What is the future of U.S. Counterintelligence and the National Counterintelligence and Security Center?

[Music and Narration]

 

Jack Capizzi:  Welcome to The Federalist Society’s virtual event. Today, this afternoon, Wednesday, December 7, we are discussing “What is the Future of U.S. Counterintelligence and the National Counterintelligence and Security Center?” My name is Jack Capizzi, and I’m an Assistant Director of Practice Groups at The Federalist Society. As always, please note that all expressions of opinion are those of the experts on today’s call.

 

Today, we are glad to be joined by Bill Evanina, CEO of the Evanina Group and former Director of the National Counterintelligence and Security Center, and Jamil Jaffer, Adjunct Professor, National Security Institute Founder, and Director of the National Security Law and Policy Program at the Antonin Scalia Law School at George Mason University. After our speakers give their opening remarks, we will turn to you, the audience, for Q&A. If you do have a question, please type it into the Q&A feature at the bottom of your screen, and we will handle the questions as we can towards the end of today’s program. With that, thank you all for being with us. Jamil, the floor is yours.

 

Prof. Jamil N. Jaffer:  Well, Jack, thanks to you and to the International Law and National Security Practice Group at The Federalist Society for hosting today’s webinar. And, Bill, thanks to you for being here with us today and giving us the benefits of your insights on the future of counterintelligence. So I think we ought to just jump right in, Bill. Talk to us about what --what is counterintelligence? What does that mean? What does that discipline -- what has it historically meant, and what does it mean today because I know that there’s been something of an evolution in the last decade or decade and a half? Talk to us about what CI is and what it means today.

 

William Evanina:  Sure. Thanks, Jamil, and thanks to The Federalist Society. I want to echo your comments, Jamil. It’s really important that we have these dialogues and discussions amongst people who have open minds—same mindset in terms of protecting America. So I’m humbled to be here. I’m also humbled to be your partner in this event. I think it’s really important to really take a look at where we are in a society and the government with respect to counterintelligence. I mean, counterintelligence literally means countering the intelligence collection of others, in this case, adversarial actors and the Big Four, so to speak. And we’re countering their collection.

 

Prof. Jamil N. Jaffer:  Hey, Bill, real quick, when you say the “Big Four,” what do you mean by the Big Four?

 

William Evanina:  I’m sorry. Like Russia, China, Iran, and then four is a combination of North Korea, Cuba, and all the other players in the small game.

 

Prof. Jamil N. Jaffer:  Gotcha. Yeah.

 

William Evanina:  Sorry. I think when you look at counterintelligence historically, in our age group—you go back to the Cold War—it was spy versus spy, right? It was who could collect and recruit more spies than the other country. When you look back at the big spy scandals of the ’70s, ’80s, and ’90s, it was, “Who got the bigger spy?” That spy got you the intelligence collection that you needed to promulgate your nuclear programs, your industrial programs, and your weapons in a DoD ecosystem.

 

That has changed dramatically, specifically in the last ten years. I would proffer to you, Jamil, that’s really exacerbated since 2013 and the onset of Xi Jinping. He has really changed the definition of counterintelligence. And I go back to the Counterintelligence Enhancement Act of 2002. That was a result of Hanssen and Ames and Pollard. There was a bunch of spies-versus-spies. I would proffer you we are no longer in that space anymore. The private sector and academia is the new battle space for our adversaries.

 

Prof. Jamil N. Jaffer:  So what do you mean? So when you say -- so I get the spy-versus-spy. Right? So the Russians have somebody at their embassy here that’s trying to recruit Americans to give classified information to the Russians and the Chinese or the Irans [sic] or North Koreans, and they’re taking those secrets; they’re learning about -- what our plans, our intentions, are, what our capabilities are. I get that old spy-versus-spy world. Right? But what do you mean that academia and the private sector are the new battlefield? I mean, why does anybody care what -- first of all, nobody that I could have mentioned -- I mean, you just go look on the internet and go -- I mean, the people publish their research. Why does anybody care what academia and the private sector are doing? Why isn’t it still about the old spy game? What’s changed?

 

William Evanina:  Yeah. Great question. For fairness, the old spy game still exists, right?

 

Prof. Jamil N. Jaffer:  Right.

 

William Evanina:  We’re not going to kid each other. That is still there. But those spies that are recruited are for deeper, darker secrets. Your point is well asked, Jamil, that we have to bifurcate academia and private sector. And I would throw in a third—research and development. What we’ve realized since the Counterintelligence Enhancement Act, the advent of the internet has put everything online. Like you said, you can go online; you can see what people are doing. Well, in 2002, you weren’t able to do that. Right? So now, our adversaries have identified ways to collect classified and unclassified secrets, trade secrets, proprietary information—PII—from companies, researchers, and academia via the internet.

 

So there’s two main ways they do it—cyber-enabled, whether it be through malware or stir fishing, or through the insider threat program. When you look at the counterintelligence strategy and the numbers you come out with now -- I think the latest FBI numbers are $600 billion a year in economic loss just from the country of China, the Communist Party of China, just from theft of trade secrets and proprietary data—600 billion.

 

Prof. Jamil N. Jaffer:  A year?

 

William Evanina:  A year. That is $4,000 for every American family after four. Right? So you think that -- does that matter? But that 600 billion comes from the private sector and academia and research and development loss of their theft of proprietary data and trade secrets.

 

Prof. Jamil N. Jaffer:  Can I ask you sort of the -- Bill -- so, okay. So I get conceptually, the Chinese, maybe, are stealing intellectual property. But why are they doing this? What’s the benefit to them? What are they gaining out of stealing American intellectual property? And how big a threat is it to the average American? You mentioned $4,000 a family, but why should I care if a bunch of R&Ds walk out of the back door? What does that matter to me if I’m sitting in American society?

 

William Evanina:  Great question. That depends on who you are. So, if you are a CEO of Boeing, you should care that the Chinese are building a new Cormack airplane that’s going to be competitive with Boeing and Airbus in just a few years. That entire air fleet they built was built on stolen intellectual property and trade secrets from Boeing and Airbus. Right? So the theft that’s been occurring the last 10 years has resulted in China being able to put together an air fleet that’s going to be 30 cents on the dollar from Boeing. Right? That’s number one.

 

You look at just the last five years, what General Electric has lost in their intellectual property and trade secrets from theft of Communist Party of China actors, the acoustical information from weaponry from the Department of Defense to hypersonics all going to benefit China’s military and [inaudible 07:11]. So it does matter in terms of who the victim is ultimately. But it's also the new way that nefarious countries are stealing secrets from the people who actually make the secrets.

