Black Hat: NSA guru lauds security intelligence sharing

InfoWorld - U.S. government initiatives aimed at fostering the sharing of security intelligence throughout the federal space are helping to establish the community atmosphere and best practices necessary to help those agencies -- and private enterprises -- improve their network and applications defenses, a National Security Agency leader told attendees of the Black Hat conference on Wednesday.

Stepping to the stage to deliver a keynote presentation at the annual hacker confab in Las Vegas, Tony Stager, chief of the Vulnerability Analysis and Operations Group at the NSA, said that data-sharing efforts led by his agency and others in the federal space are maturing rapidly.

Having served a little less than 30 years as a security expert at the NSA, Stager said that federal agencies are finally succeeding in their efforts to build standards for issues such as secure configuration of Microsoft's Windows operating systems, and that those guidelines are likewise being adopted by other security initiatives and moving into the public arena.

At the heart of the progress is the notion that government entities and private institutions cannot effectively tackle security problems on their own, a deduction that seems obvious, but one that has been hard to implement on a practical level, in particular among agencies such as the NSA and the Department of Defense, which closely guard all their IT policies.

"NSA has shifted the nature of its work over the last few years; the time has come when we are all living in this same chaotic network and need to come together to solve problems of this scale," Sager said.

"In the old days, the idea was that we could simply design away the risk, but this is a much more complex world today," he said. "We've gone from protecting [assets] to protecting not only data, but all the information around that and the infrastructure that supports it; it's a much more dynamic problem, and there's no way of escaping that this is a shared problem."

As part of its effort to help foster security data sharing, NSA has moved its focus from trying to build technologies aimed at solving major security issues to attempting to influence practices across the government space that can also be adopted by private-sector firms, he said.

A major element of the vision is pushing for standards that translate security intelligence into language that any organization can interpret, said Sager. He highlighted the Common Weakness Enumeration (CWE) project -- an effort aimed at creating a common language for identifying software vulnerabilities that is backed by the Department of Homeland Security and nonprofit Mitre -- as one example of the types of standards that are delivering on the NSA's goal.