[00:00:00]

Cybersecurity is absolutely critical to national security. NSA is a combat support agency. We're supporting the warfighters.

[00:00:09]

You have sitting side by side, that is US Cyber Command, with the experts from NSA all in one building.

[00:00:17]

Analysts are working the cybersecurity problem together. That's where you get to scale cybersecurity in a way that we've never been able to do in the past.

[00:00:35]

Welcome to another episode of No Such Podcast. My name is John Parker.

[00:00:41]

I'm Brian Fassler.

[00:00:42]

And today we are joined by two very special guests, Dave Luber, Director of Cybersecurity here at the NSA, as well as Major General Jerry Carter, Deputy Director of Cybersecurity for Combat Support. Gentlemen, welcome, and thank you so much for joining us.

[00:00:55]

Thank you.

[00:00:55]

Great to be here.

[00:00:56]

We always like to kick things off by letting our guests tell us a little bit about ourselves. Dave, we'll start with you. What can you tell us about your background?

[00:01:03]

Hey, thanks. My name is Dave Luber. I've been with the National Security Agency for 37 years. I started very early in my career directly out of high school, joined the NSA, and really enjoyed the work that we do. Also had a chance to go to school at night and earn my degrees. Over the 37 years, I've had a chance to work in a variety of missions, SIGINT, cyber security, and today I serve as the Director of Security for NSA.

[00:01:31]

Major General. Yeah. Thank you very much. Again, Jerry Carter. I enlisted in the Marine Corps in 1985. Was fortunate to get a commission through Morehouse College in 1992. So been serving for just shy of about 37 years. And in terms of background, signal intelligence electronic warfare officer, commanded battalions as well as at the O-6 level. And as a general officer, had the opportunity to serve as Director of Intelligence and at various portions of the intel community.

[00:02:04]

When we talk about cybersecurity, could you tell us a little bit about what that means to the NSA?

[00:02:10]

Cybersecurity is absolutely critical to national security. So when you think about advanced cyber actors, whether it's Russia, China, Iran, North Korea, or nonstate actors, it's critically important for our nation to have threat intelligence that helps us navigate all the various aspects of the cybersecurity mission. When you think about national security systems, you think about all the systems that support the Department of Defense, all the systems that support the intelligence community, and also select portions of our federal civilian agencies and departments also rely on national security systems capabilities. Whether it's threat intelligence, whether it's partnerships, or whether it's a focus towards key encryption capabilities to protect our most important national security systems, that's what cybersecurity means to the National Security Agency.

[00:03:01]

Now, when it comes to cyberspace, it seems to be a very fast moving field, particularly in the past 10 years or so. What are some of the changes that you're seeing, and why should our listeners care?

[00:03:11]

Well, first off, I'd say that cyberspace is under constant change. Even as we're recording this podcast today, new vulnerabilities are being discovered, new patches are being applied to systems and critical systems across our nation, and new software is being developed by many different developers across the community. And adversaries are always looking for that advantage to find those vulnerabilities and then exploit those vulnerabilities. So what's critically important for us is to continue to focus on ensuring that we have insights on how those adversaries are developing their tradecraft, how they're expanding their capabilities, whether it's a scope and scale perspective or the employment of new tools and capabilities. So I think what's changed dramatically in the last 10 years is really that scope and scale. When you look at what's happening now, whether it's threats and challenges coming from the PRC or the activities that the Russians are conducting in Ukraine as well from a cyber perspective, all these different areas are demonstrating greater levels of sophistication. The other thing I think that's changed dramatically is the nonstate actor community, whether it's ransomware or hacktivists. You can take a look at the example several years ago with Colonial Pipeline, where a ransomware actor shut down the flow of petroleum on the East Coast of the United States and caused delays and shortages in that critical infrastructure sector.

[00:04:51]

So even the ransomware and nonstate actors have certainly been a big change for us in the last 10 years. Yeah.

[00:05:00]

And if I could, Dave, I think you're absolutely right. And from a military perspective, in terms of how the landscape has changed over the last decade, I would just reflect on the adversary that we were fighting. And so for the military, for the last 10 years, we were postured for this global war on terrorism, rightfully so. It was an adversary that was not that sophisticated, did not rely on technology. And when you look at the world today and now to 2030, I mean, it's a different environment. And Dave, you hit it on cyberspace, in the past, air, land, and sea. But now we add space and cyberspace, which really challenges us.

[00:05:41]

So, Dave, can you talk a little bit more about how NSA has responded to these threats that are constantly changing?

