Q&A with Deputy Director Michael J. Orlando
The Homeland Security Enterprise Forum (HSEF) continually strives to engage in thought dialogue, educate the public and inform government leadership. Today, HSEF is honored to share a security-related professional blog from our partner SIMS Software featuring Michael J. Orlando in an informative and insightful exchange on continued/emerging challenges many of our readers face. Mr. Orlando is the Deputy Director of the National Counterintelligence and Security Center (NCSC) and presently serves as the Senior Official Performing the Duties of the Director of NCSC. Mr. Orlando’s career in the U.S. Army, the CIA, FBI and the ODNI is an impressive one indeed, and we have added a link to his biography here: https://www.dni.gov/index.php/ncsc-who-we-are/ncsc-leadership. Mr. Orlando is taking time with SIMS Software Advisor, Tom Langer, to discuss some of the initiatives and challenges on the agenda for NCSC and ODNI for the year ahead.
Question from Thomas Langer: Welcome, Deputy Director Orlando and thank you for taking the time to share your insights with the SIMS Software community of industrial security professionals. Those of us who have been involved in the defense and intelligence (D&I) communities for so many years tend to think of our mission to be primarily the safeguarding of classified information. For NCSC your mission extends to intelligence threats to all of America, D&I as well as commercial and critical infrastructure. How do you approach such a broad range of diverse risk profiles and what educational resources are you using to get the message out?
Answer from Michael Orlando:
NCSC leads and supports the U.S. Government’s counterintelligence (CI) and security activities. Some of our key policy and integration functions within the U.S. Government include CI intelligence integration, security clearance policy and reform, supply chain threats, insider threats, and security standards and compliance for overseas diplomatic facilities. Unlike the FBI or CIA, we don’t have agents conducting investigations or officers abroad collecting intelligence; we’re not operational.
Much of what we do across the government relates to integrating CI efforts at the national level and developing policies to enhance the nation’s CI posture. At the national level, NCSC is responsible for crafting the National Counterintelligence Strategy of the United States, which sets goals and priorities for the federal CI community. We also produce the National Threat Identification and Prioritization Assessment, which informs policy makers and senior officials with CI responsibilities on current and emerging foreign intelligence threats. We develop priorities for CI collection across the government and advocate for CI program budgets. We also routinely work across the Intelligence Community (IC) to identify threats and bring agencies together to mitigate them in a coordinated way.
Another core mission of NCSC is to conduct CI outreach to the private sector and issue public warnings regarding intelligence threats to the United States. We seek to educate these stakeholders on the nature and scope of foreign intelligence threats to their organizations and provide information on risk mitigation.
We do this through classified and unclassified briefings, dissemination of written products and videos, partnerships with associations, national communications campaigns, and other efforts. NCSC is a relatively small outfit, but we’re able to conduct hundreds of direct, in-person engagements with the private sector every year, reaching thousands of executives. We often conduct these engagements with our partners at the FBI, at DHS, or other agencies. I encourage everyone to visit our website at NCSC.gov to review risk mitigation materials available to industry and the public. We also engage the media to help spread the word to the general public on foreign intelligence threats and mitigation.
Today, our outreach mission has never been more important. Twenty years ago our adversaries were primarily targeting U.S. Government secrets. Today they’re targeting virtually every sector of our economy to acquire Intellectual Property, technology, and data for their own national priorities. We need to help companies get to the left of an attack, to help them harden their defenses and build resilience so they aren’t victimized. This doesn’t eliminate the threat for companies but will help reduce it and allow companies to mitigate problems more quickly.
Question from Thomas Langer: In an interconnected world, the supply chain risk is greater than ever. Although the U.S. Government has taken significant steps to have their contractors secure the supply chain on delivered goods and services for them, our suppliers are not always U.S.-based or part of the D&I community. Do you have some tips for helping security professionals get the supply chain risk management (SCRM) message across to their leadership?
