The newly launched NSA Cybersecurity Directorate is working to develop security standards around the Department of Defense’s use of emerging technologies, particularly for weapons and national security systems.
It’s a continuation of NSA’s “many, many years” of work developing security standards for the nation’s most critical and sensitive systems, Director Anne Neuberger said Thursday at CyberTalks. Her directorate is “putting a focus on that as there’s a new host of technologies that will reshape the way we need to run security — 5G, Internet of Things, distributed ledger,” as well as cloud computing and quantum-resistant cryptography, she said.
The Cybersecurity Directorate, still in its infancy, will work over the next several months to “build the internal processes … to integrate that threat intelligence, security engineering to focus ourselves” on these technologies and how to securely use them, she said.
Neuberger pointed to cloud computing as one area around which her directorate has already received a lot of questions.
“And the question to us is: How do we use it safely?” she said. “And we say, great question. Cloud is really compelling, but it brings together some of the security risks of the old model with some of the unique virtualization and other isolation-need risks of the cloud model, and you need to go in eyes wide open. But we want to do more to actually document that and release it in a way that’s useful for enterprises.”
The big challenge is the wide variety of use cases that exist in an enterprise as large as DOD’s. Neuberger said NSA must think “carefully about what is the level of security assurance needed for the different kinds of uses.”
“If a given service wants to use distributed ledger to track its supply chain, that will be the use case we’ll use to say ‘What’s the appropriate level of security needed, and then how will they actually implement that?’” she said.
Additionally, once the standards are in place, there’s the challenge of making sure people are following them. Neuberger pointed to using incentives as one solution.
“Because in many cases, cybersecurity today is a leadership issue,” she said. “In some cases, like in IoT, we know the standards exist, but they’re largely not implemented, and we all know the risks, so how can we use the force of NSA’s insights, DOD procurement to help those become implemented, to really address some of the risks we see coming but haven’t as a community made enough progress against.”