[00:05:48]

One of the big changes that we've made at the National Security Agency over the past four years is really focusing on the threat intelligence that we collect from a signals intelligence perspective and then turning that threat intelligence into outcomes that will drive higher levels of cybersecurity for our national security systems and other critical systems across our nation. What we've learned is that we can separate what we know from how we know it, and then share that information on what we know with many different partners. Those partners can be industry partners, those partners can be foreign partners, those partnerships can also be across the US government. When you have strong partnerships with insights where analysts are working the cybersecurity problem together. That's where you get to scale cybersecurity in a way that we've never been able to do in the past.

[00:06:41]

Now, as a newer employee at the agency, one thing that surprised me as I came in was the number of service members that work with us. Now, Major General Carter, could you tell us a little bit about the military's role here at the agency, and more specifically, your role as a senior military officer?

[00:06:57]

In my role as a senior military officer, my goal is to really sit with the technical experts at NSA, those computer scientists, those data scientists, those engineers, and help take that technical detail down to the Pentagon and translate that into requirements. Threat informed, also out to the combat commanders, but that's a big change that we've seen in the last probably about five years.

[00:07:22]

Yeah, and I'd just add to that. I mean, it is a partnership across our agency between military and civilian leaders and analysts, and operators. And NSA is a combat support agency. We're supporting the warfighters in air, land, sea, space, and cyber. And it's critically important that we can speak with one voice across all of those different areas and then ensure that we're protecting all those different critical national security systems that support warfighting activity.

[00:07:56]

Yeah, and David, you mentioned about the partnerships and some of the key engagements that I'm responsible for from a uniform perspective. Down at the Pentagon, some of our key interlocutors or partners are the DoD CIO, or Department of Defense Chief Information Officer. Honorable Sherman is one that I sit down with on a regular basis, advise as he thinks through providing that best advice to Secretary of Defense. I also say one of the key individuals that I deal with across the services is that responsible cyber advisor. So work very closely with them, highlighting the threats that we see here at NSA to ensure that they're informed decisions as we translate that information to policymakers.

[00:08:42]

A lot of folks think that cybersecurity is just the IT systems that everyone has on their desktop or the servers or the cloud. But in reality, cybersecurity also supports and surrounds our weapons and space systems, both current and future. So it's really important as we engage with military leaders across the Department that we work together as a team to make sure that our current and future warfighting capabilities are secure.

[00:09:10]

We talked a little bit about partnerships with General Carter and the military. Can we talk a little bit about partnerships and their value to the nation as a whole?

[00:09:19]

I always think of cybersecurity as a team sport. General Carter mentioned our partnership with the Department of Defense. But when you look across the entirety of the partnerships, it's throughout the US government, it's partnerships with academia, it's partnerships with industry, and also partnerships with select foreign partners that really helps us scale the cybersecurity mission. When we bring focus with those partnerships, we can do some amazing things to ensure that those actors that I mentioned earlier, whether it's Russia, Iran, the PRC, North Korea, and some of those nonstate actors, are not successful in conducting operations against the US or Allied partners. Some of the key partners we work with in the US government, FBI, the Cybersecurity and Infrastructure Security Agency, CISA, are a couple of key partners that we're working with every single day when we think about protecting our nation from cybersecurity threats.

[00:10:16]

The partnership with the military, how important has that been?

[00:10:20]

One of our most critical partners in the US military is US Cyber Command. When you think about the work that we do between the National Security Agency and US Cyber Command, it's one of those partnerships where we focus on unity of effort. While we have the intelligence mission, Cyber Command has the military mission when it comes to protecting Department of Defense Information Networks and also providing support to combatant commanders around the world when it comes to cyber support.

[00:10:51]

I think that one of the things that I really appreciate now, I've learned over the last year in terms of that partnership, Dave, that you just mentioned is really under General Nakasone's vision, really continuing with General Haugh, is this integrated cyber center. Now, in terms of the partnership you mentioned, you have sitting side by side, that is US Cyber Command, with the experts from NSA all in one building. That's a phenomenal concept.

[00:11:18]

There must be great value in sitting next to each other. Can you talk a little bit about that relationship a little bit more?

[00:11:24]

Absolutely. When you think about it, we have different authorities. But when we have unity of effort, we can bring the capabilities of both partners together to really focus on key cybersecurity issues that we need to solve. We found that bringing together the insights from the National Security Agency, the military capabilities and teams that the Cyber Command brings to bear, really brings great capability for our nation.

[00:11:54]

So looking back, you talked about protecting our weapons and space systems. What does it look like in the future with us protecting that area?

