Secretive NSA opens doors to new “collaboration center” as cyberthreats mount

Fort Meade, Maryland — One of the most notoriously secretive U.S. intelligence agencies has opened a new facility that it hopes, uncharacteristically, will welcome plenty of outside visitors.   

While most of the National Security Agency’s (NSA) outposts are closed-off, highly restricted spaces, the agency’s newly launched Cybersecurity Collaboration Center, located a few miles outside its main campus in Fort Meade, Maryland, is meant to serve as a gathering point for government and private sector cybersecurity experts to exchange information about hacking threats from adversaries in real time.  

Its opening — including to members of the press, who were invited to visit the space on Tuesday — comes as massive cyber incursions and multiple ransomware attacks have roiled U.S. government agencies and private sector companies, and amid an admonition from the NSA that it can’t effectively protect what it can’t see: vulnerabilities in domestic networks.  

General Paul Nakasone, who leads both the NSA and U.S. Cyber Command, has said repeatedly in appearances before Congress that the two organizations, which are authorized to operate outside of the U.S. to track and counter foreign threats, are limited by U.S. laws and policies in what they can observe internally.  

“It’s not the fact that we can’t connect the dots. We can’t see all of the dots,” Nakasone said in public testimony in March. Adversaries “understand that they can come into the United States, use our infrastructure, and there’s a blind spot for us not being able to see them.” 

“Being able to identify and being able to fix those areas are part of the resiliency of the nation that has to be addressed,” he said.  

The 36,000-square-foot Cybersecurity Collaboration Center, run by the NSA’s recently restructured Cybersecurity Directorate, is designed to be at least part of the fix. The agency has invited cybersecurity experts from a range of industries to sit side by side with agency analysts, share what they see on their computer networks and thereby help hone the tradecraft needed to identify and counter foreign cyberthreats.  

“[I]f we’re able to combine our insights with what they’re seeing in their apertures, we’re going to have a better comprehensive picture of what the adversary is doing,” said Morgan Adamski, the chief of the center. She declined to name any of the partner companies or offer details on the number of relationships the NSA had established to date.

While the building itself is an unremarkable exemplar of industrial flex office space, it stands worlds apart from other NSA facilities by virtue of having Wi-Fi, open work areas and lots of windows. 

There are some classified spaces available for partners with security clearances to use, but there are also elements of flair that are uncharacteristic of the NSA. There is modular furniture. Columns are emblazoned with one-word slogans like “Transform” and “Imagine.” There are cushy chairs upholstered in a vibrant persimmon. 

“You will notice it is not the custom ‘NSA beige’ color,” Adamski said. “What we wanted to do was ensure that our space felt like the cybersecurity industry that we’re partnering with.”  

Though it hadn’t yet opened physically, one of the center’s early mitigation efforts, Adamski said, involved the NSA’s disclosure in January of 2020 of a critical vulnerability in Microsoft Windows 10. It was also behind a subsequent public disclosure, in April, of a series of vulnerabilities in the Microsoft Exchange email app.  

The disclosures were notable for how far of a departure they were from how the NSA was used to operating. In the past, the agency likely would have kept any software vulnerabilities it came across to itself, for possible use as tools to spy on adversaries. Its leadership has since acknowledged that the exponential growth in cyber threats and the need to partner with the private sector have meant transparency — once an anathematic notion — would need to become the norm. 

“It’s clear that things have to change,” said Rob Joyce, a career cybersecurity official who now leads the NSA’s Cybersecurity Directorate.

“The ransomware issue has hit the general population and cyber threats have spilled over from the digital realm into the physical realm, and all of us, as a consequence, either stood in line for gas, or drove by gas stations without fuel,” Joyce said, referencing the attack, attributed to Russian cyber criminals, on Colonial Pipeline last month. “It is the culmination of the recognition that we’ve had for years that the things we’re attaching to the Internet that control things in the physical world bring vulnerabilities.”

“So as that threat evolves, we have to evolve,” he said.

Joyce, who succeeded Anne Neuberger, now the deputy national security adviser for cyber and emerging technology at the National Security Council, said the NSA was also drawing increasingly on its foreign partnerships, including the Five Eyes intelligence-sharing alliance, for insights into how malign actors are operating.

“What we’re finding is all our allies, whether it’s across NATO or more broadly, have these same cybersecurity threats and they want to work with us, and one of the most common areas of desire for collaboration is on cybersecurity,” Joyce said. “So we’re pushing at an open door with foreign partnerships.”

Earlier this month, the U.S. and European Union pledged to deepen existing cybersecurity information exchanges. And notably, President Biden and Russian President Vladimir Putin — whose government has been known to launch cyberattacks, engage in cyber espionage and to countenance the operations of criminal groups operating on Russian soil — said following a summit last week that they had agreed to start “consultations” on cybersecurity matters.

Joyce said the NSA would inform, but was unlikely to participate in, any talks with Moscow.

“I would not expect NSA to be directly involved in big policy discussions of cybersecurity. There [are] other entities in the government that are going to do that international policy,” Joyce said. “But we will absolutely use our threat-informed mission and NSA’s reporting to inform those policymakers, and others in the executive branch who would lead negotiations and engagement.”

“What we’re finding is all our allies, whether it’s across NATO or more broadly, have these same cybersecurity threats…”