The White House issued a memo today that gives the National Security Agency (NSA) more authority over protecting national security systems and seeks to better position the Department of Defense (DoD) and intelligence agencies to handle a range of digital national security threats targeting cloud systems and outdated encryption standards.
The memo places the NSA in a role similar to the one the Cybersecurity and Infrastructure Security Agency (CISA) plays among federal civilian agencies. The agency will now have the authority to issue emergency and binding directives that require agencies to take discrete actions on cybersecurity problems or emerging threats.
While each agency will still ultimately be responsible for protecting its sensitive systems and data, the memo gives the director of the NSA wide latitude to designate what constitutes a national security system at other defense and intelligence agencies, examine systems for security controls and incident response, and issue new requirements or activities meant to shore up cybersecurity.
It also establishes the NSA as the “focal point” for visibility over cybersecurity threats that affect military and intelligence systems. Within two months, the NSA will issue a directive ordering agencies to send relevant information for any and all “cross domain solutions” or systems that connect to other systems with different levels of classification. Agencies will send logs, IT asset inventories, patching history and other information to the NSA, which will serve as the principal advisor for all such actions.
The memo also puts responsibility on DoD, the FBI, the CIA and the Office of the Director of National Intelligence to flesh out a framework for conducting incident response activities on national security systems and requires any breach to be reported to the NSA.
The order lays out a number of timelines for military and intelligence agencies to follow.
By March, each agency with systems that handle sensitive or classified national security data must update its plans around zero trust and cloud adoption. By April, the Committee on National Security Systems must establish minimum security controls for national security IT systems that are migrated to the cloud. Agencies must also confirm by July that all national security system data are using multifactor authentication and encryption protocols, both for data at rest and in transit.
On the encryption side, the NSA has been at the forefront of implementing new encryption protocols that can withstand potential attacks from quantum computers in the future. The memo puts the NSA in the driver's seat of implementing similar transformations across the national security space, including contractors. Defense and intel agencies will have six months to map out any systems that are non-compliant or not using NSA-approved algorithms and establish timelines for replacing them.
A House report on the National Defense Authorization Act last September explicitly floated giving the NSA the authority to issue binding operational directives, saying that while current law allows the Joint Functional Headquarters-Department of Defense Information Network agencies “to direct required actions to the majority of the federal government, there appear to be impediments to a comparable authority over National Security Systems.”
At the time, one former NSA employee told SC Media that it would depend on the specifics but that, if granted, he expected such authorities to be used not only to defend U.S. government networks, but also to enhance intelligence collection against the foreign adversaries targeting them.
"No federal agency has ever said, ‘Please don’t give us an authority,’ and intelligence agencies are certainly no exception,” said Jake Williams, a former NSA hacker and chief technology officer at BreachQuest. "Intelligence agencies only operate within the authorities they’re granted and certainly any BODs given to NSA will be used to enhance the intelligence mission.”
Sen. Mark Warner, D-Va., praised the move in a statement and pointed to the requirement that agencies report hacks to the NSA, calling for Congress to pass legislation he authored imposing similar requirements on critical infrastructure. A bill to do so was stripped out of last year's NDAA, but sources in Congress have told SC Media that they are eyeing a number of possible legislative vehicles to get it passed into law, including an upcoming government spending bill due in February and a rider to the United States Innovation and Competition Act.
"Now it’s time for Congress to act by passing our bipartisan legislation that would require critical infrastructure owners and operators to report such cyber intrusions within 72 hours," Warner said.