[00:12:02]

So I'll talk about space systems for a second. When you look at the changes that have been occurring across our Department, especially with the advent and use of proliferated LEO, low Earth orbit, architectures to support warfighters. It's been really important for us at NSA to ensure that high assurance cryptography protects all parts of that space ecosystem. So whether it's the ground segment, the user segment, the link segment, or the space segment, NSA is there to support the warfighters as they develop those new capabilities to ensure that we have warfighting systems in space. So one of the partnerships that we've had over the past three years is with the Space Development Agency. Working closely with SDA, Dr. Tournear and his team, we've ensured that over the last year, we've been able to support the launch of 27 low Earth orbit satellites to support Department of Defense capabilities. That includes the capabilities to provide secure communications from that ground all the way up to the space segment, but also bring new capabilities online to really enhance warfighting systems. One of the things we're most proud of in the work that we've done over the past year is to have what's called Link 16 from space, command and control capabilities for weapons systems from the space sector.

[00:13:31]

First ever capabilities in partnership with the Space Development Agency. We'll also support additional 20 launches in the coming year and then more launches in the next year and years out. But it's just an example of how NSA works very closely with our US military to ensure that future warfighting systems are not only meeting the mark, but exceeding the mark when it comes to the cybersecurity aspect, but then also supporting warfighter communications.

[00:14:02]

Dave, can I just add to your point about the military in the future systems? The thing that we see today is the development of artificial intelligence, machine learning, and how we, the capability, can really give us a decision advantage on a battlefield. I spent a lot of time with my counterparts in the services down to the Pentagon, ensuring that they embrace that technology, but it's in a safe and secure way. I've learned a lot of things by serving in just a few months at NSA on what NSA is doing in that area. But Dave, any thoughts about artificial intelligence?

[00:14:39]

Absolutely. Six months ago, we set up our AI Security Center within the National Security Agency, and it has three main objectives. First, detect and counter foreign threats that would impact AI systems that we would want to use in our national security systems. The second is to really focus on developing deep partnerships, deep partnerships with industry, deep partnerships with those across the national security community that would want to use and implement AI for either warfighting capabilities or intelligence community capabilities. Then the last is really to develop and promote best practices in securing AI. If you take a look at one of our cyber security advisories that we published on 15 April, you can find this on nsa.gov, but it focuses on how to deploy AI systems securely. It's one of our first publications that we worked on with CISA, FBI, our teams here at NSA, but then also our Five Eyes partners across the community to make sure that we were promoting that AI security guidance. There'll be more publications to come in the future.

[00:15:53]

I was going to say, can you tell us a little bit more about cybersecurity advisories? Where do people access them and how do they leverage them?

[00:16:00]

Well, first off, you can access all of our cybersecurity advisories at nsa.gov. Really, the cybersecurity advisories are curated and focused insights to take threat information and then drive systems owners and network defenders to the priority items that they should focus on to protect their systems. While they're focused for the national security community, they're also applicable across our critical infrastructure and industry systems. Really, these advisories can be used for many different systems owners out there.

[00:16:37]

You also stood up the Cybersecurity Collaboration Center, where I imagine a lot of those relationships are also leveraged. Can you talk about that a little bit?

[00:16:45]

The Cyber Security Collaboration Center is our unclassified area for which we can engage with industry on a regular basis. Really, the power of those partnerships is at the analyst level. When analysts from NSA and analysts from industry, especially the defense industrial base, can focus on what we see in cyberspace and what we see from those advanced cyber actors, this is where the power of partnerships between industry and government really comes to focus on those particular threat areas. So it's been a tremendous game changer for both industry and government and has allowed us to really scale the cybersecurity mission.

[00:17:28]

I think from a military perspective, why is that important? Because we really rely on many of these industry partners to build some of the capabilities that we're going to use, not only in competition, but in conflict. So going back to our earlier discussion about why is cybersecurity important and why is partnership important, I think you absolutely nailed it, Dave. Thanks.

[00:17:49]

And it sounds like it's a two-way communication channel, right? It's not like NSA is telling everybody else what to do, but we're learning from a private industry. They're bringing to the table intelligence or insight that we as a government agency might not have.

[00:18:03]

Yeah. Let me give you a great example of that. General Carter mentioned living off the land a bit. Back in May of last year, we worked on a hunt guide that allowed national security systems owners and critical infrastructure owners to identify PRC cyber actors that were using normal command line techniques, normal operating system commands to penetrate critical infrastructure systems and other US government systems. And what was critically important in getting that hunt guide together was the partnerships with industry. So if you take a look at that particular publication, there's over a dozen industry partners acknowledged in that publication that contributed to the insights that allowed us then to promote and push that guidance out for national security systems owners and critical infrastructure systems owners to go and protect their systems.

