Welcome to CyberFocus from the McCrary Institute where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the privilege to sit down with Dave Luber. Dave is a 37 year veteran at the National Security Agency where he currently is the Director of Cybersecurity at NSA, responsible
for defending our national security systems, Defense Industrial Base and obviously DoD systems writ. Prior to that he served in leadership roles including the Executive Director, the highest ranking civilian at U.S. Cyber Command. Also was head of NSA Colorado and also served at the TAO and many other leadership roles including stints at the Undersecretary of Defense for Intelligence. And quite honestly a true veteran and really appreciate the time that he will spend
with us today. Dave, thank you so much for joining us. Frank, it's great
to be here. Really looking forward to the discussions today. So NSA has sort of
become much more visible in its role in defending our country and our national security systems and cybersecurity. I thought maybe it'd be helpful to start with a little bit of mission setting just so we can set the stage for, for where we are today. Sure, Frank. You know, at NSA we have two primary missions, Signal intelligence and
cybersecurity, SIGINT and cybersecurity. And about nearly five years ago then the Director of NSA, General Nakasone decided that, hey, it's really important for us to rethink. How do we make sure that we bring the best advice, guidance and capabilities from a cybersecurity perspective to protect our national security systems, our weapons and space systems and the defense industrial
base as a primary focus. So by firing up this new Cybersecurity directorate, we brought together the best of signals intelligence and the expertise and cybersecurity advice and guidance into one directorate. And this has been a real significant change for NSA and the national security community. And I can imagine made for some interesting times, especially given the red
side of the mission as well. And it's really good to see because I used to think, and still do to an extent, that the initiative remains with the attacker. But it is good and I think we're hitting the time where maybe blue is catching up with red. Yes. No. Well, I think you have to think of it
from both perspectives. You need to use the hacker mentality to think about how you would protect those critical systems. And when you have folks that have had experience in both the signals intelligence mission and the cybersecurity mission, you can bring those disciplines together and really allow that critical Intelligence that we glean from SIGINT to drive smarter cybersecurity application and policy, as well as mitigation against sophisticated actors. Awesome. And lots of developments
within the Beltway and the many agencies that are responsible for cybersecurity. But I think arguably some of the greatest developments are the public private partnership and where industry and government can come together. A little bit of light on some of your work there.
Absolutely. About four years ago, we stood up a center called the Cybersecurity Collaboration Center, sometimes called the CCC in a short name. But really the intent of the CCC is really to bring together analysts, analysts from NSA, analysts from the Defense Industrial Base so that we can share insights back and forth. What we've learned is that NSA
has very interesting and insightful insights from signals intelligence. And when we separate what we know from how we know it, we can begin to share those insights with other analysts in the community, especially the Defense Industrial Base. Collectively, we get a broader picture of what advanced actors are doing in cyberspace when our analysts can share insights back and forth. So whether it's tracking down and identifying advanced threats from the PRC or
Russia or other actors, even ransomware, non state actors, this is where. This is where we've brought together the talents of NSA along with the talents of industry to really scale cybersecurity in a way we've never been able to do in the past. And
talk a little bit about the one team, one fight, the unified mission. So obviously the National Security Agency and the CCC in particular plays a significant role. But CISA, FBI, other DOE, depending upon some of the sector risk management agencies. But give us a little bit of a picture of how NSA fits into that puzzle. Absolutely. I
mean, as I mentioned, signals intelligence brings very specific insights into the. Including very exquisite,
exquisite means. Exactly. But really the power of partnerships across US Government. You mentioned CISA,
FBI, US Cyber Command, and other agencies. Extremely important when you think about using all the different levers of a national power to thwart and otherwise expose sophisticated cyber tradecraft. But the partnerships don't stop inside the US Government. We also have very focused partnerships with our Five Eyes partners, as well as other select foreign partners. We have
partnerships with academia and of course, industry. Right. So collectively, it takes the partnerships across the board to really bring focus and impact to ensure that we can defend against these threat actors. And the role and mission on Defense industrial base is 100% clear.
