The U.S. government's actions to disrupt Russia's attempted cyber incursions into the 2018 midterm elections took place in part in a newly constructed Joint Operations Center (JOC) on the National Security Agency's expanding Fort Meade campus in Maryland. Efforts to protect the 2020 elections are expected to follow a similar drill.
Located in the middle of the Cyber Integration Center — a 380,000 square foot, $520 million building whose construction was completed last September — the JOC links two adjoining facilities where NSA and U.S. Cyber Command personnel reside. A massive floor dotted by pods of desks and dominated by three curved, 20-foot-tall screens, the JOC is run by roughly 200 civilian and military officials who work 12-hour, rotating shifts — 24 hours a day, seven days a week, 365 days a year.
"One of the first activities that were run out of here was NSA and U.S. Cyber Command support to the 2018 elections," said Colonel Stephen Landry, a senior officer in the NSA's recently launched Cybersecurity Directorate. That included support, he said, to the Russia Small Group, an election security task force comprising NSA and Cyber Command officials that was created last year by General Paul Nakasone, who heads both agencies.
The Russia Small Group was instrumental in carrying out an offensive cyber operation that took the, a Kremlin-linked troll farm known to have waged an influence campaign in 2016, offline ahead of the November midterms. Nakasone has since publicly touted the success of the group, made it a permanent fixture, and said its approach in 2018 would serve as a model for 2020. (Its members are scattered throughout NSA and Cyber Command, not physically concentrated in the JOC.)
Landry, who spoke to a group of reporters invited into the facility earlier this month, said officials from the FBI and Department of Homeland Security (DHS), as well as representatives from the Five Eyes intelligence-sharing alliance, also work out of the JOC. Having everyone in one place, he said, helps create "shared situational awareness."
"That's the key of this facility being integrated," he said. "Don't want to have one agency know about something going on and the other agency not. So just sharing that information in real time without having to worry about picking up a phone, finding a phone number, sending an email ... It is all done in one facility now."
Hanging over the JOC is an elevated conference room called "The Bridge," where NSA and Cyber Command leadership and staff meet and receive briefings throughout the day. One long, floor-to-ceiling glass wall can be instantaneously frosted to obscure or reveal the floor below.
The JOC also has a command post for defensive cyber actions and provides support for what Landry calls "crisis contingency operations" — nation- or sector-wide events that would require a rapid cyber response. Such a response would be coordinated from the JOC. However, as is the case with most significant cyber operations, including election security efforts, multiple government agencies and international partners would be involved.
Personnel working in the JOC "have been charged to discover, analyze and disseminate cyber information throughout the government," including the Department of Defense, Landry said. The center "has constant communications with the Pentagon," he said, "as well as all of the combatant commands throughout the world."
One of the giant screens at the front of the JOC is usually dedicated to classified information and metrics used by the NSA's Cybersecurity Directorate; the other to Cyber Command's missions. The middle screen shows a "common operating picture" shared by both agencies, Landry said.
He and more than one other NSA official also expressed particular enthusiasm for the fact that the operations center has windows — in this case, a single row of narrow panes stretches across the ceiling, far above eye level. The view is mostly of another part of the building's exterior, though a sliver of sky is visible at certain angles.
"That's the one thing that's very unique to a Top Secret facility, is to actually have windows," Landry said. "In fact, this is the first one I've ever been into that actually has windows in it."
Letting in daylight
The famously secretive NSA is beginning to let in more metaphorical daylight in other ways. Its Cybersecurity Directorate, which launched on October 1 and is expected to become fully operational by the end of the year, is charged with reinvigorating what has been a longstanding mission: to protect government, defense and private sector systems from cyber attacks.
It will do that, in part, by sharing more unclassified threat information more quickly and, when possible, more broadly, the officials leading it say.
"This is a little bit of a different approach for us from the 'No-Such-Agency' approach," said Anne Neuberger, who was tapped by Nakasone to lead the directorate this year.
