🎁'Tis the season to support public service journalism Donate Now
How the NSA and private sector are working together on cybersecurity
Dec 15, 2022

How the NSA and private sector are working together on cybersecurity

Rob Joyce of the NSA says sharing declassified information with partners who can then take action on it is a "game changer."

A government agency known for keeping its secrets has been attempting to be a bit more open when it comes to cybersecurity.

Digital attacks are now a regular threat, not just the for private sector, like last year’s hack of the Colonial oil pipeline. They are also a threat for public infrastructure, like major ransomware attacks on hospitals and public schools.

So the National Security Agency is expanding its work with the private sector, nearly tripling the number of industry partnerships to more than 300 in the past year, according to the agency’s 2022 Cybersecurity Year in Review report.

Marketplace’s Kimberly Adams spoke with Rob Joyce, the NSA’s director of cybersecurity, about how the agency’s Cybersecurity Collaboration Center is working with private companies.

The following is an edited transcript of their conversation.

Rob Joyce: That group has been focused on taking the things we know from intelligence and getting those down to unclassified levels so that companies can take action. Because what we’ve learned is, it’s really important to protect our sensitive intelligence sources and methods. But what we’ve found is it’s not what we know that is sensitive, but how we know it. And so we’re able to get that information down to the actionable level that uncleared companies can take action on it. And it’s just a game changer.

Kimberly Adams: Can you walk me through a piece of information or an example of something that maybe a year or two ago would have stayed at the NSA, but that you were able to declassify and it had a big impact?

Joyce: We’re able to look out into foreign space and watch the tools and capabilities that ransomware actors are bringing against U.S. businesses. A good example of that was several of the infrastructure threats that hit the U.S. last year as the ransomware gangs were on the rise. We would collaborate with things we knew, both to warn businesses, usually through FBI, and we would also work to help inform the defensive guidance, talking about things people need to protect against. It’s akin to locking your car doors, because these ransomware actors are going around jiggling the handles on all the doorknobs of the businesses throughout the U.S. And when they find a door that’s open, they don’t care who it is, they’ll go through and hold them at ransom, they’ll victimize them, they’ll steal and extort their information off their customers’ data. And so by understanding the tradecraft that’s being used, you can prevent yourself from being a victim.

Adams: You’ve said in past interviews that these ransomware attacks are a really big issue for the NSA. Where do you feel like the threat is most severe for ransomware attacks right now? And what is the NSA doing about it?

Joyce: Ransomware actors go where the money is. And what they’ve learned is that the biggest companies will pay to either get their data back or prevent their customers’ data from being released. So they are hoping to get in and exploit the biggest companies. They don’t care who they are, they just want to get a payday.

Adams: There have been so many ransomware attacks, not just on private companies, but public areas like hospitals, schools. Can you give us a sense of how much these threats or attempts are increasing or decreasing? Are your efforts working?

Joyce: Year on year, ransomware is up. We really have a challenge ahead of us. I think the government and industry have gotten a lot better at responding and defending against ransomware. But the criminals are understanding there’s money to be made, so they’re innovating and improving as well.

Adams: Everything from our communication infrastructure, our water systems, sometimes even our voting machinery, it often comes down to the security of networks or computers. Where do cyberattacks fit into the overall assessment of severity of threats? I know there’s been some discussion on the international stage about whether a cyberattack committed by one state to another is equivalent to a physical military attack.

Joyce: There’s no denying that cyberattacks are significant. I think you only need to look back at the Colonial Pipeline hack in the U.S. to understand that it was a national security threat to the U.S. We had the East Coast fuel supplies damaged, impacted. I drove by gas stations without gas, and I drove by gas stations with huge lines for the places that did have gasoline. When you start to impact the critical infrastructure of a country, there’s no doubt that it’s a national security issue.

Adams: I guess a lot of us growing up, when we’re learning about national security, or even in school, what the military does, what an attack looks like — how does that framing and paradigm need to shift in the country today?

Joyce: This is one of the reasons I think the U.S. government is putting so much emphasis and effort into the problem. As an issue becomes a national security challenge, it becomes a policy challenge, it becomes a resource challenge, it’s certainly a law enforcement challenge. And there’s no one tool that’s going to solve this. But at the top levels of government, there’s focus and resources going into the problem because of the recognition of how much impact this is having on just ordinary citizens all the way up through our businesses and then to the security of our nation.

Adams: We’re coming up on a government funding deadline, as we often do this time of year. How might any suspension of government funding affect your operations?

Joyce: So the good news is for national security issues, we work whether there’s government funding or not. We’ve, in the past, always been back-compensated by Congress. They do a great job at recognizing that folks on the front lines in these types of matters need to be here, and we can’t shut down if there’s a lack of funding, so we’ll be on the watch.

Adams: What role do regular people, especially those not working for government intelligence agencies, have to play in this brave new world of our cybersecurity landscape?

Joyce: So I think the average citizen has to recognize that they can be a vector into their businesses. Protecting yourself should start with doing the basics: You should be updating the software on your phone and your computer, you should understand the importance of having a strong password. And when you choose a password, don’t reuse that password across multiple sites. Because what we find are these criminal actors, sometimes even the nation-state actors, they can go through our accounts into those things that matter for business and government.

The future of this podcast starts with you.

Every day, the “Marketplace Tech” team demystifies the digital economy with stories that explore more than just Big Tech. We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.

As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.

Support “Marketplace Tech” in any amount today and become a partner in our mission.

The team

Daniel Shin Daniel Shin
Jesus Alvarado Assistant Producer