Intel chief: Biggest cyber target is infrastructure

As the national counterintelligence executive, William Evanina has led the National Counterintelligence and Security Center since May 2014. In that position, he oversees counterintelligence and security for the U.S. government and private sector entities targeted by America’s adversaries.

This juncture in history may be one of the most difficult times to do that job. Today’s espionage is largely virtual, and China and Russia are effective in that arena. The two countries have hacked the State Department, the Defense Department, and the White House in the last year, among other federal agencies.

The most damaging attack was on the Office of Personnel Management, which allowed the China-linked attackers to steal files on more than 21 million people who have applied for security clearances from the U.S. government, including the sensitive SF-86 form that applicants are required to fill out.

As a result, Evanina said he’s concentrating on protecting those whose files were stolen, who are now especially vulnerable to “social engineering” and phishing attacks. The NCSC is, in fact, devoting the last four months of this year to an awareness campaign on those fronts.

The NCSC is additionally responsible for monitoring state-sponsored attacks on American companies, conducting threat assessments, and driving intelligence policies for the U.S. government.

Washington Examiner: Looking at the worst threats the U.S. faces in the cyber arena, what are the top areas in which we need to improve in terms of training and infrastructure?

Evanina: My No. 1 threat that I see here is the threat to our critical infrastructure. That’s vague, but it goes from the energy sector to the financial sector, water systems, bridges, mass transit, you name it. The ability for us to protect our critical infrastructure from a cyberattack manifests itself in the criminal element, to the terrorist element, to the foreign intelligence services.

We have to continually work closely with federal agencies, with our state and local partners, and anyone who’s involved in protecting critical infrastructure to continue to share information that we have so that we can put ourselves in the best possible scenario to protect our critical infrastructure from our adversaries, criminal and intelligence. DHS, FBI work really hard in this realm. We work closely with everyone to provide intelligence.

I think that’s our greatest threat right now. As a democratic society, the free country that we are, it’s very easy to move around. Being free provides us with a lot of vulnerabilities, and we have to continue to work closely in collaboration, federally, state and locally, to protect our critical infrastructure. That’s the No. 1 concern for me.

Examiner: A cybersecurity firm has reported that Chinese hackers have engaged in commercial espionage, even after President Obama’s agreement with President Xi Jinping. What are your thoughts on this?

Evanina: China has been and continues to be a threat to the United States with regard to economic and corporate espionage. On that topic, I will say what I have said historically. As Americans, we get bogged down by the way we look at our government.

We’re clearly, we have separation of powers here and bifurcation between the U.S. government, our private sector, and our criminal elements. They’re pretty spread apart, and they don’t integrate very much.

That’s not the case in China. Countries like China and Russia are all for one, right, so I think any business entity in China would have a hard time saying that they are not state-sponsored. So the idea of having a hacker in China not coordinating their activities or being facilitated by the government of China is probably a stretch.

The symbiotic nature of the government, the criminal elements, and the private sector in Russia and China — they’re all the same.

Examiner: Does the impact of sanctions really outweigh the value that these companies obtain by engaging in commercial espionage?

Evanina: What we do in the intelligence community is provide options on what we can and cannot do, and how we can manifest some efforts on behalf of the intelligence community and law enforcement community. But the administration ultimately makes the decision on what they want to do.

Examiner: It’s been suggested there is evidence that our adversaries, namely China and Russia, have used information obtained through the OPM to compromise American operatives. What have been your observations in that regard?

Evanina: One of my greatest fears is that the information stolen by the perpetrators, no matter who they were, would have the ability to be put in the matrix creating follow-on questions that will allow services in Russia and China to aggregate the data.

Do the Chinese or the Russians have the ability of aggregating data to potentially identify our people? The answer is yes, they do. But there’s no evidence that has been used to target anybody in the U.S. government subsequent to the breach.

Examiner: Former Rep. Mike Rogers suggested there is evidence that the OPM data will eventually be used in a phishing campaign against U.S. officials. What other types of information would you expect a perpetrator to seek before that begins?