Answer from Michael Orlando:
Getting executive level buy-in for an effective supply chain risk management program is essential for any organization. Within the private sector, it’s important to speak to leadership in terms they understand, including costs and benefits. What are the financial benefits to the company of having a secure supply chain? What are the third-party risks transferred to the company from compromised or at-risk vendors? What are the operational and recovery costs from a cybersecurity breach? Will the company survive the reputational damage from not knowing the suppliers in their supply chain?
By some accounts, the average cost of a cyber-data breach was $4.24 million in 2021. Security officers need to understand the costs of these issues and compare those with the costs of having a strong and proactive supply chain risk management program, which will help them articulate the stakes for corporate leaders making broader, enterprise-wide decisions on security.
While there is no single, silver-bullet solution to immunize organizations against supply chain threats, NCSC encourages organizations, at a minimum, to consider the following basic principles to enhance the resilience of their supply chains.
• Diversify Supply Chains: A single source of goods or services is a single point of failure. Diversify supply chains to ensure resilience in the event a supplier suffers a compromise, shortages, or other disruptions.
• Mitigate Third-Party Risks: Conduct robust due diligence on suppliers, understand their security practices, and set minimum standards for them. Incorporate security requirements, data breach notifications, and supply chain transparency requirements into third-party contracts. Set standards for compliance and monitor compliance throughout the lifecycle of a product or service.
• Identify and Protect Crown Jewels: Identify critical corporate systems and prioritize their protection. Monitor systems and network performance to minimize impact of disruptions.
• Ensure Executive-Level Commitment: Name a senior executive as owner of supply chain risk and include stakeholders across the enterprise in the risk mitigation program. Communicate across the organization to ensure buy-in and establish training and awareness programs.
• Strengthen Partnerships: Information exchange between government and industry on current threat information and security best practices is paramount.
Question from Thomas Langer: Trusted Workforce 2.0 remains a critical priority for the D&I security community and our employers. All indications are the timelines for security clearances have been reduced, and reciprocity has not been negatively impacted. We applaud the efforts by you as the Security Executive Agent (SecEA), and the Defense Counterintelligence and Security Agency’s (DCSA) National Background Investigation Services (NBIS) in achieving these improvements. My question is: are these timelines still improving and what do you, as the SecEA, see as the next phase of Trusted Workforce 2.0?
Answer from Michael Orlando:
The Trusted Workforce 2.0 initiative is transforming how the federal government vets its workforce, known as personnel vetting, to better align with today’s complex missions, societal norms, foreign and domestic threat landscape, and changing workforce. As part of this initiative, federal agencies across the government are working toward an end state that will produce rapid delivery of a trusted workforce to execute the missions of government and improve workforce mobility through an improved risk management posture.
Thus far, we’ve achieved several key milestones, but there is still substantial work to do. Since the framework of the Trusted Workforce 2.0 initiative was established in 2018, the background investigation inventory has been reduced from a high of 725,000 cases to a steady state of less than 200,000 cases. Timeliness for background investigations has also been significantly reduced during this period, with completion of Top Secret cases reduced from an average high of 411 days to 79 days presently and completion of Secret cases reduced from an average high of 173 days to 56 days presently.
Furthermore, Trusted Workforce 2.0 has developed a continuous vetting capability, allowing the government to receive information on clearance holders in real-time, including via automated record checks, to detect potential areas of concern earlier. Previously, the government typically received such information through labor-intensive periodic reinvestigations every five-to-ten years. Today, we have some 4.2 million clearance holders enrolled in a continuous vetting capability, as federal agencies pivot away from the traditional periodic reinvestigation model.
In terms of the next phase, there will be a cascade of policies during 2022 that will further build out the framework of the Trusted Workforce 2.0 initiative:
• Investigative Standards. These will modernize investigative requirements to achieve the outcomes described in the Federal Personnel Vetting Guidelines. The new standards will introduce a risk management approach to investigations that maximizes uniformity across all federal personnel vetting and focuses on the efficient collection of information needed to make informed decisions on an individual’s trustworthiness.
