WASHINGTON–The man who oversees cybersecurity for the United States said he doesn’t want to be thought of as a person who frightens people, but he did just that in speaking to credit unions here, outlining cyber threats, especially from China, and calling on credit unions to sit down and hold a meeting as soon as possible.
Speaking to NAFCU’s Congressional Caucus here, William R. Evanina, director of the National Counterintelligence Center, told credit unions, “This sounds like scary, bogey man stuff, and it is.”
Many of the threats and stolen data are not the result of sophisticated attacks, but instead are due to a particular “inability” by many Americans, according to Evanina. He strongly urged the credit union execs on hand to immediately sit down with their top staff–including HR–upon returning to their homes to gauge where they stand, conduct exercises and map out better plans to respond to data incidents that will occur.
Evanina wasted little time identifying where he and the Trump Administration believe the real threat is coming from. While North Korea, Russia and Iran are bad actors, it’s China that’s a significant threat to the U.S. and future economic prosperity, America’s top cyber cop said. And the federal government cannot respond to the threat on its own, he stressed.
Evanina said the U.S. estimates China steals intellectual property and trade secrets valued between $300 billion and $500 billion every year.
‘The Largest Threat We Have Faced’
“What does it mean for you and I? It’s about $4,000 a year for the average family in America after taxes,” he said. “If we told everyone in America you have to pay an extra $4,000 per year in taxes, do you think America would care? I think they would care.
“Existentially, the People’s Republic of China poses the largest threat we have faced in many years,” Evanina continued. “(China President) Xi (Jinping) is en route to being an emperor. He and his Communist Party will stop at nothing to get there. The FBI has over 900 active investigations of China’s intellectual property and trade secrets theft. Just Google it and you’ll find case after case after case.”
According to Evanina, 60% of Americans have had their personally identifiable information (PII) stolen by China.
“Do they use sophisticated tools? Nope,” said Evanina. “Most of the breaches have occurred due to one thing: successful spear phishes. We as Americans have an incredible inability to not click on a link. That’s how they get into our businesses and organizations.”
Companies Mandated to Share Data
Evanina said of the top 15 companies in China, 13 are banks, and of those 13, nine are owned by the Communist Party of China and integrate daily with the Minister of State Security.
“China has a national cybersecurity law that says ‘Organizations and citizens in China shall support, assist and cooperate with the national intelligence efforts of the People’s Republic of China,’” said Evanina. “Their companies are mandated to have data-sharing agreements and it must be provided to the Minister of State Security. We have a clear bifurcation in this country between the government, the private sector and the criminal element. That is not the case in China and Russia. They work together as one and that puts us in a very unfavorable position.”
The Insider Risk
The second big risk can be found in insider threats, Evanina said, adding that it’s the reason HR must be a part of all security efforts.
“It means we have to be fully aware of who we are hiring. We have to be able to vet those individuals. Are their resumes real? For us, the insider is the number-one threat we face.”
Evanina, who said President Trump is about to sign a new counterintelligence strategy, said there are threat “pillars” that CU leaders need to be thinking about outside of just the credit union itself:
* Critical infrastructure: Financial, telecommunication and energy. “I would proffer you need all three to run your credit union.”
* Supply chain. “Are you vulnerable? Absolutely. You have to know who your vendors are. China and Russia will facilitate entry into your organization through your supply chain.”
* Economic security. “It’s critical to be the most successful economy in the world. We have the best military in the world because we have the best economy in the world.”
* Foreign influence. “Russia is inhibiting our ability to live in a free and open democracy. If we don’t have that then we are going to lose long term.”
The CU Role
Saying credit unions need to be part of the solution, Evanina told credit union leaders that upon returning home they need to sit down with their general counsel, CISO, CSO, chief data officer, and head of HR.
“It will cost you nothing but a Dunkin Donuts box of coffee,” he said. “You need to ask what are we doing about these things. Do we understand the threat? What are we doing about it? Are we protecting our networks as effectively and efficiently as we can, and if not, what do we need to get there.”
That discussion also needs to cover physical protection of the credit union.
And there is one more group of employees that poses a risk, according to Evanina: employees with procurement and/or acquisition authority.
“These are the people who have your credit cards and buy the things you need to do your mission,” he explained. “We see on the intelligence side our adversaries getting in through procurement networks.”
Evanina said that, as several recent breaches have illustrated, credit unions must be asking questions about the security of data stored in the cloud.
“Forget the money part. Do you think you have data nation-states would love to have? Of course you do,” he said.
A Mandatory Exercise
Evanina called on every credit union to conduct a mandatory tabletop exercise every year, including one built around an insider breach of data.
“Write a crisis plan. Assume you’ve been breached and CNN is breaking the story that you’ve lost files of your members’ data. What will you tell the media, your employees, your members?” he asked. “You as leaders of credit unions owe it to your members and your communities to protect what you have. What is going to be your role in protecting this nation? We need your help.
“We are all in this together,” he continued. “We all have children and grandchildren we want to see prosper in the next 25 years. I can tell you as the head of national intelligence in this country, if we don’t do something, it’s going to be a different picture 25 years from now.”