But there's so much capability, lessons learned, insights that can be shared with other critical infrastructure owner operators. Right. From the private sector. How does that work? Absolutely. I mean,
when you think about it, if we were just at the CCC, considering that the insights from signals intelligence should only support the defense industrial base, that would provide a
major shortfall for the rest of government. So really, when we look at these different areas of concern and we publish cybersecurity advisories or other guidance, we look to do that collectively with other US Government partners and foreign partners so that we get the best opportunity to present actionable guidance for network defenders and policymakers when it comes to, you know, strong cybersecurity. So not just theory, these are hands on. And by the
way, we will make available in our show notes, I love seeing seals from allied countries and hope we continue that. But any in particular that sort of rise above the fold you'd like to mention here? Well, I would say that as we started
some of our first cybersecurity advisories and some of the partners that joined in, obviously within the U.S. government, FBI, CISA, obviously NSA and U.S. Cyber Command have always been on just about every advisory. But then the Five Eyes partners, also critically important. But you probably may have noticed this year that partners in Japan, partners in South Korea, partners in Germany have also joined in on several advisories that have been published
across the Five Eyes as well as the intelligence community. And I hope we double
down on some of that because quite honestly, these countries live in tough neighborhoods. And if they're vulnerable, we're vulnerable, and vice versa to some extent or another. Exactly. And
if you kind of think about it, each of those partners sees the Internet a little bit differently. And as they bring insights together, that strengthens the opportunity to identify and thwart some of these actions. Absolutely. Let's go to a little bit on education,
since we are an academic institution and very proud to be a center of excellence on education as well as research and cyber operations. But tell us a little bit about the centers of excellence in cyber and whether or not they play a key role in building this workforce which we all know needs to grow, grow, grow, grow, grow, grow, grow to keep up with the threat environment. Frank, I've been engaged with
academia for many, many years. Even evaluating University of Maryland. We love it. Even evaluating some of the first CAE colleges that entered into the centers of academic excellence. So we've been in this business for 30 years or so, and today we have over 400 universities that are part of the CAE program. I always think of engagement with academia as an opportunity to work left of launch, left of launch of an employee's
career with the US Government or with the intelligence community. So it starts first with our Gen Cyber program. And for your listeners, you can go to gen-cyber.com and learn about how we engage with K through 12. Right. Bringing summer camps to students to get them interested in STEM and cyber type programs. And that's really been extremely beneficial for those students because then after they've completed their high school years, they're often looking
for a university that's got a CAE program. So of those 400 plus universities, whether it's Auburn or others across the country, this is where students can now work at the academic level and focus on a bachelor's degree, master's degree, or even PhD
in cybersecurity related topics. Whether it's cybersecurity, cybersecurity research, or computer network operations, each of those three certifications ensures that those students have the opportunity to be prepared to work directly in a cyber security related or computer network operations related field when they graduate. And I know Auburn is also part of the Cyber Corps program, which is, I think there's only about 100 universities across our nation. We need more that are receiving
Cyber Corps grants. But that's a scholarship for service. So those students are getting a portion of their degree paid for and in turn then they will provide two years of government service, whether it's at FBI, whether it's NSA, CISA. But that's really another great opportunity, especially for those students who may need that extra push to get them through from a financial perspective. And we love having those students come work at NSA just
as an example. You know, and NSA does a lot of amazing things. But one
initiative that I'm impressed with and I don't feel gets a lot of attention is you also have figured out how to bring in neurodiverse students at young ages that quite honestly society has cast aside. But the truth is they're some of the top warriors in the cyber environment, as well as upskilling and reskilling veterans. Given its DoD culture and mindset. Anything you'd like to share on that? I just say diversity is
