Vinnie Liu was hired out of high school at the age of 17 by the National Security Agency (NSA) after impressing intelligence-community professionals he had met and befriended on IRC channels with technical skills far beyond his years. The year was 1999.
Twenty-two years later, Liu, CEO and co-founder of offensive security firm Bishop Fox, recently reflected on the NSA's gradual transformation from a little-known and highly secretive intel agency to one that is making overtures to the private sector, including publicly releasing a detailed technical report on a Russian intel agency's hacking team's activities and opening its new Cybersecurity Collaboration Center for working alongside private-sector companies.
Here's an excerpt from his interview with Dark Reading Executive Editor Kelly Jackson Higgins.
The Edge: NSA at one time was jokingly referred to as "No Such Agency." The National Security Agency didn't speak to the press, much less share public information like it did earlier this month about Russia's GRU hacking team, aka Fancy Bear/APT28. What drove this dramatic shift with the NSA now "opening up" and taking a more public-facing role?
Liu: When I was there that was the era [when] you never told anybody what you did. You never told anybody where you worked. The closest thing that you would say was, "I work up at the Fort" [as in Meade], and they might assume you were DoD or military. You would never say it out loud, and even if you did, most people didn't know what it was until that movie Enemy of the State came out with Will Smith.
Everybody always thought about CIA and FBI; NSA was this sort of happy-to-be-super-discreet-in-the-background branch kind of combat support agency. I think it's an inevitability that the NSA, given the importance of its role and what it's doing, will be in the public eye because of its mission.
The Snowden leaks really made the NSA a household name ... you couldn't turn on the news and not hear about that for 12 months basically. And, subsequently, a number of other incidents have made the NSA and its involvement in various activities, especially in cybersecurity and [uncovering] cybercrime, a lot more on the forefront.
[NSA] "old timers" like myself might have been trained in a very different way about how to interact with press and the media. The reality is there was never a choice, really, for any organization that's dealing with something as critical as the nation's infrastructure to be able to just go and stay hidden under a rock hoping nobody would come and bother them.
The Edge: How did the ShadowServer leaks, especially EternalBlue, shape NSA's current shift to providing threat information to the private sector?
Liu: It was definitely a pie in the face for the NSA. I think it definitely caused them to revisit their policies around the exploits and the vulns -- a further refinement of it. The most important thing it did was wipe away sort of this image of infallibility of the NSA. You're still people making mistakes that anybody can make.
The Edge: What is the significance of the NSA's teaming up with CISA and the FBI in their warning about brute-force attacks out of Russia, which exposed TTPs and IoCs of the nation-state group? How does it exemplify NSA's evolution?
Liu: It's a new mission. NSA for a long time was chartered with signals intelligence and information security. Signals intelligence was gathering intel on foreign adversaries. Its information security role was to protect DoD and government infrastructure, but not private industry. Honestly, that's evolved over time. In the last 12 months, the NSA has been beginning to share more information about different threat actors -- specifically from Russia -- around different vulns they are taking advantage of.
They are releasing a report [on the GRU] that's like one you'd almost expect to see from Mandiant or CrowdStrike. And it's really, really credible coming from the NSA ... and it's what people expect them to do but being specific about what to look for and what they're seeing really is valuable. The challenge is how to get that out and operationalized for all companies. It's not just the Fortune 100 that needs it; it's every company these days relying on digital infrastructure to operate. And that's gonna be a big challenge: How do you get it out there?
The Edge: How can NSA earn the trust of private industry about sharing threat/attack information and threat intelligence? How can NSA convince them they will get fair sharing?
Liu: The NSA's mission has evolved now to also help private industry protect itself by sharing information.
So the nature of the mission allows NSA to potentially have more of an impact on a proactive stance, and I think that's the cool part of what they're doing with the Cybersecurity Collaboration Center. The information NSA released in collaboration with the other agencies is an example of the direction everyone hopes they are going in.
I hope they ... continue to lean in more in the threat area and experiment more in sharing that information. It's always a really delicate balance between giving up tradecraft and knowledge while helping people protect themselves. I get the sense they [decided to take this approach] even if it means giving up some of their tradecraft and information because, net-net, it's better from a mission perspective ... it lets them directly help private industry, and puts us even farther ahead.
The Edge: How significant is the formation of the Cybersecurity Collaboration Center? Does it actually mean much to midsize or smaller organizations? Or is it just beneficial for large organizations?
Liu: Now the NSA is able to operationalize this and distribute it to more than the Fortune 100.
Let's make it something different, something that can actually get to the midmarket organizations or SMBs served by MSPs so they can get protection somewhere, even if it's somehow trickled down or passed through. But NSA's capabilities and knowledge, tactics, and techniques are nation-state caliber: They're one of the best in the world. So of course everyone could learn from them.
Conversely, I would say there's actually a lot to be learned [by the NSA] in the other direction as well.
They need to treat non-big companies as customers and reach out and figure out how they can consume and utilize the intelligence you are willing to share, and go figure out how to get it in front of them so that it's useful immediately -- actually understand how 95% of the rest of the industry needs to be using [intelligence] as well.
The Edge: What does the more public-facing, private-sector-collaborating NSA mean for its major nation-state adversaries like APT28?
Liu: Every situation like this, whether it's people battling over control of an operating system or of networks at scale, always boils down to a cat-and-mouse game. It will forever be a cat-and-mouse game. This is another way that you're raising the bar, making it more difficult, and the attackers will continue to evolve. But that is the game you've signed up for. You have to continue to play.
Defenders just need to do a handful of things to really improve their security ... so that only the top 10% [of attackers] could get in: multifactor authentication, making sure you don't have bad passwords, patching, and just configuring existing options within existing software that you have the right way so it can't be taken advantage of.