Evanina: We believe that the information stolen via the OPM data breach can be used to identify and target individuals in that data breach. The information in the SF-86s that were stolen can be used in combination with other things, like social media, websites including Facebook and LinkedIn to identify individuals who would be vulnerable in phishing campaigns.

Our adversaries can utilize that data to target you and me and others with a spear phishing attempt so that we would click on a link and they would have access to our data and potentially use that against us, blackmail us, and put us in a vulnerable position. So that’s how that process would work.

They would utilize the data stolen to implement a spear phishing campaign against a bunch of people and individuals like myself. So I’m very much more cautious and vigilant about the email that I get because of the data that was taken from the SF-86.

What we’ve done as a result of the OPM data breach, as well as many other data breaches that have stolen [personal information], like the healthcare industry and banks and credit cards, we’ve put together a very comprehensive counterintelligence awareness campaign. It’s being rolled out over four months.

Examiner: It’s been reported that a teenager hacked CIA Director John Brennan and Homeland Security Secretary Jeh Johnson. What do you make of this?

Evanina: The word hack is very vague. When someone says they hacked into a bank or a business or government, or into my Hotmail account, there’s a lot of connotations as to how that happens. Hack could be they stole your identity, they stole your credentialing, got your password, that’s hacking.

They could also send an email and you click a link that allows them to access your computer. So I think people need to understand that the word hack is vague. Sometimes a “hack” is not a hack. It’s someone sending you an email that you click on and you allow them inside.

I think there are multiple facets to the need to understand and be aware of hacking, whatever hacking is, and protect your data. But it’s holistic in nature. It’s having the right firewall, the right protection, the right frequency of password changes, but also being very cognizant of emails sent to you by people who you think you know.

We hear this all the time. When we hear OPM got hacked, Target got hacked, Sony got hacked, someone’s got hacked, they may have all happened different ways. I think in the public sector people think of “hacked” as based on what they see in the movies, as some hacker in high school who’s really good with ones and zeroes hacks into a computer, which goes all the way back to “War Games.” Sometimes that’s the case, but very rarely.

Examiner: DNI James Clapper has said that Russia has greater cyber capability than China, but that they haven’t used it against the U.S. as much. To what extent do you see that?

Evanina: I agree with Director Clapper. I concur with his public statements. I’ll be more specific in my realm of counterintelligence.

The Russians and the Chinese and Iranians and other countries have very robust and very capable intelligence services that will utilize anything they can to facilitate their mission. They’ll do anything they can to facilitate their mission. Cyber is a modality, it’s another way they can facilitate utilization of their mission to collect intelligence against the United States.

Those countries are the most sophisticated adversaries that we have. Their intelligence services are very capable of doing what they do, and cyber is another means by which they do that.

Examiner: How much evidence do you see that China and Russia or other adversaries are sharing information?

Evanina: Whether we do know that or we don’t know that, I probably wouldn’t tell you.

Examiner: What do you see from the Islamic State in terms of cyber?

Evanina: ISIS does possess cyber capabilities, infrastructure, and counterintelligence that concerns the U.S. government.

Examiner: Can you speak to the threat posed by terrorist or criminal groups? Are their methods similar to those used by state actors?

Evanina: Holistically as an intelligence community we do share daily techniques, and patterns that everybody uses in the cyber realms, whether they’re terrorist groups, or criminal organizations, or an intelligence service. Some of our global, I’d say proliferation of this, is fast and it grows every day. So everyone is always trying to learn new techniques and procedures to… mitigate that threat. It’s a daily challenge to keep up with what the technology is out there.

I’d posit to you that every criminal element, and I’d even say domestically whether they’re proliferating children exploitation, bank fraud, they’re organized crime members, or they’re transnational organized crime, or they’re Hezbollah, they’re all looking for the next best thing with not only cyber techniques to enhance their criminal capability, but also protective measures such as encryption. I think 10 years ago we only saw that in our intelligence services that we play against, but now we see that manifested in all other aspects outside the wall.