a powerhouse in our field in national security. And as we are bringing in talent across the United States, we want that talent to represent what the United States represents. So it's really important for us to look broadly at all different opportunities to ensure that we have the next generation of workforce to support the critical missions of signals intelligence and cybersecurity. One other area that I didn't mention that I think is worth
mentioning too is we have a really strong summer Internship program. In fact, for the students of Auburn and other students across the nation who may be competing for a summer internship next year, this is the time to start applying. Yeah, one word of
advice. With clearances and everything else, do it in advance. So the deadlines are in
October. This would be the time now to start looking at the summer internships that we offer across our entire enterprise. It's not just at Fort Meade. We have summer internship slots in Colorado and Texas and Georgia and Hawaii as well. But when you think about this, the students have a chance to work with us, often for about 12 weeks in the summertime. They have a clearance, they're working real mission, they're contributing
to that mission. And the things that, that they create while they're working with us stick. They stay and we use those capabilities. And so it's really very beneficial. And
at the end of the day, the mission, doing something that matters really does matter, does it not? I mean, and you really can't get better insight than working with the National Security Agency to have an appreciation for that. Exactly. I think it's
the mission and it's the people. We have an amazing team. And just, just as a university is a learning organization, NSA is a learning organization. So it doesn't stop. Learning doesn't stop after you finish your degree and start as a, as a new employee. We have development programs for new employees. We have midterm, mid year or mid career development programs. We have senior development programs. So learning is part of your career
at the National Security Agency. And you know one thing, and not to go down
a rabbit hole, but are you thinking about gamification? So when I look at a university, truth is, K through 12 is where it really needs to start. And some of that is cyber awareness. I think everyone needs to be cyber aware. And then we need the special force, those that are actually very deep into specific cyber skills. But, but do you see anything around gamifying? And the reason I bring this up
is again, another infomercial. I, I'm a trustee at the Alabama School for Cyber Technology and Engineering in Huntsville, which is the first magnet school at high school focused on cyber and engineering. And these kids are going on to do amazing work. They're getting cleared before 18, so they have a unique opportunity and carve out in the last National Defense Authorization Act to get to some of that. But do you think that
that plays a role in all this? And I say this not to pick on my university colleagues, but the reality is the technology is moving so fast that you need to be able to keep pace with all of that and have those critical thinking skills in addition to just very exquisite specific skills. We have a number of
different opportunities. Whether it's the code breaker challenge, I think various technologies, as you point out, whether it's simulation or other activities where AI play, AI plays a stronger role in the future of cybersecurity, all is in the realm of the possibility. I will share with you though that we also have some of our gen cyber camps that I mentioned earlier, where we start with this idea of building not only the next
generation of cyber workforce, but also what we might call the multidisciplined language analysts. So as an example, when I was in Denver, Colorado, there's the Denver Language School and this was 13, 14 year old students. They were learning how to program in Python, they were learning robotics, they were learning a little bit of math as well, but they had to speak Mandarin Chinese the whole time. Wow. So bringing together. I can
barely speak English, so that's asking a lot. Yeah, yeah. But bringing the language skills
and the technical skills together presents really interesting opportunities to ensure that we're building that next generation workforce that we need for the future. We also have summer camps for deaf students as well. So ensuring that it's not just in recruiting, but all the way back, as I mentioned, left of launch. Where do you start? We can start in K12. Awesome. And that is unique in so many ways. But I think marrying
that up early is really, really important. And I mean, if you look at the workforce today, it's changed a whole lot. Has it not? I mean, it's not. You still will always have cryptographers, cryptologists, and those fields will always be essential. And obviously in a quantum, post quantum environment that takes on new salience and significance. But it
has changed and I would argue it's pretty cool. And those language skills in particular, I would imagine Mandarin, Cantonese, Farsi, Russian, those are, those are all really important skills today. Yes, absolutely. I mean, when you think about NSA, a lot of folks immediately
