using creative ways of cyber, whether it’s cryptocurrency, whether it’s cryptomining to gain hard currency and essentially keep the regime afloat.”

Social media makes influence operations easier

Neuberger previously headed the agency’s “Russia Small Group,” a joint NSA-Cyber Command task force to combat Russian election interference and influence campaigns. The task force “was stood up out of a realization that something had dramatically changed and we had to reboot our approach as a US government,” Neuberger said.

“Now influence operations have been around since the days of Adam and Eve, but what really changed was the age of social media,” she said. Not only could an adversary send out broad messaging, but it could also target disinformation to particular ethnic groups, particular elements of a country, and do it in a “pretty cheap way…looking as if one is an American.”

“So, we realized that it took a more creative approach to protect our democracy. In the Russia Small Group, we worked closely with the DHS and FBI to ensure that from a cyber perspective they had all the threat information we had in a way that can be quickly actionable,” Neuberger said. “We’re tremendously proud of the work we did between NSA, Cyber Command, DHS and the FBI to defend the integrity of our elections and ensure that every American know that their vote counted and their vote matters,” she said, referring to the Russia Small Group’s efforts to protect the 2018 midterm elections.