The NSA’s 2020 Year In Review: America’s Top Cybersecurity Concerns
Each year, the National Security Agency (NSA) releases a “Year In Review” report in January for the previous year. It’s a rare chance for anyone interested in cybersecurity to see a bit of the inner workings of one of the most secretive agencies in the world and learn from unique insights that only the NSA would be able to provide.
While the “Year In Review” is free to everyone, it’s quite a dense document, and it oddly discusses federal politics intermittently. For reference, you can take a look at their press release or just go straight to the full PDF file containing it. To save you time and help cut straight to the chase, we’ve analyzed the publication and have selected the most important components to keep in mind as we continue into 2021.
The NSA Is Sharing More
Historically, the NSA has had a reputation for being a closed-door agency. Due to how the Department of Defense (DoD) classification and information access security clearance processes work, it had been unlawful to share almost any educational output.
For the first time, the NSA has done a complete reversal on this policy. After conducting a study, it found that it was sorely behind some of its adversaries and concluded that declassifying information that isn’t harmful for the public to know, and then releasing it, would help in two ways.
First, because the NSA works closely with its contractors and with academic institutions, making cybersecurity trends and data uniformly available speeds up the development process. Second, the NSA felt that doing so would give back to the taxpayers who fund them and build a stronger sense of public trust rather than the suspicion and wariness they typically face.
The NSA now has a public portal located here. More advanced users will be most interested in the “Cybersecurity Advisories and Technical Guidance” section, which has recent vulnerabilities the NSA has found, fact sheets on how to securely perform common and advanced IT tasks, and more. Those of all skill levels should check out “Cybersecurity Products and Services”, which has everything from actual cipher-cracking code they have written to basic cybersecurity tutorials. If you’re looking at a possible cybersecurity career or just want to participate in their annual hackathon, see “Cybersecurity Education”.
2020 Broke the Record For Number of Cybersecurity Advisories
Whenever the NSA detects a malicious foreign entity (MFE) stirring up cyber trouble, the agency issues what’s called a Cybersecurity Advisory (CSA) to managers and administrators. These are typically classified and are short briefings on the threat with suggestions on how to mitigate it. In 2020, the NSA put out more CSAs than in any year before, demonstrating that there was an abnormally high volume of cyber attacks around the globe.
Fortunately, in their recent transparency initiative, the NSA has now publicly released 30 of these to date. They’re viewable on their public portal. These are very relevant to anyone learning cybersecurity. Though the documents are quite dense and will take some Google-Fu for the many acronyms they contain, they have detailed information on novel threats, vulnerabilities, and some even demonstrate how a malicious actor may exploit those vulnerabilities.
You may be wondering how authentic these are, since it might seem like there’s no rationale for releasing to the public information that could potentially cripple some information systems. The whole purpose of a CSA is to make the attack technology an MFE has useless. For example, say an MFE had found a zero-day exploit in a popular web browser and was targeting NSA employees with it. Publishing an advisory about it brings in the private sector and hobbyists, who are excellent assets in getting such exploits patched much more quickly. As a result, everyone ends up more secure, and it opens up a trove of free cybersecurity insights.
If you’re interested in seeing the highlights of what CSAs the NSA has put out, from finding a cryptographic flaw in Windows 10 that was immediately patched to advisories on rare Linux malware produced by the Russian government, their library is right here.
NSA’s COVID-19 Response
The development of an effective and safe vaccination for COVID-19 involved a huge investment of time, money, and skill by private companies and the US government. While most people have likely heard of “Operation Warp Speed”, a government-wide program to expedite the vaccine’s development, many people do not know that Operation Warp Speed was headed by both the Department of Health & Human Services and the Department of Defense.
The DoD immediately became involved as it became clear that there were two major types of threats on the horizon. First, many countries that are either hostile or neutral towards the US regularly attempted to breach US networks to steal research progress to claim it as their own. Second, and lesser known, there were efforts by unspecified MFEs to subvert the development of the vaccination. In other words, some MFEs wanted to silently change the chemical structure of the vaccine, which likely would have ended in catastrophic loss of life.
Killing “Cozy Bear”
There is an Advanced Persistent Threat (APT), meaning an organization or governmental entity that is constantly on the prowl to attack and must be closely monitored, that the NSA has labeled as both “APT29” and “Cozy Bear”. For the first time, the NSA has acknowledged in this report that it is “almost certainly” a branch of Russian Intelligence Services.
In the case of COVID-19, APT29 developed custom malware called WellMess and WellMail. WellMess debuted a few years ago but has been used consistently in attempts to steal intellectual property like the scientific progress on the COVID-19 vaccination. WellMail is a “helper” tool for WellMess; essentially, it allows the malicious functions of WellMess to be commanded and controlled through obfuscated emails carrying commands and files.
Fortunately, both of these threats had been identified by the NSA and other countries’ security agencies around the world, effectively killing off “Cozy Bear” for the time being; too bad, it was such a sweet name.
NSA’s 2021 Cyber Projections
Though the NSA successfully fended off other countries from stealing the US’s progress on COVID-19 vaccination development, there are still countless threats on the horizon. There are three countries in particular that seem to relentlessly attack both US government personnel and assets as well as civilians not involved in the intelligence community in an attempt to destabilize the country.
Unsurprisingly, these countries are Iran, China, and Russia. Though they have the common goal of undermining the US, their approaches to it vary significantly. The NSA notes that China has a huge amount of personnel and money invested in their wide-scale hacking operations largely due to the fact that nearly all technology in the country is developed from stolen intellectual property.
Russia was specifically named as the adversary focusing the most on using divisive and “corrosive” tactics against multiple countries in an attempt to sow discord among citizens of those countries. This is often performed by Russian Intelligence Service employees posing as US citizens and funding demonstrations and riots throughout the US and other, unnamed countries. Notably, Russia was also called out for doing the digital equivalent of this for the same aim.
The NSA’s wording on the threat Iran poses is vague. It appears that the NSA is implying that Iran is a wildcard threat, popping up seemingly out of nowhere (much like North Korea). Unlike China’s larger-scale, over-time attacks and Russia’s focus on division and diversion, Iran is known to target specific state-owned infrastructure, such as power grids.
The Hope Ushered In By 2021
In part due to the NSA’s knowledge-sharing initiative and transparency, the public has an opportunity to fully understand some of the events that seemed strange or random in 2020. Cybersecurity enthusiasts can legally get their hands on lots of useful and educational stuff free from the NSA. The NSA has also publicly identified the major attack attempts and primary offenders in an attempt to prevent further division among people.
All of this comes at a time when the industry is finally reaching a consensus: reaching out to civilians and the private sector is the only path forward. The days of complete silence and secrecy are gone because that approach was benefiting nobody besides cyber adversaries. With all of these free resources that are of the highest caliber available for all, learning cybersecurity skills has never been easier.
Remember, even if you have zero interest in working with the DoD or NSA, the information they provide can help you pass certification exams, practice with real-life examples, and show you what skills are most in demand on both the white hat and black hat ends of the spectrum. At the end of the day, more people being aware of cyber threats and taking proactive steps to prevent attacks will lead to a better world.