The debate about the “dual hat” leadership structure of the NSA and Cyber Command has evolved into a study group effort announced by the White House this week to review the fact that “both Cyber Command and NSA have always been helmed by the same military officer, a role currently filled by Army Gen. Paul Nakasone. That practice has been enshrined in law, but has rankled some within the clandestine community who do not believe it’s appropriate for NSA — the country’s largest intelligence agency, responsible for electronic espionage — to have a uniformed chief.” (3)

OODA Loop will keep the membership abreast of the results of that review.  In the meantime, we are not without  plenty of developments over at the NSA which will impact current cyber security conditions and the future of national security, including:

NSA sets 2035 deadline for adoption of post-quantum cryptography across national security systems

The National Security Agency…expects the owners and operators of national security systems to start using post quantum algorithms by 2035…[and[ recommended that vendors start preparing for the new technology requirements but acknowledged that some quantum-resistant algorithms have yet to be approved for use.

Prior to full adoption within the intelligence community and U.S. military, the new algorithmic standards will be approved by the National Institute of Standards and Technology and the National Information Assurance Partnership.

The memorandum includes Commercial National Security Algorithm Suite 2.0 — a new set of cryptographic standards from the agency — and comes amid rising concern about the potential for foreign adversaries to use advanced computing technology to break the public-key cryptography that for years has secured most federal systems.

The agency expects that traditional networking equipment such as virtual private networks and routers adopt the new standards by 2030, and that web browsers, servers and cloud services exclusively use the new algorithms by 2033. (1)

NSA adoption deadlines and new cryptographic standards from the agency follow the NIST selection of 12 companies for implementing quantum resistant cryptographic algorithms.

Details of the NSA Advisory an be found here.

CISA and NSA Publish Joint Cybersecurity Advisory on Control System Defense

CISA and the National Security Agency (NSA) have published a joint cybersecurity advisory about control system defense for operational technology (OT) and industrial control systems (ICSs). Control System Defense: Know the Opponent is intended to provide critical infrastructure owners and operators with an understanding of the tactics, techniques, and procedures (TTPs) used by malicious cyber actors. This advisory builds on NSA and CISA 2021 guidance provided to stop malicious ICS activity against connect OT, and 2020 guidance to reduce OT exposure.

CISA and NSA encourage critical infrastructure owners and operations to review the advisory, Control System Defense: Know the Opponent, and apply the recommended mitigations and actions. For more information on CISA’s resources and efforts to improve ICS cybersecurity, visit CISA’s role in industrial control systems webpage.

NSA, FBI warn hackers are using these flaws to target VPNs and network devices

The US has warned that hackers conducting illicit cyber activity on the behalf of China may be exploiting publicly disclosed flaws in network devices. This may be part of a broader effort to steal and manipulate network traffic, the NSA and FBI warn.  According to the agencies, there are at least 16 flaws in network device software that is vulnerable to attack. The flaws are located in software from brands such as Cisco, Fortinet, Netgear, MikroTik, Puse Secure, and Citrix. The flaws were disclosed between 2018 and 2021, and are all rated as critical.

According to the NSA and the FBI, these flaws are the most frequently exploited by hackers who are collaborating with the People’s Republic of China since 2020. The technique allows threat actors to gain access to victim accounts by leveraging publicly available exploit code against VPN services. The warning was released amid concerns about attacks affecting small business routers, enterprise VPNs, and network-attached storage devices. (2)

Alert (AA22-158A):  CISA Joint CSA  – People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

This CISA Joint CSA is referenced above.  This joint Cybersecurity Advisory was coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). It builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal, and territorial (SLTT) government; critical infrastructure (CI), including the Defense Industrial Base (DIB); and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).

Summary details include:

• Common vulnerabilities exploited by People’s Republic of China state-sponsored cyber actors: PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.
• Telecommunications and network service provider targeting:  PRC state-sponsored cyber actors frequently utilize open-source tools for reconnaissance and vulnerability scanning. The actors have utilized open-source router-specific software frameworks, RouterSploit and RouterScan [T1595.002], to identify makes, models, and known vulnerabilities for further investigation and exploitation. The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. RouterScan is an open-source tool that easily allows for the scanning of IP addresses for vulnerabilities. These tools enable the exploitation of SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting.

