The Office of the Director of National Intelligence will release a new counterintelligence strategy next Monday that takes a long-term approach to nation-state threats.
Bill Evanina, the director of ODNI’s National Counterintelligence and Security Center, said the strategy will focus on a “whole of society” response to these threats that extends beyond the federal government.
“We’re going to look at everything and say it’s no longer just a government issue, it’s everyone’s issue,” Evanina said Tuesday at an Institute for Critical Infrastructure Technology conference.
The upcoming strategy responds to what he described as a particularly “horrible year” in 2019, citing a growing number of indictments, arrests, and convictions of security clearance holders, as well as a rise in the theft of intellectual property and trade secrets.
“What we’re trying to do is slow the word down — ‘counterintelligence’ — to really be ‘countering intelligence.’ Counter the intelligence collection of our adversaries, break away from just ‘spy versus spy,’ because that still does exist,” Evanina said.
In previewing the upcoming counterintelligence strategy, he said insider threats remain the “number-one threat facing our nation, both inside the government and outside.”
“We need to expand not only the accountability, but the authorities and awareness of who’s responsible where we work for protecting our intelligence,” Evanina said.
Looking at all the breaches of personally identifiable information over the past decade, for example, Evanina said the vast majority of those breaches trace back to Chinese hackers using simple spear-phishing tactics.
In order to mitigate insider threats, ODNI and the Office of Personnel Management have proposed major changes to the federal personnel vetting system through an initiative called Trusted Workforce 2.0.
The initiative, which is focused on the “continuous vetting” of security clearance holders, is expected to arrive through several changes to policies and procedures. Defense and intelligence officials projected those changes would be due at the end of last year, but Evanina said the rollout would happen “probably in a week or two.”
“Since the Forties, we’ve had a human resource process and a security clearance process. You would go through this first, and then it would have been thrown over the fence. We are merging those together now, so that it’ll be done at the same time,” Evanina said.
Nearly a decade after ODNI created a National Insider Threat Program under a 2011 executive order, agencies have made significant progress standing up their own insider threat programs. But as part of the new strategy, Evanina said private industry should also take steps to mitigate insider threats.
“As we drive the new strategy, I think CEOs and boards of directors have to mandate a fundamental enterprise-wide security construct,” he said. “The security of your company can no longer just rest at the feet of the [Chief Information Security Officer] and [Chief Security Officer]. It now has to include the CIO, the chief data officer, the chief privacy officer, the general counsel, the head of human resources, and the head of procurement and acquisition. And I’d proffer that, at least once a quarter, get all of those folks in a room in one building … and talk about the threat that we face as a company.”
While IP and trade secret theft account for serious financial losses that approach $500 billion, Evanina said the government and the private sector have not yet reckoned with the “existential threat” nation-states pose to national critical infrastructure.
“We have not felt the pain yet. And I don’t want to get to a place where we have, as someone in the intelligence community would say, the ‘Cyber 9/11’ – you know, the heat goes off in three cities in January. I don’t want to get to that point. I want to get to a point where we understand the criticality of that.”
The president’s National Infrastructure Advisory Council (NIAC), in a report last December, urged the Cybersecurity and Infrastructure Security Agency and its agency partners to consolidate its multiple information-sharing and supply chain risk management endeavors in the event of a major cyber emergency.