Having joined the NSA from the private sector almost a decade ago, Neuberger served as the agency's Chief Risk Officer in the aftermath of the 2013 disclosures by Edward Snowden and, more recently, led the NSA team that made up the Russia Small Group.
"Applying all of the lessons that we learned here with the work that we did in the 2018 midterm elections," she told reporters, "We realized that we really needed to — in order to make threat intel useful — we needed to operationalize it."
Less than a week after it launched, the directorate issued its first public-facing cybersecurity advisory, warning that multiple nation-state hackers were targeting vulnerabilities found in virtual private network (VPN) devices. The NSA's advisory followed similar warnings from government agencies in Canada and the United Kingdom, both of which are part of the intelligence-sharing Five Eyes alliance that includes the U.S.
Neuberger said the context and practical details the advisory offered was indicative of the kind of work the directorate intends to do.
"What we recognized is we are all human," she said. "When we know the context of the 'why something matters,' we will act much more quickly on the recommendation."
Neal Ziring, a 30-year NSA veteran who now serves as the new directorate's technical director, said the growing universe of targets and the increasing sophistication of adversaries' capabilities posed unique challenges for the agency's cyber defense mission.
"What I think I have seen over my time in cybersecurity is, historically, you used to see a nation state spent their time attacking a nation state to gain intelligence," he said. "And now we are seeing a broadening of that."
Strategic competitors like China, Russia, Iran and North Korea still pursue government targets, he said — but they seek out a different way in.
"They will also go after companies and they will go after universities and nonprofits and civilian government agencies and state governments," he said. "That changes the game in terms of how an organization like NSA or folks we partner with, like DHS and FBI, how we have to confront them all."
Opening up the "black box"
While a clear, though still not comprehensive, picture of Russia's efforts to influence the 2016 election has publicly emerged, comparatively little is known about election interference attempts that were made by Russia — or any other actor — in 2018.
And while the U.S. government issued a now-infamous warning about Russia's activities in October 2016, no such warning came as the 2018 midterms approached.
Neuberger said the agency weighed heavily the merits of making any public disclosures about potential threats that, she said, could themselves undermine the public's confidence in the voting process. "Trust is a really hard thing to regain once it is taken," she said.
"That was something we thought hard about ... how to maintain election integrity and that trust of the American public, and how to balance warning of what could be, versus doing one's best to prevent it from becoming reality," Neuberger said.
She said she also recognized that the NSA itself, after Snowden, would have to address an enduring trust deficit.
"A black box is not trusted," she said. "The average American is a thoughtful, thinking person, and they want to know what's in the box. They want to know that the people who work there operate by the same set of values they have."
While the NSA's foreign intelligence mission — which is separate from its cybersecurity mission, and involves surveilling and intercepting signals and communications overseas — is unlikely to see any additional public exposure, the agency is taking otherwise uncharacteristic steps to reveal more of itself.
The relative visibility of senior NSA officials — including Neuberger and Nakasone, who have made frequent public appearances since assuming their respective roles — comes as other intelligence community leadership has in large part retrenched. CIA Director Gina Haspel has made public remarks only twice since her confirmation last May.
The NSA has also nearly doubled its communications team, from eight to 13. Two full-time staff members run its growing social media presence, which includes a Twitter, Facebook, and, as of last month, Instagram account.
The latter has posted five times and garnered just over 1,600 followers — still a fraction of the more prolific CIA account, which gained 240,000 followers since launching in April. Their Twitter accounts have similar disparities — 600,000 and 2.5 million followers, respectively.
Ziring said he was working to change some of the culture inside the agency, too.
"For us to be most effective at the mission that the nation's asked us to do in cybersecurity, we have to be out there," he said. "We have to be working with universities. We have to be speaking at conferences. We have to be writing guidance."
"It's not an option, it's not a 'nice-to-have,'" Ziring said. "If we're going to be effective, we have to be out there and open about the cybersecurity part that we play."