William Evanina, director of the National Counterintelligence and Security Center in the Office of the Director of National Intelligence, made a spirited plea today for Federal government and private sector organizations to take additional steps to address cybersecurity and include operations at all levels in an “enterprise-wide security apparatus.”
Speaking at the 2018 Symantec Government Symposium, Evanina urged Federal agencies and other organizations to appoint chief risk officers that report to senior management and organize security efforts to best protect “your brand, what is most important to you.”
The need to do so, he said, is driven by ever-increasing security threats.
“The threat we face has never been greater,” Evanina said, in part because “our adversaries’ capability is growing so fast we can’t keep up with it.”
On the Federal front, he emphasized that cybersecurity has to be a core part of “mission” for every part and level of government, and conducted as an “enterprise-wide security apparatus.”
By way of example, he said of his long tenure with the Federal Bureau of Investigation, “I didn’t care about security … I didn’t know who my CIO was.” But now, “cybersecurity has to be everyone’s job,” he said, and suggested that organizational elements as diverse as human resources and acquisition and procurement also consider security to be core to their missions. “We have to make sure everyone is part of the security apparatus,” he urged.
Unless such a stance is adopted, he said, “we will become numb” to continuing data theft and financial loss–on the latter front emphasizing an FBI estimate that total U.S. losses from cyber theft totaled $500 billion during 2014-15.
Evanina did not spare Federal intelligence and security efforts in his evaluation of the current state of security and the need to improve it.
He criticized the speed at which the Federal government disseminates cyber threat data, saying agencies “don’t get that information as quickly as we should … We have to make sure that is timely and actionable information that can be acted upon.”
And he criticized the tendency of the Federal government to scrimp on training and IT costs when it looks for budget savings. “Which gets as budget hit the most,” he asked, answering, “training and IT.”
Evanina also emphasized the long-standing theme of cooperation between the Federal government and the private sector to address cybersecurity threats. “The only way the government gets better” at security “is to partner with the private sector,” he said. “If you ever needed a partnership this is it.”
He also said legislative action may be necessary to help the government improve its security capabilities, but offered no detailed course on that front, other than to say lawmakers might look to “modernize” how the government is able to defend itself.