Wanted: Private Sector Help
Print Issue: February 2016
U.S. national intelligence leaders say they know what threats are going to test the nation in 2016, and they are focusing their efforts on encouraging public and private organizations and employees to be the first line of defense.
With awareness campaigns, educational programs, and intelligence-sharing agreements, homeland security and intelligence agencies are showing their hand and turning to the private sector to make the nation safer.
“This is a call for the private sector to continue to drive solutions and share them with the government,” says William Evanina, director of the National Counterintelligence and Security Center (NCSC) and the national counterintelligence executive with the Office of the Director of National Intelligence, in an interview with Security Management. “All initiative and innovative activity happens in the private sector…We need the private sector to have enough guts to drive these solutions.”
The specific challenges facing private security professionals include an attack on critical infrastructure, lone wolf terrorist attacks, and cybersecurity.
At the forefront of national security experts’ minds is the threat of an attack on U.S. critical infrastructure. Evanina explains that a catastrophic attack on the nation’s critical infrastructure could be devastating.
“If it’s the power grid system, or the financial sector, or private companies, do they have contingency plans? Do they have networks built to facilitate alternate power means, or transportation means? That’s my biggest concern: are we prepared for a 9-11 event on a different scale?” he asks.
Evanina points out that even minor incidents, such as last May’s Amtrak derailment in Philadelphia that muddled travel throughout the Northeast corridor, can be paralyzing. “It’s catastrophic,” he said of the rail suspensions. “We’re just that reliant on little things in this country that can cause big problems.”
Drawing on his intelligence background, Evanina adds that another concern regarding a catastrophic event is the paralysis of the intelligence and first responder communities if the cause of the event can’t immediately be determined.
“We’d have no analysis if we can’t identify initially whether it’s a terror threat, explosion, a bomb—is it cyber, is it a foreign adversary, is it something bigger, what happened?” he explains. “A critical infrastructure scenario with an unknown origin is what keeps me up at night.”
Caitlin Durkovich, the assistant secretary for infrastructure protection at the U.S. Department of Homeland Security (DHS), agrees that both the public and private sectors must prepare to cope with low-probability, high-impact events involving critical infrastructure.
“I think we’ve gotten better at handling what we’d call the higher-probability, lower-consequence events,” she tells Security Management. “We’ve gotten good at preparing for natural disasters. I am increasingly concerned about what we used to consider low-probability, high-consequence attacks or events. Whether that is the Internet or a disruption to our GPS systems—frankly, security is becoming increasingly reliant on the Internet, and these types of events can disrupt operations or how businesses do security, and we have to start to think about them as well.”
Durkovich has been the head of DHS’s Office of Infrastructure Protection (IP) for three years. In her tenure, she has focused on mitigating the risks faced by critical infrastructure, such as terrorist attacks, extreme weather, and cyberattacks. She has also helped impart changes to the Chemical Facility Anti-Terrorism Standards (CFATS) program.
Although a large-scale event involving critical infrastructure would disrupt large portions of the country, Durkovich acknowledges that a more common and troubling scenario is an event similar to the November terrorist attacks in Paris.
“We are moving increasingly from the spectacular type of attack—weaponizing critical infrastructure and planes and flying them into buildings—and more towards the call of ‘take whatever tool is available to you, like a gun, knife, or rock, or make your own [improvised explosive device], and you can act on your own accord at a time that you feel is right,’” Durkovich explains.
Tracking down potential lone wolves is a tall order, so Durkovich says IP has been focusing on working with the private sector to prevent potential bad actors from getting their hands on dangerous materials, including bomb-making materials.
“How can we continue to ensure the open operating environment of our malls, sporting venues, concerts, marathons—you name it—while recognizing that the lone offender is harder to find?” Durkovich asks.
One way is raising awareness about chemical precursors—materials that are innocuous by themselves but when combined can create a bomb—among retailers where such items are sold. The Bomb-Making Materials Awareness Program, for example, is a resource for businesses to teach employees to identify precursor materials, improvised explosive device (IED) components, and suspicious purchasing behavior. It also strengthens bonds between law enforcement and local business owners, so managers know what to do if an employee reports suspicious activity.