 

Let’s be honest, Jamil, Department of Defense is the biggest in the history of the world. They don’t make anything, right? They pay people to make it. So over time, both the Russian and Chinese got smart and said, “Hey, we don’t need to steal this anymore from the Department of Defense. We can go to where they’re making it, both in the classified realm but, more importantly, in the unclassified realm.

 

Prof. Jamil N. Jaffer:  Interesting. So what I hear you saying, Bill, is that there’s a few reasons to be concerned about this. One, secrets are walking out the back door, but they’re not just coming from the government. They’re coming from contractors alike who have secrets and may not be protected in the way the government is or may not be able to protect in the way the government is because their unclassified systems and classified systems are connected, or some of the information may not be classified, but it may be really sensitive. Right? So that’s one problem.

 

It sounds like another problem is we’re spending -- the United States, because we’re an innovator—we engage in lots of innovation—we spend hundreds of billions of dollars on innovation, on research and development to create new things. And if that’s all walking out the back door to China, they’re building new companies built on that without having to spend that money. And they’re saving money, able to offer products at a lower cost, and then undercutting us in the marketplace.

 

William Evanina:  I couldn’t have said it any better. That happens every single day. We used to call it the old bus stop schemes, where the Communist Party of China would bid down still to IP and the property and then have a ghost company in China. And before everybody even knew it or the FBI started investigating when data was gone, they already had a patent and manufacturing up and running, and they were selling that product for 30 cents on the dollar in South Asia, right? So that’s been happening since Xi Jinping took power.

 

Prof. Jamil N. Jaffer:  And it’s not just the CEO of Boeing, right? I mean, it’s the line work or the plant -- at the Boeing plant, right? Because if they’re not building a plane anymore because the Chinese are undercutting them, those people will lose their jobs, will lose their American jobs and American productivity here in the country. Right?

 

William Evanina:  Right. And I think it’s really important, Jamil, to think about this in terms of the vast span of where this goes. I mean, from the hybrid grain and steel to seats to a steel that’s insulated for skyscrapers to medical technology, biopharma to hypersonics, you name the platform, the Chinese have been very successful at stealing it. And the research and development ecosystem you talked about just before, I would proffer that that is -- we have the best research and development academic ecosystem the world has ever seen, but it’s built on a collaborative mindset. And that collaborative mindset is so successful, but it also avails itself to that very, very easy theft from actors who want to steal it.

 

Prof. Jamil N. Jaffer:  Yeah. That makes total sense. And, by the way, for the audience members, we are going to be taking questions from you in the latter half of this session, so please do put your questions -- there’s a Q&A function. You can drop your questions there. We’ll see them, and then we’ll go through them and have Bill answer them as questions. But coming back to this idea, Bill, of IP theft and the like the Chinese are building this economic engine based on stolen American R&D. Presumably, other countries are doing the same. They’re also stealing secrets that helps them. That benefits them on the national security front. Both economic security and national security are really closely tied together.

 

So let’s add, by your story, that this is the new counterintelligence—the real problem. So who in the government owns this problem? Like, who in the government’s responsible for stopping the Chinese—or any other country for that matter—from, A, stealing our secrets and, B, stealing our economic capabilities and building a new economic engine without that investment of R&D that we’re all putting in?

 

William Evanina:  That’s a great question. And I’m pretty sure that’s one of the reasons why we’re here, Jamil. Let’s put it in current context. The last year and a half, the legislation that the U.S. Commerce has put out, from Build Back Better to the infrastructure to, recently, the CHIPS Act, billions of dollars that are going into --

 

Prof. Jamil N. Jaffer:  Hundreds of billions, yeah.

 

[Crosstalk]

 

William Evanina:  -- to the private sector. Right? The president was just in Arizona this week with TSM putting together new plants there. I would ask you, “Who’s responsibility is it to protect all that economic investment and the delivery of intellectual property and trade secrets as we build chips more effectively here in the --who’s job is to protect that?” Nobody’s. There is no assigned -- so is it a supply chain issue? Right? Is it a research issue? Is it critical infrastructure? Now, the FBI’s number one line to investigate when that stuff is stolen, I would proffer to you that we don’t have a definitive organization that’s primary role is to prevent that, educate, inform, and provide real-time intelligence to help those companies protect what they’re ideating, manufacturing, and developing.

 

Prof. Jamil N. Jaffer:  Well, but Bill, you ran an organization called the National Counterintelligence Security Center, right? So, I guess maybe I just assumed it was your job back in the day. Tell me, where did NCSC come from? Right? What does it do if it’s not that? And is there something else it should be doing? Or does it need authority? Does it need money? What’s the challenge? And maybe it’s not their job. I don't know. I mean, you tell me.

 

William Evanina:  Well, first of all, those are good questions, and they’re a little -- they’re not softballs, Jamil. They’re not softballs. I just want to put that clear. So I think NCSC stemmed from the old National Counterintelligence Executive, which was created after the 2002 Counterintelligence Enhancement Act to really coordinate efforts in the United States government to protect spies in the US government, to coordinate counterintelligence operations to, A, protect from getting recruited as a spy but also to facilitate operations overseas. It’s grown since then. And then, in 2014, the DNI made it a center, a counterintelligence security center, and it really --

 

Prof. Jamil N. Jaffer:  That’s the Director of National Intelligence.

 

William Evanina:  Yeah, sorry. Director of National Intelligence created it to be equal to or on par with the National Counterterrorism Center and the National Proliferation Center. And it really was now a bastion for counterintelligence and security professionals to have the same center. It really grew out of demand, and I would say hit hard by the OPM data breach for a centralized place that really had one foot in the intelligence community and one foot in the rest of the government—the non-Title 50 organizations, research and development—to be able to bridge the gap from what we see overseas from collection to providing threat and warning to the other government agencies as well as the private sector. NCSC never really grew fast enough to be able to do that role effectively among their other duties, but the other primary duties are the government’s strategy and policy organism to drive counterintelligence security.

 

Prof. Jamil N. Jaffer:  Yeah. So you mentioned a couple of things there that were drivers to sort of building NCSC up. And one of them was this OPM data breach. What is that OPM? I think a lot of people may know, but what is the OPM data breach? And talk to us about why that was relevant to how NCSC’s mission may or may not need to change?

 

William Evanina:  Sure. So the OPMN data breach, Cliff Notes version, was breached by the Communist Party of China. And they were able to take 21 million -- 21 million human beings who’ve applied for security clearances, they were able to exfiltrate not only their applications for clearances but their entire files. Right? So a couple things on that. Number one, they have all that data, all the secrets, all the things you don’t want to put anywhere else but under security clearance. They have all that availability too. What’s seldom known is that the breach occurred from a contractor who was servicing OPM. Right? So in today’s day, 2022, it would be a major supply chain breach, which it was.

