Feds more at risk from clicking on links than from data stolen during OPM breach

The 21.5 million current and former federal employees impacted by the massive data breach in 2015 may never know if they will be targeted based on the information stolen from the Office of Personnel Management.

Bill Evanina, the director of the National Counterintelligence and Security Center and the National Counterintelligence Executive, said the rate of attacks and the amount of information out there from public and private sector breaches, means hackers likely will bring together a host of data to use in spear phishing attacks.

“If a foreign entity is using the data stolen from OPM, they will use it as one variable in a big matrix of targeting,” Evanina said on Ask the CIO. “It’s really not going to be reality to say if Bill Evanina is targeted a year from now by a foreign government, I’m never going to be able to say it’s because of the OPM data breach. It’s one set of data that is being used against those who would be targeted. We really haven’t seen any anecdotal evidence about anything and at the end of the day I don’t think we will. If it was stolen for the reason which we believe it was, you’ll never be able to point to the fact it was the OPM data breach.”

Bill Evanina is the director of the National Counterintelligence and Security Center and the National Counterintelligence Executive.
Bill Evanina is the director of the National Counterintelligence and Security Center and the National Counterintelligence Executive.

Evanina said federal employees should understand the difference between targeting. If they are getting phone calls at home, that likely isn’t a foreign adversary targeting them.

Download our free ebook to find out how agency CIOs and CHCOs implementing the president's reorganization executive order.

“I think those who are in the government or former government employees who have really big targets on their back for a potential targeting by a foreign intelligence service, if it ever does happen, it will be because of a totality of a lot of things,” he said.

This is why Evanina said agencies need to be more on guard than ever against more advanced spear phishing cyber attacks.

“It’s not only the threat we face from foreign entities and criminals who want to steal our personal information, but it’s also controlling the controllables. How do we best protect ourselves from the number one vector, which is spear phishing? Over 90 percent of all of these breaches have occurred via successful spear phishing,” he said. “So we have to find a way to educate our people and I say our people, the American diaspora, everywhere around the world, to include our young children. Just because you have an attached video file, doesn’t mean you have to click it. When we have an inability as adults to not to click a link, it provides an amazing opportunity for foreign adversaries to not to venture down sophisticated [attack vectors] because we just can’t stop clicking that video of a momma bear and her cubs at Yellowstone.”

Evanina said malware, Advanced Persistent Threats (APTs) and other attacks routinely get through the initial cyber defenses because someone clicks on a link or opens a document they shouldn’t have.

“What we know for a fact is that the foreign intelligence services and criminal elements who utilized these things don’t have to be sophisticated to get into our systems if we continue to let them in by clicking on links,” he said. “It’s two things, the front door of your house, you have to lock your door. If someone knocks on your door, you have to look to see who it is before you open the door. To me that’s the metaphor for spear phishing.”

The National Counterintelligence and Security Center works closely with its mission center the Cyber Threat Intelligence Integration Center (CTIIC) and the Homeland Security Department to share information to better know who is attacking and why they are attacking.

House passes $700B defense bill, which includes pay raise for military personnel

“We as a government have to ensure we work more effectively and efficiently at the speed of translating that information to private sector entities who mostly are the victims. The faster we can do that with context, which is a big part of this, makes a big difference,” Evanina said. “I think if we will increase in 2017 it will be in the speed in which we transit this information.”

While spear phishing is a major attack vector, the NCSC also is helping agencies address the insider threat challenge.

Agencies have struggled to meet the Obama administration’s goal of having a fully operating insider threat program by December 2016. More than 5,500 vendors met the Nov. 30 deadline to develop initial insider threat programs for cleared employees.

Evanina said despite these struggles overall the government is safer from insider threats.

He said the Obama administrated asked NCSC lead an interagency study of the reforms since 2010.

“With all the reforms we put in from a systems perspective, the IT, the authentication, the aspects of audit and monitoring, we have done a really good job in the community of protecting against big data leaks,” he said. “If you look at linear transition of the insider threat from [Chelsea] Manning to [Edward] Snowdown to [former NSA contractor Harold] Martin, not all the same type. Manning was a paper document. Snowden was a big IT program. So we addressed all those big issues on IT and the ability to shut down and stop it earlier. Martin was a little bit different. So as the type of insider changes, we have to be able to look forward, thinking what will be next year’s insider threat and how they will manifest the leaking of the data. When we look at that, a big part of the solution cannot just be tools and solutions put together on IT systems and computers. We have to continue to concentrate on the person. How do we get to Mr. Martin to Snowden before they make the act? How do we do get to the left of the event?”

He said the goal is to identify that bad person earlier through key indicators and behavior analyses.

“We’ve had some significant successes in the last couple of years, not only in the government, but in the private sector, of identifying those folks in need. We’ve prevented such things as suicides along the way, and there are some great business cases in the private sector that the government needs to learn from,” he said. “At the end of the day, we have to be able to work this effort with the knowledge of identifying the person in need to the left of the event and it has to be done with appropriate privacy and civil liberties at the same time.”