Cyberthreats are no longer only a peril to government internet networks – if you’re a public servant at any level, your devices are also at risk.
“The threat landscape is vicious,” William Evanina, Director of the National Counterintelligence and Security Center (NCSC) at the Office of the Director of National Intelligence (DNI) said Tuesday. “We rarely protect our hardware. Our adversaries know this. They’re not going to stop – not today and not tomorrow.”
Evanina was speaking at the 2018 Symantec Government Symposium in Washington, D.C. Today’s cyberthreats include foreign governments, criminals, hacktivists and terrorists. Their motivations range from financial gain to intellectual property theft or harming U.S. national security.
“Foreign actors are the No. 1 threat,” Evanina said, listing China, Russia, Iran and North Korea as major antagonists. “The capability of our adversaries is evolving so fast we can’t keep up with it.”
Government data is valuable as it often involves sensitive information about citizens. Current cyberthreats are increasingly targeting these assets from new angles. Poor cyber hygiene increases the danger by letting adversaries take advantage of unprepared people.
“Nation-state actors put malware on phones for a reason,” Evanina said, noting tablet and other devices are also in the crosshairs. “As Americans we have an incredible ability to click on a link. It’s funny and amusing, but our adversaries know that. They don’t need to be sophisticated to attack us.”
Evanina said that 2018’s cyberthreat landscape means that agencies at all levels should adopt an all-hands-on-deck mentality to security.
“We need to have a system-wide, enterprise-wide apparatus to deal with cyber,” he said. “It’s everybody. The more folks that are involved the better we’re going to be.”
Evanina charged that a strong defense includes more than an agency’s cybersecurity and IT teams. Every government employee has a role to play, he said, including human resources, procurement and mechanical workers.
“We should all own consequence,” he said of government workforces. “It’s us and what’s dear to us. If your data gets stolen, who’s responsible? At the end of the day, that’s your brand. Protect those things that are dire to you and critical to your mission, brand and organization.”
Evanina also voiced concern that the federal government is struggling to sound the alarm about cybersecurity. He cited the 2015 Office of Personnel Management (OPM) breach as missed opportunity for educating Americans on the dangers facing them. The incident resulted in about 21.5 million federal records being stolen.
“It was painful,” he said. “I don’t think we’ve learned any valuable lessons from that. The threat of activity from those records will be everlasting as those records won’t return.”
Evanina additionally challenged agencies to avoid becoming complacent about cybersecurity incidents while better explaining the harm that they cause.
“It’s almost daily,” he said. “We get numb to it. It’s just so frequent it’s no longer newsworthy. We in the government must do a better job talking about the damages. We’re losing gigabytes of data.”