 

And I would say thirdly, it was really the top of mind where it was the first time we saw a nation state threat actor, the Chinese, really siphoning massive amounts of data in the government. And I think that was the place where we looked at it in congressional hearings as to, “Okay, well, the FBI’s going to investigate this. Well, then who else should really do a damage assessment?” Right? And that’s when NCSC, they came in to be able to put together and show what this data looks like when combined with other data stolen from Marriott and Equifax to others.

 

Prof. Jamil N. Jaffer:  Yeah. So what I hear you saying is that there’s all this data about people who had clearances. Right? It’s not just the form they filled out, which has all the addresses they lived at, all their relatives, all their relatives’ phone numbers. But it’s also -- the FBI goes around and does interviews with these people and hears about, “Okay, well, how might this person be vulnerable? What are they -- they spend for -- do they spend in unwise ways? Are they an alcoholic? Are they having affairs?” Because they want to know all the things that might make you vulnerable.

 

Well, now the Chinese have all that information. So they can run very sophisticated data analysis over that. They can also run very sophisticated human intelligence operations to target our people with clearances. And then they combine that with information from TikTok and the Anthem data breach, the healthcare data breach, and the breach of credit reporting agencies -- combine all that data, and now they can train machine learning systems to predict how people might behave and how they might act based on all this data they have about them. That’s pretty scary.

 

William Evanina:  It is. It is.

 

Prof. Jamil N. Jaffer:  And so, NCSC, in part, got some more authorities or some more responsibility to deal with this. So does NCSC, today, have the responsibility for preventing things like that from happening again? Private contract has all this data about Americans, sensitive information -- out the back door to the Chinese. Is that NCSC’s job today? Do they have the authority, the responsibility, and the money to do that job?

 

William Evanina:  Yeah. No, no, and no. So, again, big picture, NCSC’s authority, its responsibility, is to write strategy for the counterintelligence security apparatus of the United States government and private sector, write policies for counterintelligence, and then for security clearance reform. That’s kind of what they do.

 

Prof. Jamil N. Jaffer:  Okay.

 

William Evanina:  But they’re supposed to be doing all these other things with respect to damage assessments and then other things that are cure. But they’re just not big enough and scalable to do that. So responsibility comes from those individuals and those organizations who become breached—to help with their good cyber hygiene, a good CISO, a good CSO integrating the intelligence community, getting ahead of the intelligence. Those are individual organizations that have to do that. Now, what the current government makeup from a cyber perspective will only look to CISA for that role and then the FBI after they’re breached. So right now, from a counterintelligence perspective, the NCSC would provide, “Hey, here’s what the CIA and NSA are seeing from collection that’s going to help you advise your risk matrix.” And that’s when NCSC would deliver that.

 

Prof. Jamil N. Jaffer:  Yeah, but so, Bill, I get that, but one of the challenges I have with that scenario is -- let's go to the private sector and then we’ll talk about the government. So we’ve always thought about, in the private sector, listen, if a Russian bomber comes over the horizon or the Russians fired a ballistic missile at a city, nobody thinks, “Oh, Target, Walmart, JP Morgan, why don’t you guys have service to air missiles on the roof of your building to shoot down that missile or shoot down that airplane?” Right? Everyone thinks, “Oh, well, we’re not going to blame those private companies.” Right? The government has that job of protecting the nation when it comes to foreign nation state actors. Right?

 

But in the cyber domain, it’s the exact opposite. In the cyber domain, we say, “No, no, no. JP Morgan, Walmart, Target, a mom-and-pop shop in Paducah, Kentucky”—nothing gets Paducah, but just wherever—“they’re all responsible for defending against that script kiddie in the basement, the criminal hacker gang, and China, Russia, Iran, North Korea.” And, of course, that doesn’t make any sense. They can’t do that. And now you’re saying the same thing’s true in the government. The government -- “Well, NCSC does strategy.” Got it. “FBI does investigations after the fact.” Got it. But there’s no one that has a defend-the nation-mission. Or maybe there is, and I just don’t know who it is. I mean, who has the defend-the-nation position? It’s really every agency’s got to figure out for themselves?

 

William Evanina:  It’s a great question and a perfect scenario. And I think a metaphor, I think, for the audience here that would understand this is back in 2017, ’18, I think the intelligent community came together and went to the White House NSE. And then we got the NSE and the Department of Defense to stop the Open Skies Treaty because what we identified was these Washington flights that were taking place from a treaty that was 20 years old were flying over the US. Yes, they were taking pictures of military basins. But more importantly –.

 

Prof. Jamil N. Jaffer:  Which is what they were allowed to do. That’s what they’re supposed to do back in the day.

 

William Evanina:  What they’re allowed to do, but more importantly, they were taking pictures and videos and photos of stadiums, water treatment facilities, gas and oil pipelines, petroleum pipelines. Well, that’s not part of the treaty. And why would they be doing that if not for nefarious capabilities? Right? And then what we were able to do was to show, “Okay, this flight came over today and took a video of a petroleum facility in Houston, Texas. Well, also at the same time, a Russian spy was seen in and around that facility.” So it was [Inaudible 20:26] collection in critical infrastructure. Right? So it was really that delving out of government/military apparatus into the intelligence collection of critical infrastructure. And, again, back to your point, the government has a responsibility, in my mind, to advise and inform those companies that you have intelligence collection ongoing against your facilities or your business.

 

Prof. Jamil N. Jaffer:  Right. So at a minimum, one thing you might think of the government doing is is, “Look, okay, even if we’re going to leave the responsibility with the private sector because they’ve got the information, they own the systems, we’re not going to really put cyber guards at the border of the US internet even if you could identify that border to the US internet, which you can’t. Right? But if you could, we’re just not going to do what it takes to do that because that’ll cost a lot of money and be a lot of effort. And, frankly, we’d need a lot of surveillance the American people probably aren’t willing to accede to. Right? So we’re not going to do that. We’re going to put it back on the companies.”

 

But at a minimum, we should tell them, “Hey, we’re out there collecting intelligence ourselves. We got spies in foreign countries. We have cyber operations that we’re conducting. We see there may be a potential attack against you.” Right? And we’re going to let you know, “Hey, here’s what’s happening out in foreign space. You need to be prepared, be prepared to defend yourself. And, by the way, work with your colleagues in other parts of the industry to share that information and get it out there and protect one another.” So I get that.

 

But, I mean, is that -- is the government architected to do that? Can they share that kind of granular classified information with the private sector at the speed and scale they need to? And can they really operationalize that capability because it seems -- I mean, the government -- everybody has a hard time sharing classified information, right? Can they really do that at scale? Was that going to work?