go to our code making and code breaking, which is still always going to be,
which is absolutely part of what we're doing. But there's so many different skills that
make up the NSA workforce. It's not just civilians, it's military as well. So when you bring together the power of both our military workforce, our civilian workforce, and then think about the entire enterprise. I had a chance to lead at NSA Colorado, one of our cryptologic centers. Amazing workforce across enterprise and maximizing those opportunities is what it's all about. Awesome. Awesome. Now let's jump to space. Since you brought up Colorado and
obviously where space and cyber come together is a very, I mean, our dependency, whether it's PNT positioning, NAV timing clocks, I think most people would never think are so significant to our national security and our economic security. But where do you see that going in particular? And I think again, NSA is uniquely qualified not only in its Title 50 and Title 10 mission, but it's also in terms of a subordinate command
to all the combatant commands, including Space Force. Yeah. So first I'll break it down
and sort of defining that space ecosystem and how cybersecurity intersects. So I like to look at it as making sure that we're looking both at the ground systems, the user segment, which is like the modems and things like that. The link segment is
critical and the space segment. So that entire ecosystem requires a cybersecurity focus. Often the ground segment is going to be very similar to many of the business systems that are out there and other industrial systems where common vulnerabilities are going to be found, need to be patched, whether it's a edge device or whether it's an operating system. So you'll find a lot of commonalities across the board with ground systems that you
would find in other business systems. Where things start to get a little more unique is when you get into the user segment, link segment and space segment. So in the user segment, you know, we'll just take a chapter from Russia, Ukraine and, and you'll see the attack that happened at the KA-SAT modems. Right. AcidRain being the
malware that targeted the modems. Right. So we've published cyber security advisories for national security systems owners to really focus on the security of your modems as another critical device. Just as you would protect a router, a firewall or a VPN concentrator, you also have to think about making sure that your firmware is up to date on your modems and then that you've configured them with security in mind. So think about TRANSEC.
Let's protect that link. Even at the commercial layer, you can implement TRANSEC along with other national security systems capabilities. We can also put high assurance cryptography in that link to ensure that prying eyes can't get access or understand what's happening across that link. And then when you get into the space segment, it's about having the cryptography on the actual spacecraft itself. And now we have proliferated LEO, low Earth orbit, constellations where
you have many different satellites. So you have to think about mesh communications, the cryptography for mesh communications, the key management for mesh networks in space. So all those different aspects, which is. A little mind bending in understanding how the attack surface grows. Yes, yes it is. But think about a weakness in any one of those areas could present an adversary, an opportunity to either exploit, deny or degrade. And if you're in
the system, you're in the system that hinges around intent, by and large, I think is fair to say. And I think that brings up another issue which gets to the education sets of issues and workforce sets of issues. And we really need to start baking security into the design, as the Cybersecurity and Infrastructure Security Agency would say. At DOE I was part of a major effort on cyber informed engineering. But the reality is you want to, as much as one can, bake that into the design
of our systems. Anything more we should be thinking or doing in that space? Well,
I think it's a great initiative. Secure by design. If you just kind of look, from January till today, we've seen over a dozen major vulnerabilities discovered in a multitude of edge devices from many different manufacturers. So if you think, if, if, if one is thinking that perimeter security is going to protect you, then, then that's not going
to be a winning strategy in itself. In itself. So, so yes, you do need to have secure by design in the edge devices, but then you have to also think about what's next and that's zero trust concepts, the ability to ensure that you take on this idea that you will have a breach on your systems. How do
you limit an actor's ability to move throughout that network? How do you ensure that whether it's through an effective identity control and access management system, ICAM, or whether it's through the data marking and tagging or the micro segmentation of critical information domains and information within a network, or the separation of OT and business systems that you've set your network up, that limits that adversary's ability to pivot inside your network if they
