Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
New leadership at the National Security Agency provides a fresh opportunity to work with the private sector on alerting companies about security vulnerabilities, former NSA officials and lawmakers told Bloomberg Law.
Lt. Gen. Paul Nakasone on May 4 is set to become director of the spy agency, which collects communications data and signals intelligence on foreign national security threats. Nakasone is also slated to become head of U.S. Cyber Command, replacing Adm. Michael S. Rogers in both positions.
The NSA shares gathered intelligence with such law enforcement agencies as the FBI, CIA, and Justice Department that track cybercriminals and national security threats globally—and often threaten companies as well, former U.S. Rep. Mike Rogers, (R-Mich.), who chaired the the House Permanent Select Committee on Intelligence, told Bloomberg Law.
Today, the NSA “like any private sector company is dealing with more sophisticated adversaries” in cyberspace such as “China, Russia, North Korea and Iran,” Rogers, now a fellow at the Center for the Study of the Presidency & Congress, said.
Some say the NSA hasn’t gone far enough in sharing important information—and it will be up to Nakasone to build trust with the private sector. U.S. lawmakers, corporate officials, and other contend the agency hasn’t always turned over critical vulnerabilities that could potentially stop large scale cyberattacks in the corporate sphere.
“Nakasone will face a substantial challenge in repairing the relationship in a way that protects the integrity of business’s relationships with clients around the world while also defending U.S. national security,” Susan Hennessey, who was an attorney in the office of the general counsel at NSA, told Bloomberg Law.
Foreign adversaries have “really stepped up their game,” and “the NSA will have to follow that trend” and improve, he said. “The sheer volume and intensity of cyberattacks these days on financial institutions and critical infrastructure” operators, Rogers said, calls for greater cooperation.
An NSA spokeswoman, Clarese Wilson, said the agency “strongly supports partnering with U.S. industry to help provide a solid cybersecurity foundation for our nation.” The NSA does so when discovering “vulnerabilities while conducting our signals intelligence and cybersecurity missions,” told Bloomberg Law..
The NSA and private sector already have somewhat of a working relationship. As part of the vulnerabilities equities process (VEP), the NSA and other executive branch agencies such as the departments of Defense and Homeland Security decide which computer network vulnerabilities to tell the private sector about.
“Historically, NSA has disclosed, after equity review, more than 90 percent of the vulnerabilities that it has discovered in products that are made or used in the United States,” Wilson said.
Under Adm. Michael S. Rogers, the NSA sought to work with the private sector following the 2014 Sony Pictures Entertainment Inc. hack.
Rogers, soon after that cyberattack, made known that “the government (and presumably the NSA) offered assistance to the private sector computer security firm that Sony brought in to clean up the mess” left by North Korea, said Rhea Siers, scholar in residence at the George Washington University’s Center for Cyber and Homeland Security. Government agents “had full access to Sony’s network and data” to help them with the cyberattack response, she said.
The vulnerabilities equities process exposes “the difficulties in the NSA-private sector relationship,” Siers, former associate director for policy at NSA, told Bloomberg Law. The NSA has to make the decision, sometimes, to withhold actionable cyberthreat data from companies to be used for “offensive or intelligence collection purposes,” she said.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)