 

William Evanina:  It’s a great question and a great setup to -- the answer is yes. We can. And we do it very effectively when it comes to counterterrorism. We do it very well. And we have what’s called a terror line. Right? So you could have a really sensitive, classified piece of intelligence that says, “Country X or Al-Qaeda, Al-Shabaab is targeting this building.” And then we can give a terror line to that building and say, “Hey, listen, you’re under” -- we need to do that type of activity for the nation-state threat actors because it’s very simple to do once you have that platform and framework in place, which I believe we do in counterterrorism. We just need to emulate that for nation- state threat actors.

 

Prof. Jamil N. Jaffer:  Well, so let’s talk about that. So about a year and a half ago, we had a major breach—the SolarWinds hack. It was targeting both the government and the private sector and very effective. They got through the private sector. And apparently, tons of computers, as I understand it, tons of systems in the government were breached. We may not even know how many systems were breached because they did a good job of hiding their tracks. They got authorized access. They may still be in the system. We’re trying to boot them all out, but we’re not sure.

 

Talk to us about how -- let’s say we were doing the thing you said. Right? Let’s say NCSC had all the money and the strategy and policy. We figure out who operationally should do it. We put those people out there. They’re working with industry hand-in-hand. And we fast forward to five years from now, and you’ve got all your wishes satisfied. Would we have stopped SolarWind? And, if so, how would that have -- how would that have worked?

 

William Evanina:  Yeah. Good question, Jamil. I think there’s two segments here. Number one, some of that you just referenced does happen ad hoc, whether they’re from NSA or FBI. The FBI has 56 field offices. They have private sector outreach coordinators that can do bits and pieces of that ad hoc and sometimes strategically sector by sector. CISA does it very well in the cyber perspective. Right? I would argue that most of those cyber activities are from nation-state threat actors. And that’s how NSA does it from time to time when it’s a really critical issue. But those are all ad hoc and not coordinated. So that’s number one.

 

Number two is I would proffer to you that on the SolarWinds side of things, early on, if we have the right collection emphasis messages and we’re able to identify that code development and nefarious capability overseas early, we can warn folks ahead of time if we are aggressively willing to declassify what we collect on the front end of things. Right? Sometimes, we just aren’t there yet with saying, “We see something that we think, three years from now, can be a problem.” Declassifying it is going to cause us a potential problem for how we source and method this information. I think we’re still stuck in the government in that matrix of, “Hmm, I’m not sure we want to.”

 

Prof. Jamil N. Jaffer:  Yeah. So I’ve been out for a little bit longer than you have, so I can sort of -- I’ll just say it, right? I mean, we live in other people’s computer systems and watch stuff they’re doing. So there’s a real possibility that somebody’s designing a hack against the United States. We might see it, and we might know it’s coming. Then the question becomes, “How do we tell American companies that we know this thing is potentially coming up against us? And here’s how to protect against it without revealing to the adversary, ‘Hey, we were in your systems. We saw what was happening. We know what’s going on?’” Right? So some of it is -- you said we got to declassify it. Right? But that’s a challenge because, one, the government doesn’t want to give up the fact that, “Hey, we know this thing,” because that might reveal the source and method of the collection, and we don’t want to blow that.

 

So in a practical sense, Bill, how do we -- how does the government make those decisions about what to declassify and what not to or when to do it? And is there a realistic way to make that faster, better, more efficient, work with the private sector so that we, in fact, do get ahead of these things? Or are we -- I mean, it sounds like you might be worried that it just takes too long, and we protect the information so well that we ultimately miss the forest through the trees, and systems end up getting hacked, and we have potential problems in our critical infrastructure. Even though we may have even known what was going to happen, we just couldn’t share it. I mean, that seems -- if that happens, Bill, we’re going to be back in the 9/11 scenario, where people -- there’s going to be a lot of retrospective looking back and being like, “You knew this thing and didn’t tell anybody?” Right? I mean, that’s going to be a real problem. Is that potentially where we are? And, if so, how do we get ahead of that, knowing that’s potentially where we are?

 

William Evanina:  And, too, it’s a pendulum for sure. And there’s times where we do it very successfully in the government. There’s times where we maybe are a little hesitant, and there are times where we just can’t. I mean, I think you look at the list of buckets. Let’s look recently what the US government was able to do with getting information out on invasion of Ukraine before the invasion to help Ukrainians out—more importantly, to help the world out as to what we were seeing. And I would say the old adage, “Damn the torpedo,” and say, “Listen, whatever we’re --we’re collecting it, and we’re going to let people know to save lives.” Right? So we can’t do it when we want to do it. And we do do it successfully piecemeal when it’s important.

 

And who do we tell? The CEO, the general counsel of that particular company? We let them know. My concern is how to do that more macroly. If you look at what CISA and the FBI does very successfully on these joint bulletins on cyber related events—cyber related, whether it be malware, they do it successfully. I would like to see that success happen more macroly in terms of nefarious activity of nation-state threat actors in the ecosystem, say, of economic espionage, malign foreign influence. Or what are they trying to do on supply chain? A bigger apparatus than just the ones and zeroes.

 

Prof. Jamil N. Jaffer:  Right. Okay. Well, I guess that makes sense to me. So, if we’re going down this road of this real close collaboration between government and industry, is there stuff that the government needs from industry to make it better and to make its collections more efficient and more effective? And how do we get that information, too, from industry? Is that the case that there’s still -- like, what would the government -- what would be the government needs from industry towards this partnership?

 

William Evanina:  Yeah. Great question. And there’s places and pockets where it works really well, Jamil. I’ll proffer the financial services sector, the energy sector, and to some part, the telecommunication sectors really work closely with the government organisms that are built to help them. The ISACs that are built really do a good job of sharing that information both ways in terms of back and forth. Now, it gets really tricky when the government doesn’t want to get in the knickers of those private sector companies. Right? And the financial services sector will share what they need to share, but they are the best collectors.

 

And if you put it in private -- in the really current events with tech companies -- tech companies collect more than anybody. Right? So where’s that sweet spot for going back and forth and having them share with the government what they know? And, again, the hard part there is what makes America great is that clear bifurcation between the government and the private sector. But from a threat perspective, that sharing is really, really important. And I would proffer to you again, we do it very well when it comes to terrorism.