• Common Principles in Applying Adjudicative Standards. These will provide the framework through which agencies render trust determinations based on a thorough evaluation of an individual’s conduct and perceived indications of vulnerabilities.
• Performance Management Standards. These will establish the key performance measures to assess the success of the personnel vetting outcomes and empower stakeholders to make rapid and informed decisions, improve processes, and assign accountability.
• National Training Standards. These will enhance the quality of investigations and adjudications by ensuring government-wide consistency through standardized policies, processes and training.
• Investigative Forms. These will align information collection from individuals on standard forms (SF-85, SF-85P, SF-86) with the new Trusted Workforce 2.0 policy framework and three-tier structure.
Question from Thomas Langer: In the D&I contractor community we have developed insider threat programs that are tailored to each company’s operating profile such as manufacturing, personnel services, IT, etc. The last two years of coping with COVID has changed those profiles significantly for many of our companies and may have done so permanently for some. As we resume more “normal” business operations what advice can you share as organizations revisit their insider threat programs?
Answer from Michael Orlando:
The last two years have presented a very challenging risk environment for employees and organizations. There have been significant adjustments to work and home life, disrupted supply chains, financial insecurity, unreliable or overwhelmed technology capabilities, political and cultural fissures, and serious individual and collective health concerns. We’ve been quite concerned about adversaries taking advantage of these vulnerabilities to increase targeting of employees in government and industry.
To help address these issues, it’s been more important than ever to increase communication with employees, many of whom have been operating remotely and feeling isolated. In our agency we've discussed with our employees and contractors how they may be targeted in this environment. We’ve discussed with them how it’s okay to seek counseling during these stressful times. We’ve also worked a great deal to ensure they feel included and engaged. Government and industry organizations must continue these types of communications as employees begin to return back to work and resume more “normal” operations.
I would say building organizational trust among the workforce is paramount in today’s environment. Organizations with positive and inclusive work cultures that foster trust between employees and leadership have more engaged and loyal employees and are better positioned to identify, mitigate, and reduce insider threats. Studies have demonstrated that disengaged workers have higher absenteeism, more accidents, and more errors and that organizations with low employee engagement suffer from lower productivity, lower profitability, and lower job growth, all conditions that can contribute to insider threats.
With respect to insider threats, all companies should know they are vulnerable. These threats can take many forms, whether it’s an employee coopted by a foreign adversary to steal intellectual property or one who clicks on a phishing link that infects a company network. It’s important to understand that most insider threats exhibit risky or concerning behavior before committing negative workplace events. If companies have robust insider threat programs that foster a culture of trust and encourage employees to recognize and report behaviors of concern, early intervention can occur. This can lead to positive outcomes for at-risk employees and reduced risks to organizations.
Question from Thomas Langer: As the war in Ukraine grows in its intensity, there is an expectation Russia will be using their expansive cyber capabilities to target U.S. companies involved in supporting U.S., NATO, or Ukraine forces. What safeguards and overall awareness can you share with industry to help them be better prepared? A corollary question is: what would you recommend individuals do to practice better cyber hygiene at home?
Answer from Michael Orlando:
U.S. companies should raise their vigilance and be prepared for the possibility of cyber intrusions from Russian state cyber actors and others, including a range of criminals and hacktivists who have taken sides in this conflict. Companies also should consider the potential for collateral damage from cyberattacks related to the conflict impacting individuals and organizations far away from Ukraine and Russia. The White House and other federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and NSA have issued many cybersecurity advisories to help U.S. organizations prepare. I would advise companies to pay close attention to these notices and act on their recommendations. The White House recently provided a good list of mitigation steps for companies to take:
• Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system.
• Deploy modern security tools on your computers and devices to continuously look for and mitigate threats.
• Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors.
• Back up your data and ensure you have offline backups beyond the reach of malicious actors.
• Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack.
• Encrypt your data so it cannot be used if it is stolen.
• Educate your employees about common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly.
• Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. IT and Security leadership should visit the websites of CISA and FBI to find technical information and other useful resources.
Companies also need to think beyond just cyber and should be prepared to defend against multiple different attack vectors. Nation-state operations often combine many different tools and approaches to achieve their goals, including cyber, the use of witting or unwitting insiders, supply chain attacks, technical surveillance operations, and agents of influence. They may also use blended operations that combine some or all of these tactics. Similarly, U.S. companies should be aware of some of the legal and quasi-legal methods used by state actors or their proxies to acquire technology or talent, including investments, mergers and acquisitions, joint ventures and partnerships, scientific/academic collaboration, and talent recruitment.
To help organizations improve their defenses, we offer some basic CI steps:
• Institute a comprehensive, enterprise-wide security posture
    o Include Acquisition, Procurement, and Human Resources in security planning
    o Ensure collaboration among all of your organization’s threat mitigation programs
    o “War game” your worst day
• Implement robust insider threat programs
• Know who you are doing business with
    o Vet your vendors and suppliers and understand their security practices
    o Set minimum standards for participants in your supply chain
• Strengthen cyber security and hygiene
    o Patch regularly, use multi-factor authentication, and protect your credentials
    o Segregate your networks, continuously monitor systems, and maintain computer logs
• Maintain an “enigma list” of unexplained events or anomalies and periodically review it to detect patterns
• Maintain enduring connectivity to the U.S. Government on current threat information and security best practices
• Identify, prioritize, and commit to protecting your “crown jewels”
We also offer some basic CI steps that individuals can take to mitigate risks:
• Cyber Hygiene Basics
    o Spear-phishing: never click on suspicious links / attachments
    o Use multi-factor authentication
    o Create strong passwords (passphrases) and change them often
• Social Media Basics
    o Never accept online invitations to connect from people you don’t know
    o If possible, validate invitations through other means
    o Review social media settings and control the amount of your information that is available to the public
    o Be careful what you post on social media about your work and contacts, as it could draw attention from criminals or adversaries
• Foreign Travel Basics
    o Understand you may be targeted while traveling abroad, even to a friendly country
    o Have no expectation of privacy when traveling abroad, especially on electronic devices
    o If you can do without them, leave your electronic devices at home and take a temporary phone
    o Avoid Wi-Fi networks abroad if you can, as they are regularly monitored by security services
    o Never leave electronic devices unattended while abroad; hotel safes are never “safe”
Question from Thomas Langer:
In 2020, the NCSC crafted the National Counterintelligence Strategy for the United States 2020-2022, focusing on 5 key areas:
• Objective: Protect the nation's critical infrastructure
• Objective: Reduce threats to key U.S. supply chains
• Objective: Counter the exploitation of the U.S. economy
• Objective: Defend American democracy against foreign influence
• Objective: Counter foreign intelligence cyber and technical operations
2022 is the final year of this national CI strategy; how would you rate U.S. efforts against this plan and where might the focus be for the next national CI strategy?
Answer from Michael Orlando:
From my vantage point at NCSC, there are a number of areas where I have seen real progress against these objectives. Let me spell out a few.
With respect to critical infrastructure, there has been key progress by many federal agencies in working with industry to help them harden these sectors. There has been significant outreach to critical infrastructure sectors to alert them to threats and provide information on mitigation. I would point to the recent cybersecurity advisories that CISA, FBI and the Department of Energy issued to the energy sector in connection with the Ukraine crisis as the latest examples. Whether directed to critical infrastructure sectors or other industries, I believe the government has improved its ability to get cyber threat information out to industry in a timely manner, compared to several years ago.
