CyberWire Daily - Best of: Daniel Ennis
Episode Date: December 30, 2016

Our podcast team is taking a break this week for the holidays. We’re revisiting some of our favorite interviews from 2016. Daniel Ennis is former director of the NSA Threat Operations Center, or NTOC, and is currently executive director of the University of Maryland Global Initiative on Cyber. We spoke with Daniel Ennis back in July.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
I'm Dave Bittner in Baltimore.
Our podcast team is taking a break this week for the holidays,
but don't fret, we'll be back next week with all new episodes of our show.
In the meantime, this week we're revisiting some of our favorite interviews from 2016. Stay with us.
Daniel Ennis is former director of the NSA Threat Operations Center, or NTOC,
and is currently executive director of the University of Maryland Global Initiative on Cyber.
We spoke with Daniel Ennis back in July.
Take me through your career, and what were you studying in college and where'd you go from there?
Well, I went to the University of Maryland, studied law enforcement
with a heavy dose of history as an aside. Ultimately, first job in the government was
with DEA, Drug Enforcement Administration. I was a DEA agent, spent some time in New York in that space, transferred to NSA into their security element
there as an agent, but ultimately moved over into traditional operations at NSA, SIGINT operations,
which is two missions at NSA, effectively information assurance and signals intelligence.
And in that space, ultimately became the director of the NSA Threat Operations Center.
So take us through the Threat Operations Center. What is the mission of the center?
What are they there to do?
Well, the primary mission is to understand what is in the foreign
intelligence space relative to cyber and actually help the protection of U.S. national security
systems by translating that in working with elements across the NSA and across the U.S. government
in providing information assurance and defensive insights that might help protect those systems.
And who are you partnering with? What are your relationships with industry?
Well, that's the cyberspace that we all live in, the cyber context that we all live in.
Principally working with the FBI and DHS because they have authorities to help in the United States context.
But more importantly, across a broader spectrum than that, working with the private sector,
working with industry groups ultimately, working with entities that have been penetrated,
and for whatever reason the U.S. government believes that we ought to help them.
I mean, at the end of the day, when you start talking about cyber,
well, my principal role was to, or our principal role was to help protect national security systems.
Ultimately, when you have threats against the financial sector
or other sectors, and NSA has relevance in that space, it's incumbent upon us to figure out how
to help. And again, most of that was through DHS and FBI. NSA's got a foreign intelligence mission,
but in that foreign intelligence space, you become aware of information that can help others,
and obviously NSA's got a role in that space.
And so take us through the day-to-day for a person in your position. What kinds of things
were you handling, were you dealing with on a day-to-day basis?
Well, in many instances, when you lead a large workforce, your day-to-day issues are leadership
issues and how you engage in strategy. And that's actually where you want to be.
So my day-to-day was hopefully, for the most part, in the strategic layer,
developing strategies to help the agency and talk the government,
proffer good expertise in the cyber arena.
Ultimately, though, you do become aware of instances or issues that then you engage tactically because it's a threat,
either to one of those national security systems or because it represents some issue that I ought to coordinate with the FBI and DHS on.
So I would say I would characterize mine at the strategic layer, but ultimately you have to keep your finger on the pulse of the workforce? What is it? Not only are there HR issues, but what are the issues affecting cyber
so that you can speak with some sense of the context
and provide leadership at NSA or leadership at FBI, DHS, or other places
what you're seeing in foreign intelligence?
When you look at the various threats that affect both the United States
and on a global level, in your opinion, where does cyber rank?
Where does it fit in?
Well, so, I mean, first of all, you have to look at the context that we're in,
the United States or the world, right?
We live on a digital platform.
I mean, the commerce and everything we do in the United States is on the Internet, right?
I mean, you look at everything that's going on,
and all the innovation that we would anticipate, it's all connected, and we're all connected.
And so if you take that as a given, ultimately, it is one of the highest priority issues,
that being cyber defense. We as a nation are one of the most vulnerable to cyber attacks, to cyber intrusions,
because we are so tied to the internet. I think that if I had to create a construct, I mean,
certainly counterterrorism and issues associated with terrorism take top priority because the
concern about physical threats to U.S. persons and our allies. Certainly counterproliferation, given the problems in that space could create issues
that we all would want to avoid.
But I would put it right up there because of the cyber piece.
I would put it right up there in parallel with those mission sets because we are so
vulnerable as a country, and it is such a part of our future.
When you looked at our capabilities as a nation in terms of defending ourselves, in terms
of being able to handle these cyber threats, what were some of the areas where, I guess
I'm looking for you to contrast, what were some of the areas where you thought this is
an area where we've got it under control versus this is an area that might keep me up at night.
Well, I mean, again, everything's relative.
So I thought we had relative strength in the space at NSA and its primary role of protecting U.S. Department of Defense systems
and ultimately helping others in protection of the national security systems.
