SAN FRANCISCO — Before Microsoft released its January 2020 software patches, the NSA’s new Cybersecurity Directorate let another government agency in on a secret: the tech giant was releasing solution to a critical vulnerability the NSA found in the Windows 10 operating system.
That extra time allowed the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which protects critical infrastructure and federal networks from cyberattacks, to get a head start on preparing its partners to patch the vulnerability. Chris Krebs, the director of CISA, said this meant he was able to push a series of notifications out to partners, including the election community, state and local governments and critical infrastructure.
Krebs spoke Feb. 24 on a panel hosted by CyberScoop.
That information sharing is one example of how two new agencies, CISA, the newest component inside DHS, and the NSA’s Cybersecurity Directorate (which was created Oct. 1 and works to protect the Defense Industrial Base and weapons systems), are partnering to combine their strengths.
Anne Neuberger, the director of the Cybersecurity Directorate, said the two agencies “fundamentally need each other” because CISA works closely with officials running critical infrastructure.
“When we see adversaries developing a specific capability, per se, or having a particular intent to accomplish something, it’s often hard for us to understand the domestic vulnerability space, particularly outside DoD and the intelligence community and sensitive systems,” said Neuberger, in San Francisco for the RSA cybersecurity conference.
CISA, meanwhile, has insight into how many federal entities are running specific operating systems. For example, CISA knew the number of computers across federal civilian government running a Windows operating system. In response to the Windows 10 vulnerability, Krebs issued a mandate that federal agencies patch the vulnerability.
CISA can also help amplify NSA’s message to a broader spectrum of operators outside of the federal government. Days after the United States killed a prominent Iranian general, CISA had nearly 6,000 dial-ins to a conference call on Iranian threats. Krebs said Feb. 24 he estimates that DHS reached at a minimum 26,000 individuals over three calls that week.
“We partner on providing security guidance because we’ll have people who do vulnerability assessments who can provide mitigation advice partnering with folks who are actually on those systems,” Neuberger said.
With the new cyber directorate, the NSA wants to share threat information with stakeholders faster and with more context. Solving the Windows vulnerability is one of the group’s greatest successes so far, she said. Network defenders have to know the vulnerability exists and the patch is coming in order to patch quickly.
“We realized we had to start beginning planning way before,” Neuberger said. “So we did joint sessions with U.S. government CISOs to make them aware. We tipped awareness to key network owners to ensure they were aware so the moment the patch came out, they could jump on that and ensure they did whatever they could to mitigate that threat.”
With the extensive threats facing U.S. critical infrastructure, the two agencies’ work complement each other.
“It’s far easier to just say, let’s link arms and run at speed, because we’re being pursued speed,” Neuberger said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.