 

Prof. Jamil N. Jaffer:  Yeah. I mean, because we learned the lesson. We learned what happens when you don’t share information. I mean, what happened, 9/11 -- might be even worth reminding people of the story since it’s been 20-plus years since that. Right? We knew that a couple of the Al-Qaeda operatives that flew those planes into those buildings on that day, we knew they were terrorists—in particular, Nawaf Al-Hazmi and Khalid al-Mihdhar. Right? The CIA was onto them. They watched them. They surveilled them at a meeting in Malaysia, in Kuala Lumpur. The CIA also knew that they had valid passports to travel to the United States. Nobody bothered to tell the FBI, which was doing an investigation with respect to the USS Cole bombing. In fact, there was some conversation about whether that information should be shared and whether it could be shared.

 

Ultimately, Nawaf Al-Hazmi, Khalid al-Mihdhar come to the US in their actual names that we knew. Nawaf Al-Hazmi sort of shockingly lived in San Diego, was in the phone book. If you go to the 9/11 museum in New York, you can see the phone book from San Diego, California, where he’s there under his actual true name. And by the time we figured this out, it was too late, and those planes were flying into buildings. And so, we learned that lesson in a catastrophic way—3,000 Americans dead. We see a similar problem—it sounds like you’re telling us, Bill—on the counterintelligence side when it comes these economic and larger national security threats, maybe not planes flying into buildings, but the economic version of that and the national security version of that. They may get these secrets. Right?

 

And it doesn’t sound like we’re quite there. So I know you recently testified before the Senate on this issue. The Senate did an investigation and issued a report. You testified about your old agency. Talk to us about some of what came out in that report. Talk to us about what your views are on what can be done differently with respect to NCSC and the larger counterintelligence staff. Where should we head from here? By the way, just a reminder for the audience—I do see one question already in the Q&A—please put more questions in here. In about five/ten minutes, we’ll turn to your questions. So if you got questions for me or for Bill about these issues in particular or other issues that are related, throw them in there, and we’ll come over to them.

 

So, Bill, what do you think about that? I mean, what are the -- how should we be thinking about the larger operation of the government in your old agency and things that could be done differently or better?

 

William Evanina:  Yeah, Jamil. Just amplifying your statements on 9/11—and I was an FBI agent back in New Jersey at the time with Flight 93—and as you reference what the CIA was doing overseas, at the same time, the FBI had intelligence failures with respect to these Saudis taking flight lessons. Right? So there was that, I would say, bicoastal OCONUS/CONUS failure of intelligence sharing. Right? And so --

 

Prof. Jamil N. Jaffer:  Right. And in effect, though, I mean, if I remember correctly, there was an internal conversation about FBI about sharing information of the intelligence side to the criminal side. And somebody had shown this amazing email that says, “One day, someday, because we created this wall, people are going to die, and everyone’s going to look back and say, ‘Why did we -- why didn’t we share this information?’” And, in fact, that’s exactly what came to pass.

 

William Evanina:  Right. So leveraging that and everything we learned from 9/11 to -- we’re all part of that, painfully as it was -- my proffer to the Senate and to Congress is that we are in a terrorism event right now. It’s a slow, methodical event, mostly by the Communist Party of China, but others, to bleed us. And, again, you mentioned the 600—I did, too—the $600 billion a year. That’s a lot of money. But that’s just what we know. Right? That doesn’t include the malign foreign influence and the legitimate economic efforts the Chinese use here in the US that has nefarious capabilities.

 

I’ll bring up, too, Huawei, right? You have Huawei. You have TikTok, and now you have the ZPMC cranes that are all over our ports. Those are legitimate economic venues for which also have dual-use capability for intelligence collection. To me, we need to be as aggressive and assertive with these issues as we are with counterterrorism. Right? But the problem is we don’t feel the pain of this damage that’s done. Right? It’s not something that’s fungible. We don’t go to memorial services. We don’t have family members who die. It’s a very slow, methodical, I would say, bleeding of the American sociological and economic ecosystems. And I do think that we have to look at it that way as we move forward to defend ourselves for the next 5 years, 10 years, and 20 years.

 

Prof. Jamil N. Jaffer:  Well, so let’s talk about that. I mean, I do feel like the American people had a little bit of a wake-up call in the last couple of years. We went through the pandemic, and we saw how reliant we are on China, for example, on PPE—personal protective equipment, masks and the like. We also found out how reliant we are on China for pharmaceutical precursors to create the vaccines we needed to—that we relied on them for a lot of this material. We’ve heard a lot of talk in the last few months and the last year about semiconductors, supply chain shortages. We’ve heard about critical minerals and how reliant we are on China for key minerals that are part of the EV transition, like cobalt and nickel. So I think the American people are starting to hear that message, and that message is starting to resonate. Right? And they also see the way that the Chinese government, the Chinese Communist Party, treats their own people in turning a million Muslims in the Xinjiang province, the way they treat democracy actors of Hong Kong, the threats they make against our friends in Taiwan. Right?

 

So I think the American people are starting to figure it out. But is it really going to take a catastrophic event before we get our stuff together, Bill? Or do you see an opportunity? I mean, the Senate’s obviously on top of this. Right? They’re asking questions. They’re bringing you up to testify. They’re writing this report. Is there the possibility that we get some sort of movement? And, if so, in your ideal world, what does that movement look like? Is it a bigger NCSC? Is it more authority? Is it more responsibility? Is it a change in the way the FBI or the CIA operates? What’s needed here?

 

William Evanina:  Well, Jamil, there’s two good questions there. Number one, yes, I believe it’s going to take a big event. Right? So as we see, and you referenced --

 

Prof. Jamil N. Jaffer:  What I wish you were going to say was -- I wish you would say no.

 

William Evanina:  No. It’s going to take -- because where’s the pain threshold for all these breaches, right? Where do we feel the pain? The companies, for the most part, they get breached. They have a small dip on their stock, and they get back at it. Right? And so, the ransomware is at its ungodly high. Right? So my thing is—what I’d fear most—is this coming winter, we have a massive electrical grid issue, gas and oil pipeline issue, that we directly tie to a nation-state threat actor—North Korea, Cuba, China—and that people don’t have heat, people die, and it’s a supply chain issue. It’s a critical infrastructure issue, and it’s also an economic issue. But it’s a China issue. It’s a Russia issue. And, to me, that’s going to be where the pain is because people will actually die, and we’re not prepared for that.

 

Now, the FBI will come in afterwards, and they’ll investigate this thoroughly with their law enforcement and their partners as well as CISA will do the cyber part of it. And the NERC and FERC, all those things will happen piecemeal because that’s what they do greatly. But overarching, there’s not one government organization that’s going to be able to advise and inform to protect those things because we are America.

 

Secondarily, I’ll say to your last point, why should it take that type of pain and suffering for us to understand that our nation-state threat actors, like China, are just as bad as a terrorist? Right? I’m not sure why we have to get there, but I’m afraid. Let’s look at the issue this past week in North Carolina with the electrical substation being shot up, right?