Another approach the DHS is taking involves regulating the precursor chemicals themselves. Durkovich explains that the CFATS program, which applies to organizations or facilities with a certain amount of dangerous chemicals, regulates how precursors are stored and secured. However, as technology advances, smaller amounts of chemicals can still create bombs, which has provided a challenge for DHS.
“Part of the concern is that over time, it takes less and less of these materials to construct an IED,” Durkovich notes. “Certain amounts of precursor explosives are regulated, but some chemicals such as ammonium nitrate can be found in a cold pack. How do you think about the regulation of something like that? You don’t want to end up regulating people who are buying something at CVS.”
Durkovich emphasized the importance of raising awareness and reporting suspicious activity to balance out the regulation of precursor chemicals—“we want to avoid creating a regulatory environment that is burdensome and difficult to manage,” she says.
The intelligence sector is focused on raising awareness about a less obvious but equally disruptive issue: spear phishing. Evanina says that the NCSC has kicked off a campaign to educate federal employees about the risks of clicking on suspicious e-mails. The issue presents a larger national security threat than many might think, he notes.
“Over the last few years, at least 90 percent of significant breaches have been facilitated by spear phishing successes,” Evanina explains. “Foreign intelligence groups or hostile organizations don’t need to be that sophisticated—they’ll send you an e-mail with a video of your favorite rock star and you click on it and that’s it.”
The theft of personally identifiable information (PII), including credit card and healthcare data, has serious implications for national security, Evanina notes. Bad actors, including countries such as China, are building databases of Americans’ PII to find vulnerable—and valuable—people.
“They’re not going to use this information for financial gain,” Evanina notes. “Here’s a hypothetical situation: there’s an engineer who’s worked for Agency X for five years. That’s all the Chinese knew about him. Now with that agency’s most recent breach, they know he has top secret security clearance and he’s doing classified research. They’ve got his healthcare records and see he has kids with significant medical needs, and he’s in dire financial straits because of that. It all builds up. He’s vulnerable, he has a need for money, and he’s got the technology they want.”
That’s why the fallout from the June 2015 Office of Personnel Management (OPM) hack will be enduring, he explains. The NCSC is working to keep the 21 million victims of the hack prepared for what may be coming years down the road.
The intelligence agency received backlash after the OPM breach when it released a letter stating that its statutory authority does not include identifying IT vulnerabilities to agencies or providing recommendations on how to secure their systems—instead, it is the responsibility of the agency to protect itself from attacks.
“The OPM breach had a huge counterintelligence impact, and the only response by the nation’s top counterintelligence officials is to say that it wasn’t their job,” said Sen. Ron Wyden (D-OR) in a response to the letter. “This is a bureaucratic response to a massive counterintelligence failure and unworthy of individuals who are being trusted to defend America. While the NCSC shouldn’t need to advise agencies on how to improve their IT security, it must identify vulnerabilities so that the relevant agencies can take the necessary steps to secure their data.”
Evanina defends the NCSC’s stance and says the organization is not equipped to dispense cybersecurity guidance. Instead, agencies should follow DHS’s Federal Information Security Modernization Act to protect their networks, he says.
“What we do as part of the intelligence community is gather all the relevant data and intelligence that we see, and provide that intelligence to those agencies,” Evanina explains. “We don’t tell them how to protect themselves against the intelligence, we just say, ‘hey, you need to know that there’s this threat information out there, so take the appropriate steps.’ We are not in the IT security business but the threat and warning business.”
Durkovich encourages businesses to take initiative to protect themselves against emerging threats—both outside attacks and from inside the company’s walls. “At the end of the day, you are only as secure or resilient as your weakest link,” she says. “You may have a very robust business continuity plan in place, but if you have a vendor or someone that does not share the same approach to security and resilience you do, you’re vulnerable.”
And regardless of the threat, Evanina emphasizes the important role private organizations play in securing the country. “For 200-plus years, the government hasn’t solved a whole lot of these problems,” he says. “The private sector has all the talent, skills, and the innovation to help drive these solutions, and we have to find ways to make that work. There has to be a symbiotic relationship, but also the private sector has to stop asking the government for help and start driving solutions and then forcing them on the government.”