What Next?

• Short-term:   For Technical Details, Mitigations, Resources, Additional References, and Contact information, review the Joint CISA CSAs link above.
• The Long-View:  For strategic planning and risk strategy, consult the  “Commercial National Security Algorithm Suite 2.0” (CNSA 2.0) Cybersecurity Advisory (CSA) .

Quantum Computing, Quantum Security, Quantum Communications, and Quantum Sensing will be discussed at OODAcon 2022 – The Future of Exponential Innovation & Disruption in the context of the following panels:

Swimming with Black Swans – Innovation in an Age of Rapid Disruption

Dawn Meyerriecks, Former Director of CIA Science and Technology Directorate

If Yogi Berra were to evaluate today’s pace of global change, he might simply define it as “the more things change, the more they change”. Are we living in an exponential loop of global change or have we achieved escape velocity into a “to be defined” global future? Experts share their thoughts on leading through unprecedented change and how we position ourselves to maintain organizational resiliency while simultaneously reaping the benefits of new technologies and global realities.

The Future Hasn’t Arrived – Identifying the Next Generation of Technology Requirements

Neal Pollard, Former Global CISO at UBS | Partner, E&Y

Bobbie Stempfley, Former CIO at DISA | Former Director at US CERT | Vice President at Dell

Bill Spalding, Associate Deputy Director of CIA for Digital Innovation

In an age when the cyber and analytics markets are driving hundreds of billions of dollars in investments and solutions is there still room for innovation? This panel brings together executives and investors to identify what gaps exist in their solution stacks and to define what technologies hold the most promise for the future.

Postponing the Apocalypse:  Funding the Next Generation of Innovation

What problem sets and global risks represent strategic investment opportunities that help reduce those risks, but also ensure future global competitiveness in key areas of national defense?  This session will provide insights from investors making key investments in these technologies and fostering future high-value innovation.

OODAcon 2022

To register for OODAcon, go to: OODAcon 2022 – The Future of Exponential Innovation & Disruption

Further Resources – Business Strategy and Quantum Computing

OODA Loop has also provided the following research and analysis on quantum computing and the private sector, business models market creation activities:

OODAcast Conversation:  Lawrence Gasman on Assessing the Business Impact of Quantum Technologies:   Lawrence Gasman has researched and reported on quantum technologies from the beginning of the discipline of quantum computing. He is now the President of Inside Quantum Technology (IQT), which provides in-depth business intelligence for the quantum technology industry. IQT also runs several major quantum technology conferences as well as a quantum industry news service.

On this OODAcast we ask Lawrence to provide us with frameworks for understanding the state of quantum computing, quantum sensing, quantum security and the business around each of these major fields.

The Quantum List Updated: Companies leveraging quantum effects for real world functionality and security:  OODA is tracking almost 1300 firms that leverage quantum effects to provide real-world functionality. Of these, we have selected 23 to bring to our network’s attention because of our judgment of the importance these firms are already playing in the domains of Quantum Computing, Quantum Security, Quantum Communications, and Quantum Sensing.

By Design, The Quantum List Companies are Strategically Structured for Exponential Speed and Scale:  At some point, like artificial intelligence, quantum will be “in the midst of a real-world paradigm shift: the final stages  of a decades-long transition from the scientific discipline known as quantum computing (and its various sub-disciplines) into an array of applied quantum computing technologies made more widely available through innovative enterprise architectures unique to the business culture of the technology sector.”  Equally as interesting is that everything is now in place to continue to transform consecutive scientific disciplines (at exponential speed and scale) into the marketplace of solutions for the next few decades.

Exponential speed and scale have started to lose their ‘pie in the sky’ strategic implications and, based on the insights garnered from The Quantum List, are feeling progressively more tangible and tactical with each passing year. What we all intuited (when we first heard of and evaluated the promise of exponential technologies over the last eight to ten years or so, ) is that the next few decades could be (hands-down) one of the most breathtakingly transformative periods in human history.

Stay Informed

It should go without saying that tracking threats are critical to inform your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, and Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences, and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community.