 

Prof. Jamil N. Jaffer:  Right.

 

William Evanina:  Forty-five thousand people don’t have electricity. It’s in North Carolina. What if it was in San Francisco or New York City and you had a million people --

 

Prof. Jamil N. Jaffer:  Some people might be happy.

 

William Evanina:  Right, yeah. So then you have massive looting, and you have all kinds of chaos. People panic.

 

Prof. Jamil N. Jaffer:  Right.

 

William Evanina:  It wasn’t that hard for people to do what they did. And if we end up tying it to a nation-state threat actor, there’s going to be really, really great cause for concern and people asking for this being an act of war.

 

Prof. Jamil N. Jaffer:  Yeah. No, that’s a great point. We have a lot of questions now. Apparently, my entreaty to folks to put questions in the chat room worked. We’ve got seven questions, so let me bring in some of the questions that actually relate to what we’re talking about right now. So Charles Gorder [sp] asks, “What recommendations do you have, Bill, to improve the analysis of all these different threads of intelligence that are coming in from various places?” Right? How do we connect the dots in this case? You drew the analogy to counterterrorism, and the NCTC, and a lot of this was created to connect those dots. Can NCSC play that role? Has it played that whole role historically? And should it play that role going forward? And, if so, what does it need to do that?

 

William Evanina:  That was a great question. And let’s say, yes. I think NCSC felt -- to respect the fact that I had that job. Right? So scalability is the problem. Right? So NCSC always served as that organization that had one foot in the intelligence community and was also able to drive that threat of intelligence to the private sector effectively. Right? So I think it has the capability to do that. But I think the key here is getting that intelligence collection out of the IC into the private sector is not as easy as it sounds. Right? And I think there has to be a conduit. And, again, look at CISA—I keep drawing connections to CISA—CISA’s a big, really important part of DHS, but they’re not part of the intelligence community. So they have to rely on INA and DHS to provide them from classified information. So there is a gap here, so to speak, with getting real-time actual intelligence to the private sector more effectively and officially than we do now.

 

Prof. Jamil N. Jaffer:  So let’s talk about that. So Stephen Harris [sp] has a question about that. So it’s a great point. I think we can all agree that it probably isn’t happening as fast or as quick as it needs to or as comprehensively as it needs to, right? So Stephen wants to know, “Is intelligence sharing where it should be?” And the answer clearly is -- I think your answer’s no. How do we get it to where it needs to be? What do we need to do? Is it more clearances for the private sector? Is it more rapid declassification? Is it give somebody the job of connecting the dots and then sharing it? How can we move that ball today? If you could wave a magic wand and money weren’t an issue—neither of which is true—how would you get intelligence sharing where it needs to be?

 

William Evanina:  Well, there’s a whole litany of things, but I would start real quickly -- authorities have to be expanded to allow that to happen from the intelligence community more effectively and working with their partners. Two, I think there has to be a real clear dialog with the private sector and, again, against, I would say, the top 10 critical infrastructure sectors. What do you actually need from the government? Right? There needs to be that conversation. Instead of just throwing more noise at them, what do they actually need in real-time collection to be able to protect what they build, IDA, and manufacture? Right? So I think that has to happen more effectively. And I do think NCSC has the capability of doing that or an organization like NCSC who doesn’t have a primary other mission to be in that counterintelligence space. Right? There needs to be that organization that’s not recruiting spies/protecting from spies.

 

Prof. Jamil N. Jaffer:  Yeah. So you need a separate, independent agency and you keep mentioning CISA. That’s the new Cyber and Infrastructure Security Agency that lives inside of DHS but has some measure of independence. It’s got this charter. It’s got a budget. Right? So it may not have quite the independence that you’d want for this new revitalize NCSC. But CISA, at some level, is a model for what you’re talking about?

 

William Evanina:  Yes, it is. And I think when the Homeland Security Committee and the Congress made CISA very quickly, it had all the right intentions. And I think CISA has grown into an amazing apparatus that does what they do very well. I think going back, they just need to be included some more authorities to be able to drive some of the things from a cyber policy and to cyber directives to be able to force folks to do things and reporting. So that’ll come, but I think -- keep in mind, CISA’s pretty new here. But I do think they’re on the right path. They need to be added to more authorities. And I think -- but remember -- I don’t know this to be true, Jamil, but I would proffer that the majority of what CISA does is in the nation-state threat actor realm. Right? So is it really a cyber organization, or could it really be jeweled as a counterintelligence apparatus with cyber being the modality for which it operates in?

 

Prof. Jamil N. Jaffer:  And then you’d want another organization operative across the other modalities. Is that the theory?

 

William Evanina:  No. I think we don’t need to create any more organizations. Right? I think that’s not what I’m -- I would proffer. And like I told the Senate, I think NCSC has the authorities already—“We do what we want to do.” It’s just the scalability and resource issue. And I see it -- we look at NCSC versus NCTC, NCTC’s, I don't know, five/six times the size of NCSC. So at some point, as a government organization, we have to realize that the nation-state threat is important, and we have to reallocate some of those resources or at least make them commensurate with the threat.

 

Prof. Jamil N. Jaffer:  Yeah. Eric Biles [sp] asks the question -- you’ve now mentioned a couple times NCTC and the important role that it plays—the National Counterterrorism Center. Eric wants to know whether NCSC—your organization, the National Counterintelligence and Security Center -- how does it work with NCTC? Do they work closely together? And, given that their missions may overlap at critical places, how much overlap is there, and what are the key differences between those two organizations?

 

William Evanina:  Well, that’s a great question, Eric. They overlap almost -- not a lot. Right? So there’s very little. I mean, they are really germane. So their mission obviously to prevent terrorism -- I would say the last couple years, they’ve really refocused to the domestic threat, the lone wolf, the homegrown violent extremist. Where NCSC’s predominantly to protect the domestic landscape against China, Russia, Iran, North Korea. Right? They are separate. Now, unless there is a country out there that has an aggressive terrorist organization with and utilized by the intelligence apparatus, we would overlap. But the employees, the analysts, the leadership work really closely every day in terms of the big picture protecting our homeland.

 

Prof. Jamil N. Jaffer:  Got it. Got it. All right. So Tom Palmer is interested in knowing whether satellite warfare is relevant at all to this topic. And is there an overlap between the cyber threat that you have from nation states, the satellite threat? Is there some combination there? And what’s the relationship, if any, of all those things—satellite, cyber—to this counterintelligence issue that you’ve raised?