do get access. Absolutely. So I think it's beyond just secure by design, but secure by design is really important. It has to be part of. Exactly. And Space Development
Agency SDA in cooperation with NSA there. What does that look like? Well, I think
what's really important there is Dr. Tournear and I have built a partnership from the start. As he was thinking about putting new capabilities in orbit for the Department of Defense. We started down a path that said, let's do this together. Let's make sure that high assurance cryptography is in place. To protect those areas of the ground system, the user segment, the link segment and the space segment. And when you think about time to market today with a smallsat or a LEO, it's not 10 years, it's
two years. Yeah, it's insane. So you really have to begin early to plan for secure systems because it's not something you can add on later. And launch and everything
else within that brings about new vulnerabilities too, I would imagine. I might put you on the spot here. Should space be designated a critical infrastructure? You know, that's really
more. And I've been very outspoken on that issue. So I say that with. We
don't have to answer that question. It's a policy question. But it's essential, is it not? To our national and economic security and public safety and everything else. Whether it's
air, land, sea, space or cyber, all those domains are critical war fighting domains. And that's why at NSA, as a combat support agency and as the deputy national manager for national security systems, I will be there to support and ensure that those systems have the right level of security to protect those national security systems. Awesome. And space
and cyber are kind of similar to think about. They both are their own domains and their own war fighting domains, but they cut across everything else society hinges upon. So in cyber's case, it's air, land, sea, space and spaces. From space's perspective, it's air, land, sea, cyber. I have a hard time differentiating some of that today because they all kind of do collusion come together, but require very discrete capabilities to defend and
the like. Is that, is that fair? I mean, it makes your head spin a little when you really think about just how big and broad it is. I'd say
all the different war fighting domains and domains we just talked about requires a level of specialty from a cybersecurity perspective. We talked about all the work that we do with the university just to prepare a student to be ready to work in this domain. Same is true in the space community as well. It's a complex area and it's a contested area, much like cyber. So you do have to think about not only what an adversary might be doing to affect operations in the space domain, but
then how do you defend against it, how do you mitigate it? And just because
it doesn't get a whole lot of attention, I think undersea is going to take on greater prevalence and significance in the days ahead because it does kind of all come together. But you sort of mentioned contested domains. Let's jump to the threat environment in as much as you'd like to sort of zero in on how do you rack and stack, how do you see the threat environment from a cyber perspective here? And obviously I think it's multi domain, but let's talk cyber. Sure. You know, I
think what I would say over the course of the last five years we've continued to see state sponsored actors increase in both their sophistication and scale and capabilities and impact of some of their operational. China, Russia, Iran, North Korea. I'd focus
mainly on pretty much everyone else. Right. Anyone who has a military has to have a cyber capability today. So I'd focus on this conversation. PRC and Russia of note,
Volt Typhoon as exposed over the last year and a half. If you go back to 2023 when we published that the cybersecurity advisory, the first hunt guide on a fine living off the land, I think it's really important to take a look at that particular advisory, especially the acknowledgement section. There's about a dozen companies in the acknowledgment that said, hey, we want to come together and be recognized that we contributed to
developing this hunt guide. And that was a bit of a watershed document, wasn't it?
It must have been some very interesting discussions before it was made public. But, but kudos and hats off for doing so because at the end of the day, if you can't get it into the hands of the people who can do something about it. Pretty difficult to defend against, right? Exactly. And additional publications came out February of
2024 to add to the knowledge that was published in May. But this was a different kind of tradecraft because if you think about the PRC from an espionage perspective, you know, property theft, I'm gonna, I'm gonna hack into your systems, I'm gonna steal your intellectual property. There's gonna be a lot of data going over the line. Right.
