The National Security Agency plans to issue updated guidance to companies on cybersecurity in the cloud, a senior official said, amid a series of attacks that have targeted service providers in recent months.
director of the NSA’s Cybersecurity Directorate, said that one of her division’s goals is to produce advisories for businesses and other organizations. The advisories will describe attack methods used by nation-state and advanced hackers and will lay out methods to counter them.
“We’ll be coming out with an unclassified advisory on the techniques used to compromise clouds and some mitigation advice,” she said, speaking at the WSJ Pro Cybersecurity Executive Forum in New York on Tuesday.
More from the WSJ Pro Cybersecurity Event
Separate subscription required for some articles.
Prior advisories have included advice on methods used by Russian hacking groups and on vulnerabilities in virtual private networks that are being routinely exploited by sophisticated attackers.
Ms. Neuberger said the NSA aims to publish the advisory by the end of the year.
The directorate was created by NSA head
Gen. Paul Nakasone
earlier this year. It became operational in October, as part of a fusion of the agency’s offensive and defensive capabilities. Gen. Nakasone, an Army general who is commander of the U.S. Cyber Command, named Ms. Neuberger as the directorate chief in July.
The directorate protects the U.S. from foreign threats by sharing insights about specific cyber threats with other federal agencies and the private sector, including information gleaned from foreign intelligence-gathering activities.
Cloud services can bring big security benefits to corporations, Ms. Neuberger said. “One can leverage the encryption and security services that are built up and easier for developers to use in a consistent way,” she said.
Despite these benefits, using the cloud can also carry risks. The NSA’s guidance comes as smaller businesses that use cloud services are increasingly vulnerable to cyberattacks through their service providers. Insurer Beazley PLC estimates that 24% of the ransomware claims that it received during the third quarter of 2018 were found to be caused by a vendor or managed service provider.
“If you want to steal research and development from multiple entities, you can compromise one managed service provider and accomplish a lot more from an espionage perspective,” Ms. Neuberger said.
This new NSA advisory follows previous guidance issued by the agency on cloud services last year, detailing basic cybersecurity precautions that companies should take. An NSA spokesperson said the coming release would be more sophisticated than that document.
The directorate is looking into other emerging technologies that offer both benefits and security risks to companies, such as cryptography that can survive quantum computing, 5G, the Internet of Things and distributed ledgers, Ms. Neuberger said.
Write to James Rundle at email@example.com and Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8