 

William Evanina:  That’s a great question, and it was one of the points I was going to bring up earlier. But when you look at, specifically, what the Communist Party of China is doing, I would put their threat aggressiveness in three buckets—in 5G, which is the whole Huawei issue; currently, now, the crane issue from supply chain—the ZPMC cranes; third would be space. Right? Their aggressive action in getting satellites at multiple orbits and getting licenses and patents for those places clearly drives a threat to, not only Department of Defense, Space Force, MRO, NGA, and to facilitate not only their 5G and space at the threshold level and in space, but also the movement of hypersonics around the globe.

 

So I think that is a counterintelligence issue similar to what CFIUS is in terms of protecting foreign investment in the US. Big picture, they’re all countering foreign intelligence collection and promulgation around the US. So, to me, they’re all part of this apparatus, and space is the currently new frontier we face, specifically when it comes to the Communist Party of China.

 

Prof. Jamil N. Jaffer:  Gotcha. That makes sense. Well, great question, Tom. So one of our other attendees wants to know more about the potential threat that we might have for this information sharing because we talked a lot about the need to share information. Right? And this came up post 9/11 as well. Right? Not everybody trusts our government. Right? We, as Americans, come from a background of we didn’t trust the British government and [inaudible 44:51]. That's why we have those first ten amendments in the Constitution—the protections of our privacy and civil liberties. And he’s concerned about this sharing of information between -- he or she is concerned about the sharing between intelligence and domestic law enforcement.

 

Should we be worried about too much information sharing? And how much should we be worried about that internal -- even to the insider threat actor? Right? What about the Chelsea Manning threat? Right? When we have folks like that that might reveal classified information—Edward Snowden, who was in there, has now become a Russian citizen, traitor that he is—talk to us about how we should think about privacy and civil liberties as we’re talking about more and more information sharing.

 

William Evanina:  Well, the whole dichotomy with respect to the gray space between privacy and civil liberties and security is one that will be talked about forever. Right? And again—and I’m not going to apologize for being on the government’s side of that—we need to overshare. And sometimes, we need to sacrifice a little privacy for the protection, not only of our nation, but our systems, our data, and our people. Right? That just comes with it. Right? When you get your security clearance, you give up a lot of rights for that security clearance, and you can become an insider threat. Or you go online, and you do something nefarious on a government computer, you pay the penalty.

 

Now, we are not doing as good as we should be doing in that respect. But I’ll also proffer to that question that, if you look at the last four years, some of the most destructive thefts of intellectual property and trade secrets came from the insider threat in the private sector. You could just go on DOJ’s website and Google. Right? From Harvard to MIT to General Electric to a million different companies that have lost their IP—and those companies have lost those business capabilities around the world—that insider threat was able to affect their nefarious activity because sometimes they weren’t being watched carefully enough by that company because of privacy and civil liberty issues. So it is a really, really difficult discussion that will go on for the next decade.

 

Prof. Jamil N. Jaffer:  Yeah. That’s really interesting. So another one of our attendees is interested in knowing about this TikTok issue. Right? I mentioned it. How do we balance this potential interference in private enterprise with TikTok, which is -- we debate whether TikTok’s a privately owned company or not, they claim to be a privately owned company in China, but we know how the Chinese government operates. There is some discussion about -- we’ve seen a lot of people -- Mike Pompeo has tweeted about it. Right? Tom Cotton has tweeted about it. We know the FBI director has raised the issue about TikTok and its collection of Americans’ personal data. Right? How concerned should we be about TikTok? What’s the real threat? And should we be worried if we’re monkeying around, even if it is a Chinese company? The private sector is sort of saying, “Hey, we’re going to ban a private company from selling their goods in the United States.”

 

William Evanina:  To me, TikTok is current, relevant, and it’s really important for tech right now because listen, there’s no doubt that it’s a Communist Party of China company, right? Tencent, ByteDance, those companies -- or ByteDance, who owns TikTok, is partnered with the Communist Party of China. So for them to say it’s a private company is just false. I do think --

 

[Crosstalk]

 

Prof. Jamil N. Jaffer:  What do you mean by that? When you say they’re partnered with the government of China, what does that mean realistically?

 

William Evanina:  So in 2017, China reinforced some of those laws that said, “If you are a company that is Chinese here in China or around the world, you are obligated to provide anything and anything we want from a data perspective.” And it was very specific to, not only the company, but to CISO, the CIO, the general counsel. So that data flow from Alibaba, ByteDance, Tencent has always been proven to be a free flow of data to the Communist Party intelligence apparatuses.

 

Prof. Jamil N. Jaffer:  Yeah. But can I ask you a question about that? A lot of people say -- a lot of people say, “Okay, yeah, I got that, Bill. I got it. The Chinese government taking all this data, right?” But we have laws that require Google and Facebook to give information to American -- that require American companies that give information to the US government. Isn’t that the same thing, or is there a fundamental difference between one case -- the Chinese Communist Party’s judge, jury, and executioner. There’s no limitation. In the US, we have courts and oversight and Congress. I mean, is it the same thing, or is there a fundamental difference in these operations?

 

William Evanina:  Great question, Jamil. We could talk about this for four hours. It’s not even close. Right? So, as Americans, we grew up in this country. Clearly, there’s a difference between the government, the private sector, and the criminal organizations. In China, they’re all the same. Right? So the Alibaba, Tencent, ByteDance -- those people who were running those companies have brothers and sisters and aunts in the politburo—in the Chinese government. Right? So they work together. In the US, yes. Can the government ask via a court-authorized document, a subpoena, or search warrant for Jamil’s records very specific?

 

Yes, they can. And they will get very specific information which is asked for through a court order, which means you have to have an agent or an officer go to a US attorney and get approved. And then you go to a judge and get that signed. Yes, that happens all the time. But that’s very specific law enforcement action. Not the case in China or in Russia or Iran, where you are obligated to provide that information.

 

Back to TikTok. To me, the issue is, as much as I’ve been saying this online and members of the bipartisan efforts on the Hill -- and I think the Biden administration has said, “Yeah, it’s a problem,” but no one’s feeling that pain, Jamil. No one’s feeling the pain. My son’s not allowed to have TikTok because I walked him through the process of why it's a problem and how we can go from his phone to my phone. We need to have an education campaign about why TikTok is a problem more than just talking points on the internet.

 

Prof. Jamil N. Jaffer:  Yeah. Well, Bill, it’s funny you talk about TikTok. My son’s the same way. I made clear to him there’s no [inaudible 50:34], but he knows. Right? He’s on top of it. But just the other day, he made his Christmas list, and he put a drone on it. It’s a DJI drone. And I said, “We’ve already talked about this. You know better.” I mean, these drones have cameras on them. They’re flying around all -- I mean, this is a real problem, too. It’s not just TikTok, right?