That said, given the wide open nature of the Internet and given essentially how both the nation states and criminal elements have proffered and prospered in this space,
I think we're massively vulnerable across all the spectrum.
And so I think that we have strength in our knowledge,
we have strength in our capability. We even have strength in our knowledge as how we apply
defensive measures to protect systems. But there's such a huge vulnerability and such huge gaps,
and we talk about, you know, new zero days being created every day that make whatever element that you might refer to vulnerable.
I think that in that space, you know, we just have a huge way ahead,
a huge mountain to climb if we're going to actually secure systems.
I mean, it doesn't go unnoticed that our information assurance organization at NSA had come out with,
in many instances, you know, hey, these are the top 10
things you should do to protect yourself. But even in that space, most entities aren't even
taking the most basic steps to do that. So it's not just that the vulnerability is there. It's
that even when you represent that you understand how you could make yourself less vulnerable,
how you can close off the possible vectors of attack that you might face.
Most people aren't doing it.
From a business point of view, from a leadership point of view,
as you made your way up to a leadership position at NSA throughout your career,
what kinds of advice do you have for people who are coming up,
just from a purely leadership point of view, from an organizational, operational point of view,
to be a good leader?
What are some of the things you learned along the way?
Well, first of all, it always helps to have a good mission.
I mean, so people want to achieve.
They want to have success.
But they also want to have an interesting job.
I think that the idea that I would sit there every day and turn a screw and that's my job, I mean, that's problematic.
So if you have good mission, I think that's a great piece. And certainly at NSA, we had great, and we do,
and they do have great mission. But I think that great mission exists in the cyber world as well.
I mean, you actually, if you're involved in cyber defense, you're doing great work. You're doing
great work for the country. You're doing great work for the economy. And it can be an incredibly
interesting job. So that idea of great mission and an interesting job.
But what they also look to leadership to do is to stay in their lane. And in certain levels,
leadership has to stay in the strategic lane and empower them to be successful in their own right.
I think that the idea that you don't have to be the technical expert as a
leader. You have to empower those that are the technical experts to do their job. I think that
is a leadership lesson. People have a difficult time when they've grown up as a technical
person ultimately making that transition, but the successful leaders actually make that
translation. They understand the context by which, and you have to know enough of the technical parameters of whatever
the mission is that you're doing to understand it, but you have to make that transition that says,
okay, I'm moving to a leadership level, and I need to empower those folks that understand
the day-to-day activities in whatever mission space that they are in to be successful.
Let them do their job while I provide the strategic infrastructure,
the mechanisms that allow them to do that efficiently and effectively.
I think the other issue is you have to provide feedback to employees.
I mean, the tried and truism is that you counsel in private and you praise in public.
I mean, I think that's huge.
I've heard that people don't leave organizations, they leave people.
I do think that there's a lot of truth in that.
If you can empower your people, you've got good mission,
and ultimately you provide them the type of feedback that they need to improve. So, you know, you counsel them and say, hey, John, Sally, here's where you need to improve in this space. But that's done privately in a constructive manner. And then you praise in public when they've done a good job because people want their peers. They want their family. They want others to understand that they're doing a good job. Not just doing a good mission, but doing a good job.
I think the other issue, frankly, and one that's overlooked at times, is people want to have a little bit of fun.
I think that you have to make the workplace a little bit of fun.
Slide across the odd conference room table and wake people up occasionally if it's gotten too staid, too, you know, people aren't having fun.
But, I mean, I joke about that.
But the fact is that, you know, you have to loosen up a little bit at times.
You have to allow people to joke around appropriately, of course.
But at times you just can't be it's all about mission every day. It is about mission every day, but you also can laugh. You also can have some fun
in that space.
So when people think of the NSA, I think there's this popular, almost sort of
Hollywood version of what the NSA is and what the NSA does. How do you think the public's perception
of the NSA aligns with the reality
of what the NSA actually does on a day-by-day basis?
Well, I think you hit it. There's probably
a Hollywood version. If I go to see a James Bond movie, I want to see bells and whistles, right?
And I think that in some instances, people kind of want to see that. But obviously,
the reality is much different. I think there's also a part of this context is some of the Snowden insights that were provided,
which, by the way, clearly I think he got that a lot wrong.
NSA is an incredibly technically proficient agency,
and I think what we would want them to know, and I'm retired but still love the place,
what I would want the people to know is that they actually follow the rule of law,
that in fact they at great pains strive to follow the rule of law.
We have an incredibly robust process, incredibly robust leadership,
whose job it is every day is to make sure that we are following that rule of law. I
think if you checked with some of the civil libertarians that were a part of the process,
the review process after some of the Snowden information came out, they will tell you that,
you know, if they had a surprise, it was just how much emphasis and how much just true,
pure process that NSA places on ensuring that they follow that.
That's Daniel Ennis, former director of the NSA Threat Operations Center.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.