[00:18:59]

Now, looking to the future, say the next 5 or 10 years, where do you see the agency?

[00:19:05]

Some of the key cybersecurity areas that we'll be focusing on now and into the future, really focus on first, development of the workforce. It's really critically important that we continue to develop the future ready workforce in the cybersecurity arena. Second, there's different ways that we have to think about protecting our national security systems. In the past, we would think about protecting national security systems with perimeter defense capabilities. But if you take a look at the activities over just the last year, since January, there's been nine major vulnerabilities discovered in perimeter defense systems. If that's the only way you're protecting your systems, that's not a good plan. So what we really have to think about is zero trust. And zero trust considers that a breach will occur in your systems. But the concepts and methodologies behind zero trust focus on the idea that you can monitor and segment the networks in a way that ensure that if the perimeter or if the systems are breached, that the adversary has limited capability to move within that system to pivot to the critical data that you're trying to protect. So as we work with the Department of Defense and the IC to develop guidance and zero trust systems, that's one of the key things that we're working on with the community.

[00:20:31]

The other key area that we're focusing on is ensuring that we have quantum resistant cryptography to protect our national security systems. And a quantum resistant crypto roadmap really allows us to ensure that if the Russians or the PRC have a quantum computer in their hands in the future, that our cryptography will be safe from being exploited by that computer. Of course, that partnership goes across the Department, the IC, but we also work very closely with the National Institute of Standards and Technology, NIST, to ensure that the rest of the community is also protected from the quantum threat. So NIST is really critical because it's not just NSA that focuses on quantum resistant capabilities. We also have to make sure that industry, other parts of government are also protected from the quantum threat in the future as well.

[00:21:28]

And I would say from military perspective, we talk a lot about partnerships and the value of partnerships. We'd like to continue to see the strength between the NSA and the military partnership. In fact, I would just say the Department is thinking very hard about growing that capability. No daylight between the two, side by side, for all the right reasons that we cited. Then in terms of the future, each of the services are going through a modernization effort. In Marine Corps, it's Force Design 2030. As we think about tomorrow, tomorrow's adversary and tomorrow's fight. Dave, just bring it back to the things you highlighted. Safe and secure communications, and that starts with modern and resilient cryptography. But all those things are pretty important for tomorrow's fight.

[00:22:15]

So as we wind things down for today, are there any last minute takeaways that you'd like to share with our audience?

[00:22:21]

The cybersecurity and importance to the military, it's a big deal. So I've learned a lot since being here at NSA. And the thing that I'm completely focused on is ensuring that we have that resilient and ready workforce, not only changing the culture about how important cybersecurity is, but ensuring that we're building the next generation of leaders, warfighters that not only understand cyber security and its importance, but really embrace it on a cutting edge of this new technology.

[00:22:53]

General Carter, I can't agree with you more because when I think about the people of the cyber security mission, that's the most important part of NSA. That's the most important part of what we do between NSA and the partnerships with Department of Defense and our military. We take the development of our teams seriously, and it doesn't just start when you join NSA. If you think about the partnerships we have with academia, the centers of academic excellence as an example, we have over 470 partnerships with universities across our nation to help ensure that the next generation of cyber experts are getting the training, getting the insights that they need to then come join the US government. So whether it's cybersecurity, cybersecurity research and computer network operations, the partnership with academia helps ensure that we're prepared not only for today, but also for the future, so that the next generation of workforce comes and joins.

[00:23:55]

Dave, I can't help as you give your comments about this ready workforce. Just recently, we had an opportunity to celebrate one of our teammates in the cybersecurity directorate. He was a high school work study, joined us for the summer program, graduating this spring and heading off on a full ride scholarship, thanks to the Department of Defense. That's exactly what we need to do to build this ready, resilient workforce that really understands the technology of the future for tomorrow.

[00:24:28]

I like to think of it working left of launch of a career. And when you can focus universities, when you can focus even K through 12 development through programs like GenCyber, it begins to present opportunities for students to get involved in STEM, get involved in cybersecurity, think about cybersecurity as a career so that when they do decide to join NSA, FBI, or CISA, they're ready to support our nation.

[00:25:00]

Yeah. Fantastic.

[00:25:01]

Dave, Major General Carter. I'd like to thank you both again for joining us today. It has been an honor. Once again, my name is John Parker. I'm Brian Fassler. And this has been No Such Podcast.

[00:25:12]

Thanks for listening to this episode of No Such Podcast from the National Security Agency. If you enjoyed the show, please leave us a review and make sure you're subscribed so you don't miss our next episode. For show transcripts and other information, please visit nsa.gov/podcast.