 

William Evanina:  Right. So, Jamil, I think what you just said there, I think, is going to go back to the germane point of this discussion. And it’s going to sound corny, but the government really needs a robust sales and marketing team that can talk about these issues to the American people, not only explain what the threat is, but why it matters. Why is Amazon Alexa -- if you don’t treat it right, why is it a problem in your home? Right? What is the safety or lack of safety on internet things with respect to China and Russia? I think NCSC or something like that could really build that apparatus and scalable, but the government needs to be more effective in doing these things and telling the American people what these real-time threats are that are germane to today with our society or interests because we’re not doing that effectively.

 

Prof. Jamil N. Jaffer:  Yeah. So, Bill, one of our -- folks, we’re down to the last eight minutes, so please, if you do have more questions, throw them in the chat feature, and we’ll go and try to get as many of them as we can. So Tom Palmer asks -- you had mentioned the potential -- there’s a potential takedown of significant critical infrastructure systems. If internet and cell service are disabled, Tom wants to know, “Can our defense agencies and the executive branch still communicate in a scenario where the typical internet and cell service are down?”

 

William Evanina:  To some degree, yes.

 

[Crosstalk]

 

Prof. Jamil N. Jaffer:  I think I’ve stepped carefully -- yeah. I think I stepped carefully here.

 

William Evanina:  Yes. To some degree, yes. To some degree, no. And I’m not going to get too much into this and the classified. We’ve come a long way since 9/11. But more importantly, we’ll just take the government and defense department away. My concern would be first responders, emergency services, state and local governments. Can they communicate and respond effectively if their communication systems are down or energy is down? To me, if you look at what happens in a hurricane or a massive tornado—and that is now caused by a nation-state threat actor—are we able to communicate and live in that space?

 

Prof. Jamil N. Jaffer:  Yeah. No, that makes a lot of sense. What another one of our attendees asks the question about -- again, we’re going back to this information-sharing construct. Right? And a concern about information sharing is that some of these agencies, the SEC for example, has regulatory authority, and they might use information sharing to bring regulatory proceedings. They might file lawsuits. Private actors, if the information comes out, the government has very broad FOIA obligations. Right? They might bring proceedings, either regulatory or litigation, against companies that challenge their disclosures or use that information against them. Is there a worry about the adverse consequences to the American private sector that, ultimately, not only harms the companies, but also damages the ability and the willingness of people to collaborate with the government? What about that? Is that a worry in this space?

 

William Evanina:  It is, Jamil. It’s a great question. And I was part of these discussions years ago when we started the conversation of mandatory reporting and can the SEC or military component use that information against you. To me, it’s an easy fix. You just put it in legislation that it can’t be. Right? It’s just really simple. So to say, “Hey, if you were doing the right thing by notifying your regulatory agency or the FBI or CISA you’ve been breached, then you’re going to be held harmless from regulatory action.” That’s the simple fix.

 

Prof. Jamil N. Jaffer:  Or litigation.

 

William Evanina:  Or litigation. It’s four sentences in the legislation. That’s an easy win for me.

 

Prof. Jamil N. Jaffer:  Yeah. That’s a great point. We spent a lot of time thinking about this on the cyber information sharing front back in 2010 when we were at the first information-sharing bill, and we provided that kind of liability protection. Unfortunately, between the negotiation between the Senate and the House, when they finalized that bill in 2015, some of that language got pulled out. And now, you wonder why, if there’s regulatory and liability exposure and potential litigation, every lawyer who’s on this call is going to advise their client, “Do as little as possible. Wait as long as possible,” not because you don’t like the government, not because you’re trying to help the country, but if they’re going to expose me to regulation or litigation, I’m not going to give you everything you want. I’m going to give you as little as I have to. Right? I’m going to do --

 

[Crosstalk]

 

William Evanina:  It’s a bad business decision.

 

Prof. Jamil N. Jaffer:  -- [Inaudible 54:34] no more.

 

William Evanina:  Yes, it’s a bad business decision. Your general counsel will say to report if we’re not protected. Right? And, to me, back to your 2010 analogy, lobbyists got involved because litigators have a lot of power, and they don’t want to lose space in that compendium to be able to litigate. So, to me, legislation can happen very quickly with a paragraph saying you’ve been held harmless from regulatory action or litigation if you do the right things in reporting in a timely manner.

 

Prof. Jamil N. Jaffer:  Yeah. No, I mean, I tell you, the biggest opponents of regulatory liability protection for companies doing the right thing -- and, by the way, we had an exemption where you’re clearly doing something wrong knowingly. But the biggest opponents of that were the trial lawyers who want to bring massive litigation and make attorney’s fees off of this stuff. So I totally hear you on that.

 

      So we’ve got one last question. Our last question is going to be from David Chu. David asks about the Colonial Pipeline case. And he says, “Look, in that case, the government was able to recover some of the ransom that was paid. Is this a new capability, and would that be available to other folks who are affected by ransomware attacks?”

 

William Evanina:  Well, David, good question. And part of my business and what I’m out there telling clients is that paying a ransom is a business decision. Right? And now, the ransom now is different than what it was three years ago when you were going to get your power turned on or your systems back up. Now, it’s about data—the theft of your data. We’ll give you your data back, maybe, if you pay the ransom. My only admonition would be, if you’re going to make a risk-based decision to pay the ransom, have the FBI right next to you when you do it. So they are probably running at a 50 percent clip of success rate of getting your money back. So, if you’re going to make the business decision to pay it, have the FBI there right next to you so they can track that money and hopefully get it back to you in the future.

 

Prof. Jamil N. Jaffer:  Awesome. Well, Bill, look, what a great conversation. Thank you for bringing this issue to our attention. Really appreciate you spending the time with us. Folks, Bill Evanina, the head of the Evanina Group and the former Director of the National Counterterrorism -- sorry -- Counterintelligence Security Center. Bill, thanks for your service, and thanks for all you do.

 

William Evanina:  My pleasure, Jamil. And thanks for everyone that’s been listening as well as being on here, and as well as thanks for The Federalist Society to be able to put this on to have these conversations. It’s a really good dialog with not a lot of concrete answers, but awareness is the most important part of the cure.

 

Prof. Jamil N. Jaffer:  Jack, over to you.

 

Jack Capizzi:  Thanks a lot, Jamil. Well, with that, on behalf of The Federalist Society, I want to thank both Bill and Jamil for the benefit of their valuable time and expertise today and for our audience for joining us as well. We always will be willing to hear listener feedback by email at [email protected]. As always, keep an eye on our website for upcoming webinars. Later today, at 3:00 Eastern, we have one on the Courthouse Steps Oral Arguments in the Moore v. Harper case in the Supreme Court. And with that, thank you all for joining us today. We are adjourned.