Private sector told to step up defences against spying
U.S. counterintelligence official says government can’t address issue alone
WASHINGTON— The U.S. government’s top counterintelligence official on Monday challenged the private sector to step up and take responsibility for protecting its systems and sensitive data from foreign spying.
William Evanina, director of the National Counterintelligence and Security Center, said that “with the private sector and democratic institutions increasingly under attack, this is no longer a problem the U.S. government can address alone.”
The solution requires “a whole-of-society response involving the private sector, an informed American public, as well as our allies,” said Evanina, in remarks accompanying the release of an unclassified version of a new counterintelligence strategy.
It came the same day as the Justice Department announced indictments of four Chinese military hackers in connection with the 2017 hack of the credit reporting agency Equifax, a massive breach that exposed the personal data of nearly half of all Americans.
“You have a military intelligence apparatus conducting a nation-state attack on a private company,” he said. “We have to be able to recognize that as a counterintelligence issue — not a cyber issue.”
Abig focus in the new strategy, which updates a 2016 plan and covers the next three years, is on the private sector and on defending the supply chain. The latter is a diverse ecosystem of suppliers who furnish cloud services, communications network components and other products that are integrated into the operations of the private sector, including defence contractors, as well as local, state and federal governments.
The threat was highlighted in late 2018, when the United States indicted two hackers accused of working on behalf of the Chinese Ministry of State Security to compromise cloudservice providers in a long-running industrial espionage operation dubbed Cloud Hopper.
The hackers allegedly compromised the tech firms to steal intellectual property from their dozens of clients in the aviation, pharmaceutical, oil and gas, and manufacturing sectors.
The public and private sector have improved their cyberdefences, but adversaries have adjusted and become more sophisticated, Evanina said.
“Now we’re going to have to up our game as well.”
The intelligence community’s role is to develop new sources of information and identify suspect or high-risk vendors, products and services that pose a risk to national security, the strategy states.
Evanina said the government, when it has useful intelligence, will alert companies and organizations they are being targeted.
But it cannot take the lead in protecting the private sector, which includes academia and think tanks, he said.
“They have to be proactive … self-police,” he said.
Evanina said he and his deputy briefed 1,400 corporate chief executives last year on the threat. “We’re trying to get them to understand the consequences” of inaction.
He urged them to identify assets that foreign adversaries might target, hold tabletop exercises to prepare for a breach, and have a crisis strategy in place.