NSA official stumps for information sharing

In a rare public address, an NSA official told Black Hat attendees that information sharing is the key to better information security, both for the government and for enterprises.

Few government organisations have the aura and mystique of the National Security Agency, and it's well-earned. The NSA is the most secretive of the US's intelligence agencies, and it's rare that any of its officials speak publicly. So the speech by Tony Sager that kicked off the Black Hat USA Briefings offered a rare peek behind the curtain at Fort Meade's vulnerability information-sharing programme.

Sager, the chief of the vulnerability analysis and operations group in the NSA's Information Assurance Directorate, has been in the business of finding and fixing vulnerabilities for 30 years. He said that the major difference between today's security landscape and that of the 1970s is the ability to share data and ideas with a large community of practitioners.

"When I started in 1977, it was a government monopoly business. The government cared about security, the government controlled the technology, knew what the bad guys looked like and could pay for the technology," Sager said. "We could overwhelm the problem with technology.

"Those days are gone. Now, we're in the game, we're in the fight. The way we think about the vulnerability problem is as a full-spectrum problem."

Like many security professionals, Sager said he and his team have faced the challenge in recent years of trying to translate important security and vulnerability concepts into plain English for business leaders, technology buyers and end-users. Sager's group spends its time identifying and trying to fix software and network vulnerabilities, but making those efforts understandable to the rest of the organisation can be difficult. However, doing so is vital to the success of any security professional's efforts, Sager said.

"When I started in this business, you could make a good living poking holes in people's products," he said. "The time has come for us to translate that into actionable intelligence. It changed because we started talking about things like registry settings that operational people care about, and business problems that the leaders cared about."

To that end, the NSA began working with other information security groups in the Department of Defense -- as well as in the government at large -- to develop methods for sharing vulnerability information, reporting and remediation. His group, along with teams from the Department of Homeland Security, the National Institute of Standards and Technology (NIST) and other agencies, developed a model called the Information Security Content Automation Program, which is a method for using open standards and tools to automate vulnerability management and assessment. It includes a number of checklists and a specific protocol for information sharing.

The group also puts on a number of events throughout the year to train security professionals in the use of the program.

Sager urged security practitioners to make the effort to share information with their peers and with their executive teams.

"This is a business that's been about folklore and reading Bugtraq," he said. "We're too big for that now. We can't do that anymore. The key for me has been linking geeky security stuff to other business areas."
