The strategy requires the intelligence community to think of the private sector as consumers of its threat information.
The Office of the Director of National Intelligence will take a “whole of society” approach intended to encourage greater private-sector participation in protecting the country from cyber threats, according to a leading official, who said a related strategy document will be published Monday.
“As the new strategy gets rolled out Monday we are going to take a look at a whole of nation approach, a whole of society approach to defending what we believe are true to our values, our laws, our morals,” said Bill Evanina, director of ODNI’s National Counterintelligence and Security Center.
Evanina spoke Tuesday at an event hosted by the Institute for Critical Infrastructure Technology.
His announcement is in line with pledges by government agencies such as the Cybersecurity and Infrastructure Security Agency and the National Security Agency to share more contextual information about cyber threats—without sharing classified sources or methods—with industry.
Evanina said the president signed the 2020 counterintelligence strategy for America on Jan. 8, and characterized it as representing a “paradigm shift” while also acknowledging that the intelligence community is playing catch-up.
“[The Homeland Security Department] owns a lot of this space, [working] with industry,” he said. “The intelligence community is reliant about collecting information, the transfer of that intelligence to DHS, to the Department of Energy, to Treasury, through existing [information sharing and analysis centers]. I think we’re going to have to take a look at that paradigm and maybe amp up our game.”
He added: “I think right now the intelligence community is going to be forced, and is probably late to this, to look at the private sector as a constituent of the information we collect. We haven’t necessarily done that.”
Evanina is counting on private-sector entities to use such actionable information to improve their defenses amid rapidly changing technology, but during his remarks, he highlighted ways the industry is still falling short of implementing more traditional and basic practices.
“The old construct still exists—insider threat still today is the number one threat facing our nation,” he said, but noted “only 34%” of U.S. companies have an insider-threat program.
He also cited recent reports that found 78% of industry chief information security officers admitted to clicking on a link that hadn’t been validated, even though the majority of breaches are caused by spearphishing.
Industry representatives have argued against regulations, saying they already have every incentive to protect their systems, given the hit their reputations would take in the event of a breach.
But Evanina said the opposite is true.
“The pain threshold isn’t there right now, as companies keep making profits” after breaches, he said, adding that there’s a lack of clarity over who is accountable in incidents involving third parties such as cloud service providers.
Moreover, as one audience member noted, a lot of the most valuable threat intelligence originates on the private-sector side, and despite laws passed to protect companies from incurring antitrust violations when sharing information, they’ve still been reticent.
“What about the flip side of the coin, and the commercial sector actually providing threat data to the federal government?” asked Ed Monarez, director of defense cyber programs for Pacific Northwest National Laboratory.
Evanina said it drives him “crazy” to still hear companies say they can’t share because it would introduce a competitive advantage.
But the new strategy will focus on the government side of the equation, Evanina said, turning a traditional narrative on its head.
“Industry is going to have to make the government more accountable and hold us to what we want to do,” he said.