There's gonna be opportunities for Net Defenders to see a spike in activity. But if it's, if it's an actor, in this case Volt Typhoon, the PRC conducting living off the land. Well, maybe they're only coming in every 90 days to check to see if they still have access for the time of their choosing. And at the time of their choosing, they may choose to do something with that. But it's not going to be very easy to detect unless you give the Net Defenders clear guidance and
visibility through some of the cybersecurity advisories that we published. And to be clear, espionage
is arguably the second oldest profession of all time. That's understandable, but we're talking about the ability to get into a system. And if you're in that system and you exploit it, you can also use it for more disruptive. It's pre positioning. Pre positioning
for. And I think you're living off the land. Your document said it as clear
as that. Pre positioning for a future network attack at the time of their choosing. And some of the sectors that were compromised wouldn't be the normal ones. You understand it if it's a weapons system or looking for plans to build the equivalent of an F22 or whatever it may be, all of which has happened. But this was a little different. That was a bit of an eye opener. I think we all knew it could. But the fact that you actually went out and published and warned
and ultimately gave people remediation plans is huge. Hats off on that. You must have been very early in the job on that too, right? Well, actually, I started in
CSD in. 2020 as a deputy. As a deputy Y. But now let's pivot and do the inverse, because not all playbooks are the same. If you think about Russia, Ukraine, we expected and saw some initial activity from Russia in the Ukrainian war, where cyber attack was their primary means of achieving objectives in the cyberspace arena. So the KA-SAT attack was an example. There were some wiper activities, but we really never saw the big bang. And I think what you see today is a pivot where Russia
has decided that, you know what, espionage is more valuable than attack. Because if I can get the insights I need from Ukrainian networks, I can drive an outcome that benefits Russia on the battlefield. So you can see that actors will choose a different playbook depending on what they need at a particular time and. What outcomes they're trying
to achieve. A kinetic attack on a cyber capability will have the same net effect. Right. And vice versa. And I do think that's a great reminder along all of that is the bad guy has a vote in all of this. So whatever we're seeing now is going to be changing in part based on their desired outcomes and intentions and capabilities. And I'd be curious how we stay up. How does blue. How does red, white and blue in your case, how does the defender keep up with
the evolving threat? Well, from my perspective, one of the most valued things that we
have at the National Security Agency, first is the amazing workforce that we have. And then second, the signals intelligence insights. Turning those signals intelligence insights into actionable cybersecurity guidance is really, I think, where we bring unique opportunities for our nation. But again, just ourselves is not enough. We have to have partners and industry, academia, the Five Eyes partners and select other foreign partners around the globe. This is where the power really
comes together and this is how you help Blue. The best way possible is to bring those insights, share those insights, expose the activity that's nefarious in cyberspace and then ensure that those actors are not getting a free ride. And again, 10 years ago
we'd be wearing auburn orange if we talked about some of these things in terms of naming and shaming. But I think that is part of the calculus that has to be part of the if not deterrent at least to dissuade and impose some consequence on bad behavior. And I think it starts by calling it as it is and I think that is really significant in the past few years. To be able to have discussions like this, I think does cause all boats to rise to some
extent. And none of that's to suggest that the SIGINT mission goes, let's be serious, that still accounts for a majority. This is public information of the President's Daily Brief and I hope will continue to in terms of gleaning information. Dave, what questions didn't I ask that I should have? I think we covered some amazing ground today. I
think we'll continue to publish what we see from the perspectives of CSD and the partners we work with. You know, if I was to take the publications just in the last two years on the PRC, I'd have about eight or nine documents in front of us. And we will make those available, those that
are public. We could actually have a discussion at the unclassified level of the PRC
tradecraft in cybersecurity. More than a discussion, More than a real discussion, A real discussion. We're not done publishing. There will be more. So whether it's publishing on smart guidance for cyber security or actual insights on network, where network defenders can defend, can defend against these advanced persistent threats. That's what we're going to continue to do. And, and
I am a huge proponent not topic of today for defending forward as well since we're never going to simply defend our way out of this problem. And I think it's fair to say NSA Cyber Command and others play crucial roles in shaping that environment. Dave, thank you for your so many years of public service. Thank you for spending some time with us today. In universities, it's publish or perish. So I'm glad you said you're going to keep publishing. Let's keep publishing and thank you for fighting the
good fight. So thank you, Dave. Frank, it's been a pleasure. Thank you. War Eagle. Thank you. Thank you for joining us for this episode of CyberFocus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.