NSA cyberdefense chief: ‘I have never been more busy’
This report first appeared on CyberScoop.
The man responsible for leading the National Security Agency’s defensive mission says his team is fielding more calls than ever from agencies across the government.
Dangerous, highly capable hackers and a desire by agencies to adopt cloud technology have increased the workload for Information Assurance chief Paul Pitelli and his office, which he says is “sort of like the Geek Squad for defense” in government.
Pitelli is a career professional who has served in the NSA for more than 20 years as the secretive spy agency transformed into what it is today — a highly sophisticated technology behemoth with an array of federal responsibilities, including both signals intelligence and protecting sensitive government systems. With the recent retirement of former Information Assurance Directorate head Curtis Dukes, a renown computer scientist and intelligence community icon, Pitelli took on an increased role in an ever important effort to ensure that the Defense Department and broader government aren’t hacked.
“We’ll get a wide range of calls from ‘Hey we’re trying to set up a whole new [information technology] environment’ — and that could be the White House calling,” Pitelli said.
A big focus in recents years for Information Assurance, according to Pitelli, has been helping a variety of different federal agencies establish secure cloud data storage processes.
“I have never been more busy,” Pitelli told CyberScoop in an interview Thursday after he spoke at the McAfee Security Through Innovation Summit. “We are getting calls because they all need help. Everyone wants to take advantage of cloud services, that’s sort of one thing we’re getting called for, but it’s also traditional issues because our nation is being constantly attacked. We’re one of the few agencies that get to see when and how the adversary starts operating.”
Federal lawmakers have increasingly encouraged agencies in recent years to adopt cloud data storage technologies as a way to both save costs and phase out old on-premise servers.
“Because of the economics of cloud services there’s so much incentive [for agencies] to migrate many of their capabilities,” Pitelli said. “A lot of people in government want the NSA’s help.”
Nobody in government wants to be the next to suffer a hack like the 2015 data breach that exposed federal employee information held by the Office of Personnel Management, he said.
“So we’re getting a lot of calls where it’s basically, ‘Hey we want to make this move, but how do we do it well?’” Pitelli said.
Turnover at the White House also adds to the Information Assurance division’s current workload.
“With a change of administration, you know, they typically take a fresh look. And for us that’s an opportunity because it allows us to sometimes make an [IT] environment better,” Pitelli said. “The cyber dimension is adding, on one hand, what you can call issues or events, but I think can be opportunities.”
Historically, Fort Meade’s defensive efforts in cyberspace have been overshadowed by the spy agency’s more offensive-centric, intelligence gathering mission set. This is evident from a labor perspective, given that the NSA’s Signals Intelligence workforce remains much larger than the Information Assurance unit.
An overwhelming majority of budget dollars are allocated to offense rather than defense, former intelligence officials say, and that’s resulted in an agency that is known almost exclusively for digital espionage rather than cyberdefense.
Dukes, former IAD head Debora Plunkett and departing NSA Deputy Director Rick Ledgett recently voiced their concerns that the NSA should be focusing on defense more than it has in the past.
Roughly 90 percent of the U.S. government cybersecurity spending is used to fuel offensive operations, Ledgett told Reuters.
“I absolutely think we should be placing significantly more effort on the defense, particularly in light of where we are with exponential growth in threats and capabilities and intentions,” Plunkett, who oversaw the NSA’s defensive mission from 2010 to 2014, recently told Reuters.
Defense under NSA21
The trio’s comments come amid an expansive reorganization effort by the NSA, instituted by agency Director Michael Rogers, that works to combine what was once called the Information Assurance Directorate and Signals Intelligence Directorate into a single, joint entity.
Although Rogers’ plan, known as NSA21, is intended to streamline operations, it has also spurred new concerns that the spy agency’s defensive mission will receive even less resources in the future.
“When the NSA goes through a change a lot of that discussion goes on because there’s a big difference between offense and defense as far as the budget … and so that was one of the big concerns that some folks vocalized,” said Pitelli, “I see a need, a bigger need for cybersecurity not just at NSA but for everybody.
The dual impact of NSA21’s rollout and Dukes’ recent retirement has caused some confusion in government.
“I know Curt voiced concerns that as we make this move [towards NSA21] there can be this perception that ‘Oh well who do I call?’ And if they don’t know who to call the question is, ‘Well where did it go?’ Curt was really one of the great, visible icons of Information Assurance and he retired and so there is that time right now where we are waiting to find out whose going to be given the mantle next,” Pitelli said.
Pitelli declined to specifically discuss the NSA’s budget but said he would like to see Congress broadly allocate greater resources for cybersecurity writ large, across the entire government.
“I will go so far as to say I would hope that the government — not just at NSA, but the government — really tries to allocate additional funds for the cybersecurity information assurance mission,” Pitelli said. “A lot of times people have lumped in their information assurance budgets with their IT budgets and … the challenge I think you’re seeing now is that we haven’t kept up with the budgets of cybersecurity.”