Counter Intelligence Chief Calls for Zero-Trust Software Supply Chain Policy


The official also said there’s a need for the fusion of responsibilities assigned to a trilogy of government agencies.

In the wake of the SolarWinds hack, a lead intelligence official said the vulnerabilities that software introduces into critical infrastructure will only grow, and pushed for more government scrutiny of such products.

“I think we have to be able to be in a position, and be willing to have a supply chain risk mitigation program that really is around zero trust,” said William Evanina, director of the National Counterintelligence and Security Center, noting the need for an “understanding of who provides your services, where they get them from and actually how they get them, and how does that fit in the ecosystem of the food chain for IT services.”

Evanina spoke during a virtual live event hosted by the Washington Post on Tuesday, where he stressed the importance of public-private collaboration in responding to the widespread hacking campaign, which he believes is Russian in origin.

Asked whether that suggests the government should have greater visibility into private networks, Evanina said, “I don’t know about that.” But he warned that software security is going to be crucial, particularly with the arrival of fifth-generation telecommunication networks.

“As we move into the modern world, as we move towards 5G, the software of vulnerability will only continue to expand,” he said. “We really have to find the right mechanism, the right modality...where we could have real-life, public-private partnership that's beyond what we see now. We have to have in the government, the ability to utilize private-sector talent capability and know-how to protect our nation and our entire society.”

Evanina said this will be a challenge for the incoming Biden administration, and one that will require expanded government authorities.

“We're gonna have to expand the paradigm for how we do business as a country,” he said. “I think the government is going to have to expand authorities and laws to allow the private sector to partner more effectively.”

Increasing collaboration within the government will also be important, Evanina said, citing siloed responsibilities across the National Security Agency, the Department of Homeland Security and the FBI.

“The NSA-DHS-FBI trilogy, you know, one's domestic in terms of hardware and government systems, one's [outside the continental United States], one's investigative, I think we have to get to a sound solution, how we make that all one in the future,” he said. 

Asked about officials’ assessment that Russia “likely” spearheaded the hacking campaign, Evanina said the intelligence community should focus less on who the hacker is and more on how and why they are hacking.

“I think we have to really, in my space, pivot away from not only that it was the Russians or who it was, but also what did they do, why did they do it, what is the methodology,” Evanina said. 

He said it’s important to remember that identifying the intentions of foreign leaders and their governments is “the first rule of espionage.”