New NSA Head Faces Repairing Ties to Business Over Cyberthreats


By Daniel R. Stoller

New leadership at the National Security Agency provides a fresh opportunity to work with the private sector on alerting companies about security vulnerabilities, former NSA officials and lawmakers told Bloomberg Law.

Lt. Gen. Paul Nakasone on May 4 is set to become director of the spy agency, which collects communications data and signals intelligence on foreign national security threats. Nakasone is also slated to become head of U.S. Cyber Command, replacing Adm. Michael S. Rogers in both positions.

The NSA shares gathered intelligence with such law enforcement agencies as the FBI, CIA, and Justice Department that track cybercriminals and national security threats globally—and often threaten companies as well, former U.S. Rep. Mike Rogers (R-Mich.), who chaired the House Permanent Select Committee on Intelligence, told Bloomberg Law.

Today, the NSA “like any private sector company is dealing with more sophisticated adversaries” in cyberspace such as “China, Russia, North Korea and Iran,” Rogers, now a fellow at the Center for the Study of the Presidency & Congress, said.

Some say the NSA hasn’t gone far enough in sharing important information—and it will be up to Nakasone to build trust with the private sector. U.S. lawmakers, corporate officials, and others contend the agency hasn’t always turned over critical vulnerabilities that could potentially stop large-scale cyberattacks in the corporate sphere.

“Nakasone will face a substantial challenge in repairing the relationship in a way that protects the integrity of business’s relationships with clients around the world while also defending U.S. national security,” Susan Hennessey, who was an attorney in the office of the general counsel at NSA, told Bloomberg Law.

Foreign adversaries have “really stepped up their game,” and “the NSA will have to follow that trend” and improve, Rogers said. “The sheer volume and intensity of cyberattacks these days on financial institutions and critical infrastructure” operators, he said, calls for greater cooperation.

What to Tell

An NSA spokeswoman, Clarese Wilson, said the agency “strongly supports partnering with U.S. industry to help provide a solid cybersecurity foundation for our nation.” The NSA does so when discovering “vulnerabilities while conducting our signals intelligence and cybersecurity missions,” she told Bloomberg Law.

The NSA and the private sector already have something of a working relationship. As part of the vulnerabilities equities process (VEP), the NSA and other executive branch agencies such as the departments of Defense and Homeland Security decide which computer network vulnerabilities to tell the private sector about.

“Historically, NSA has disclosed, after equity review, more than 90 percent of the vulnerabilities that it has discovered in products that are made or used in the United States,” Wilson said.

Under Adm. Michael S. Rogers, the NSA sought to work with the private sector following the 2014 Sony Pictures Entertainment Inc. hack.

Rogers, soon after that cyberattack, made known that “the government (and presumably the NSA) offered assistance to the private sector computer security firm that Sony brought in to clean up the mess” left by North Korea, said Rhea Siers, scholar in residence at the George Washington University’s Center for Cyber and Homeland Security. Government agents “had full access to Sony’s network and data” to help them with the cyberattack response, she said.

The vulnerabilities equities process exposes “the difficulties in the NSA-private sector relationship,” Siers, former associate director for policy at NSA, told Bloomberg Law. The NSA has to make the decision, sometimes, to withhold actionable cyberthreat data from companies to be used for “offensive or intelligence collection purposes,” she said.
