The NSA is creating a Directorate of Operations over the coming months to fuse together its offensive and defensive cybersecurity teams, according to a speech given at the agency today. Essentially, the team that collects information about system vulnerabilities in order to exploit them for espionage purposes will work alongside the team that collects information about vulnerabilities in order to shield US networks from cyberattacks. The reorganization is being called NSA21 and was publicly disclosed today.
The project is described as a two-year plan to help the agency better address national security threats, especially surrounding its cyber missions. Signals Intelligence, which exploits vulnerabilites to spy on foreign targets, and the Information Assurance Directorate (IAD), which protects the NSA’s own classified networks against spying, will be combined under the new Directorate of Operations, The Washington Post explained earlier week. Five other directorates, in addition to Operations, will be created to realign the agency's interests and investment in its workforce. It also refocuses the NSA on conducting research.
The plan goes completely against a suggestion made three years ago
The cyber portion of the plan contradicts a suggestion made three years ago. At the time, shortly after Edward Snowden’s leaks, the President’s Review Group argued that the IAD become a separate agency within the Department of Defense. The IAD's work to protect systems across the US from cyberattacks is totally different from the NSA’s stated espionage goals, which could lead to an unwelcomed mixing of missions. "We are concerned that having IAD embedded in a foreign intelligence organization creates potential conflicts of interest," the review group wrote.
The IAD relies on private companies disclosing their bugs to the agency and has already faced an uphill battle after Snowden's releases. Government skepticism is high and discourages private companies from disclosing vulnerabilites to the agency. When the severe Heartbleed vulnerability was discovered in 2014, for instance, many people speculated that the NSA had known about it for years. The same goes for the recent controversy about a backdoor in Juniper Network’s VPN suite.
This restructuring backpedals on that report while also confirming that the NSA's offense and defense share the same mission of identifying bugs, and that their coordination could prove fruitful for both missions. However, it likely won't do much to boost the NSA’s broader standing and trustworthiness for companies already hesitant to share vulnerability information.