NSA Piloting Secure Domain Name System Service for Defense Contractors

The National Security Agency is six weeks into a pilot program where a private third party is providing select companies from the defense industrial base with services to secure their domain name system use.

Anne Neuberger, head of the cybersecurity directorate the NSA stood up in October, shared insights into the pilot during an exclusive interview Thursday, the last day of the Defense One Tech Summit.     

The technology being tested has the potential to drastically change the security posture of small- and medium-sized companies and follows analysis the NSA conducted on how to maximize results given the limited budgets of such entities, Neuberger said. 

“We began a pilot called secure DNS,” she said. “Our analysis highlighted that using secure DNS would reduce the ability for 92% of malware attacks both from command and control perspective, deploying malware on a given network.” 

Neuberger said not many people may be aware of the program because her office likes to focus more on trying a lot of new ideas rather than just talking about them. 

But the effort dovetails with others, such as one looking to provide continuous monitoring services to contractors that undergo the Defense Department’s Cybersecurity Maturity Model Certification program, where third parties play a larger role in protecting entities that work with the department.

Neuberger said her office worked with Defense’s chief information officer in implementing the pilot which could result in “enabling” other companies to provide similar services and bring the fruits of the technology to scale. 

“We partnered with our partners across DOD, for example, the DOD CIO, to both understand what actors might be doing to target the DIB and then that second core part, how to protect against it,” she said. “We partnered with other elements in DOD to roll out a commercial managed service provider, essentially providing secure DNS services to a group of defense industrial base companies to say, is that a model that can help kind of jumpstart security, particularly for smaller and medium-sized companies that may not have the ability to invest the resources or the right skilled personnel.”

Malicious actors could potentially infiltrate networks by adjusting identifiers of devices on the internet and “spoofing” access protocols. Neuberger said the service “essentially filters DNS calls.” 

One goal of the pilot, she said, was to help identify a provider and have companies try the service.  

“The results of the pilot have been very, very successful,” she said. The next step would be “to document and standardize what a secure DNS service looks like, and then enable any number of companies who can meet that standard to offer that service with the goal of really encouraging small- and medium-sized DIB companies” to adopt it.