There have also been major improvements in understanding and addressing supply chain threats. A few years ago this was not a top focus of many organizations. But as our adversaries have increasingly used supply chains as an attack vector against us, the government has taken many steps to enhance supply chain security, particularly in the information and communications technology sector. Where they didn’t exist before, there are now multiple public-private sector initiatives closely monitoring these issues and working to enhance supply chain resilience. I note that in April, NCSC will carry out its 5th annual National Supply Chain Integrity Month campaign with industry and government partners to raise awareness of these threats. The supply chain risk management page at NCSC.gov will have resources.
To counter exploitation of the economy, I would point you to the extensive record of arrests and prosecutions that the FBI and Justice Department have brought against individuals involved in stealing corporate trade secrets or economic espionage in recent years. I believe we’ve also made real progress in raising awareness of nation-state threats to certain emerging technology sectors and in helping these sectors protect themselves. In the bio-economy, for example, we’ve worked extensively to shine a light on foreign threats to genomic data and what this means for privacy as well as U.S. economic and national security. This has led to actions in the United States and foreign nations to better protect this data.
I would also say the government has made advances against foreign influence. Building on lessons learned from the 2016 elections, agencies across the government came together during the 2020 Presidential campaign to synchronize efforts with state and local officials and to expose and disrupt foreign influence efforts. There was also substantial coordination with the private sector to help shine a light on these malign activities. Today, federal agencies continue to work together to combat foreign influence, including disinformation and other activities from nation-state threat actors.
While these are just a few examples of progress in recent years, there is still substantial work to be done. I’m the first to admit the government, writ large, still needs to do a better job of sharing threat information with industry. While we’ve improved sharing cyber threat data with industry, we need a more comprehensive effort to share information on broader nation-state threats. We also need to improve the way we talk to the private sector. If we’re asking CEOs to put more money into security, we need to convince them it’s in their corporate interest to do so, as they balance risk and investment tradeoffs. At the same time, the government can’t address these threats alone. Companies must be willing to adopt robust security procedures as part of their everyday business practices. We must help them understand they’re up against well-financed nation-state actors who could put them out of business.
With respect to the next national CI strategy, we’ve begun working with our partners across the government on this effort. At this time, I’m not in a position to provide specific details as work on the national strategy is in progress.
I can tell you one area that our Center, NCSC, is focused on going forward is the protection of emerging technologies from foreign threats. In October 2021, we announced publicly that we planned to prioritize our industry outreach in a few emerging technology sectors where the stakes are potentially greatest for U.S. economic and national security. These sectors are Artificial Intelligence, quantum, the bio-economy, semiconductors, and autonomous systems. These technologies may determine whether the United States remains the world’s leading superpower or is eclipsed by strategic competitors in the next few years. U.S. leadership in these sectors faces growing challenges from strategic competitors like the People’s Republic of China and Russia who recognize the economic and military benefits of these technologies and have enacted comprehensive national strategies to achieve leadership in these areas. For several months, we’ve been conducting outreach to organizations in these sectors to raise awareness of nation-state threats and help them protect their human talent and cutting-edge research. We’ll continue to engage and listen to these communities to help them build resilience and safeguard their advances.
Question from Thomas Langer: As the nation’s workforce gets back underway from COVID but changed in ways we’ve yet to fully comprehend, what final words of CI awareness would you wish to share with the readers?
Answer from Michael Orlando:
I believe we’ll continue to see impacts of the COVID-19 pandemic on insider risk, including feelings of stress and isolation among employees, continued telework, or other continuity of operations adjustments. Even when work gets back to some semblance of “normal,” we recommend organizations maintain continued vigilance to recognize concerning behaviors among employees and focus on workforce resilience, including mental health and wellness. Our adversaries don’t take breaks and it’s imperative that CI awareness remains front and center for business and government organizations, particularly in today’s elevated risk environment.
TL: Thank you again for taking the time to share such valuable insights and information with us.