Hush-Hush NSA Lifts Veil on How Businesses Help Fight Hacks (2)

The U.S. National Security Agency, which is renowned for its secrecy, has opened its arms to the private sector and, at least for a day, the media.

The agency invited reporters on Tuesday to tour its Cybersecurity Collaboration Center, an unclassified space opened last year where private companies can swap information with the spy agency about cybersecurity threats and overseas hackers. It’s part of an effort by the agency to deepen its relationship with American companies in the hopes of thwarting cyberattacks in the U.S.

The NSA is prohibited by law from accessing American computer networks, so it hopes that increasing partnerships with the private sector will provide insights the agency can’t get on its own, said Rob Joyce, the NSA’s director of cybersecurity.

“What we get from the private sector is we get reach into places that NSA doesn’t go, into that domestic space,” Joyce said. The NSA is also seeking to share more of its own cybersecurity intelligence with participants at the center, he said.

The NSA is seeking to work with internet service providers, cloud computing companies and cybersecurity firms, said Morgan Adamski, chief of the collaboration center. The center has already worked with Microsoft Corp. to disclose vulnerabilities in the Windows operating system and Exchange mail server, she said.

“We want to ensure who we partner with covers a significant amount of the U.S. market share,” Adamski said. A Microsoft representative didn’t respond to a request for comment.

Joyce declined to name other companies the NSA is working with and didn’t expand on what information private companies would share with the agency.

A sign-in sheet at the event included four representatives from AT&T, along with NSA officials. An AT&T representative didn’t respond to a request for comment.

The NSA’s publicity tour comes as the Biden administration has said it has made cybersecurity a priority amid a string of high-profile hacks, including a ransomware attack against Colonial Pipeline Co. that curtailed fuel supplies along the East Coast last month.

The center, which started in January 2020, looks more like the office of a startup than a drab government office and includes a sensitive compartmented information facility, or SCIF, where discussions about classified information can take place.

It is located in a nondescript office park in suburban Maryland next to defense contractors, including Northrop Grumman Corp., Raytheon Technologies Corp. and General Dynamics Corp., and is across the street from NSA headquarters. But the center doesn’t have the same barbed wire fencing and armed guards as the NSA.

Among the NSA’s responsibilities is protecting classified networks, including those operated by defense contractors. Those contractors are often targets of foreign hackers looking to steal intellectual property or American defense secrets.

“We can eliminate a tool, we can eliminate infrastructure, but the chances are that the adversaries are going to keep coming after those defense contractors year after year,” Joyce said. He said he hopes for the companies to be a “sensor net” that can provide information to the NSA. “What they’re observing fills in that blank spot that we don’t see,” he said.

Following Joyce’s comments, an NSA public affairs official clarified that the agency isn’t seeking any new surveillance authorities.

Adamski proposed a scenario in which the NSA would provide information about a cyber threat to an internet service provider, which would then block that traffic from reaching not only classified networks, but also critical infrastructure and the public at large. She said the agency will be inviting employees of its private sector collaborators to have permanent space inside the center.

Greg Nojeim, senior counsel at the Center for Democracy & Technology, said the NSA’s efforts to be more transparent should extend to consumers, by sharing the nature of the information it is receiving from private companies, “particularly from consumer-facing technology companies that hold enormous amounts of our personal information.”

“It’s important that people be able to trust that their communications data isn’t being shared without their consent or without the legal process required by law,” he said.

Michael Bahar, former general counsel of the U.S. House Intelligence Committee and now a partner at Eversheds Sutherland, said information was critical and the “only way” for the U.S. to defend against hackers. But he said there were “definite privacy concerns and legal hurdles to turning over information to what is essentially a military or intelligence agency.”

“There is probably an effort afoot to say, ‘Trust us. Our job is to defend the homeland. We can do this without adversely impacting privacy and civil liberties,’” Bahar said.

But Glenn Gerstell, former general counsel of the NSA, who retired in 2020, said the collaboration center didn’t represent any threat to privacy. “This is all generalized information that has to do with cybersecurity goals,” he said. “If anything it’s the reverse, which is to say, you can’t have good privacy unless you have good customer cybersecurity.”

“The private sector has way greater ability to be a giant antennae collecting this information than the government does,” he said.

(Updates with new headline)

To contact the reporter on this story:
William Turton in New York at wturton1@bloomberg.net

To contact the editors responsible for this story:
Andrew Martin at amartin146@bloomberg.net

Andrew Pollack

© 2021 Bloomberg L.P. All rights reserved. Used with permission.