Enhanced Information Sharing With Industry Key to Deterring Digital Threats, NSA Cyber Chief Says

The federal government needs to further enhance information sharing partnerships with the private sector to counter potentially crippling cyberattacks—particularly as hostile nation states like China pose a growing threat to U.S. interests—the National Security Agency’s cybersecurity chief said during an event hosted by the Center for Strategic and International Studies on Tuesday. 

NSA Cybersecurity Director Rob Joyce said that intelligence agencies need “to continue getting faster at being able to take the things that are sensitive, and get them into the operational space,” where they can be leveraged by companies to patch software vulnerabilities and better defend against specific cyber threats. 

A large portion of this, Joyce said, entails providing private sector entities—such as large technology companies, cloud service providers and defense contractors—with streamlined access to actionable, declassified information in a collaborative environment that ultimately benefits both industry and government. 

Joyce cited NSA’s Cybersecurity Collaboration Center—which serves as the agency’s collaborative hub for sharing unclassified intelligence with the private sector—as a key initiative and model for deterring threat actors and cyberattacks across the nation’s digital ecosystem. He said that the goal of the center “is to operationalize the things we know with the people who could do something about it,” largely by “getting those secrets sanitized to the point they can be actioned” by private companies. 

“We can take and understand a threat, and get it to that ecosystem at an unclassified level,” Joyce said. “And that's the key, because if I give a company a secret at a classified level, most of the time, even if the person receiving it is able to receive it at that level, the people who action it aren’t.”

Joyce said that roughly 300 companies have voluntarily partnered with the center since it launched in 2021, adding that “we interact with many of them on a daily basis.” 

This type of public-private collaboration also benefits NSA’s work, Joyce noted, since companies can also provide “other things associated with that [threat] that we never would have seen because it lives in their ecosystem,” which makes the agency “more effective.” Companies are able to take immediate action to remediate security concerns, while also providing the agency with valuable information about the threats they are seeing. 

“One thing we've found is we can work with one company one-on-one, they can bring their unique understanding, their intellectual property or their perspective to the problem, and then they publish the blog that then illuminates all of the activity they know about,” Joyce said. “And then industry dog piles onto that and continues to tear that thread up. And that's really a beautiful cycle to watch, where it starts from an intel threat to a company that just grabs the adversary hard, and then the whole community piles on and pulls it apart.”

Joyce also cited a component within the center, known as the enduring security framework, as an example of the real-time collaboration being undertaken between agencies and the private sector to address cyber-related threats. Under the public-private partnership, NSA works with industry CEOs and the Cybersecurity and Infrastructure Security Agency to focus on specific risks to critical infrastructure services and national security systems. 

These are “long-term, joint government and industry security efforts,” Joyce said, such as a recent focus on 5G cloud security over the past year. 

“What people often don't recognize is, when you want to do 5G security, you're really talking about the concepts of securing the cloud, because that's how the architecture is broken down,” he added. “And we took telecommunications companies, high tech vendors and brought them together with the government threat expertise and put out a series of how you architect 5G for security.”

Beyond working with agencies—such as NSA and CISA—to identify and mitigate cyber threats, Joyce said that tech firms and companies within the defense industrial base should be working to proactively shore up their cyber defenses and supply chains in response to the potentially cataclysmic scenario of a Chinese invasion of Taiwan. 

Joyce cited the upheaval that some U.S. companies faced as a result of Russia’s invasion of Ukraine last February, noting that “we had a lot of companies who had to endure hard decisions and take rapid action at the time of the invasion.” Some of these firms, he noted, had network segments in both countries and “had to think about whether they severed that or firewalled that” against attack. 

“But think about if you scratched out Russia and Ukraine, and wrote China and Taiwan, how that changes and how much more intertwined and difficult that is,” he added.

Joyce said companies that could be impacted by a Chinese invasion of Taiwan need to “tabletop and see where your pain points are” now, rather than waiting for international tensions to reach a boiling point. 

“You don't want to be starting that planning the week before an invasion, when you're starting to see the White House saying it's coming,” Joyce said. “You want to be doing that now and buying down your risk and making those decisions in advance.”