When John Brennan became director of the CIA in 2013, he set out to bust the silos and cultural blockades that prevented the smooth flow of information among agency groups and their partners around the world. Much has changed since then, Brennan said on Wednesday, as now government agencies are better able to connect data points in a way that could have prevented the 9/11 terrorist attacks.
“If the same data points that were available prior to 9/11 were available today, there never would have been a 9/11,” Brennan told attendees at the SecureAuth Intersection 2018 conference at the Watergate Hotel in Washington DC.
The irony of the conference location, where the country’s “most notorious privacy breach” occurred, was not lost on the former CIA director, who noted that technology differentiates the Nixon-era break-in from large-scale breaches today.
Speaking to the vast attack landscape that organizations and individuals face and underscoring the importance of assuring and verifying identity, Brennan pointed to his own personal encounter with hackers – the teenaged Crackas With Attitude gang that used social engineering techniques to hack his dormant AOL account in 2015. “They presented themselves as technicians to my ISP,” said Brennan, joking that “the most embarrassing part was that people thought I was still using AOL.”
Last April, a British teenage hacker was sentenced to two years in prison for his role in the hack.
Post-September 11, President George W. Bush authorized the intelligence community to put together a new integration center where they could share intelligence – a complex that eventually became the headquarters of the National Counterterrorism Center. Brennan was that organization’s first director, from 2003-2005, but the IT systems were there “not robust enough to integrate these systems” from different organizations, said Brennan. Under his desk at the facility, “I had about eight servers or so that were there... trying to do a search against the different systems that were not compatible.”
After a stint in the private sector, Brennan was called back into government by President Barack Obama, first as assistant to the president for Homeland Security in 2009, and then later as CIA director in 2013. But he was frustrated with what he found at the CIA – silos and cultural barriers to information.
“…When I got to the agency, one of the first things I did was to order up a cybersecurity review, because coming back to the agency, I felt as though the security responsibility, particularly in the digital environment, was rather scattered,” said Brennan, added that this condition impeded “the ability to leverage capabilities and expertise within the organization.”
Noting how integral the digital and cyber environment had become to the agency, “I wanted to make sure that the overarching enterprise architecture of the CIA’s digital environment was one that was able to be leveraged in a very timely and efficient manner, but at the same time... protected,” Brennan further explained.
The challenge was immense, especially considering he was heading a geographically dispersed workforce charged with the global responsibility of protecting national security and the lives of individuals.
Indeed, Brennan said his second go-round with the U.S. government installed in him a “Socratic wisdom,” as he began to “understand just how difficult and challenging it is in order to secure” the cyber domain, “an environment that doesn’t respect sovereign borders, an environment that really does require there to be tremendous, tremendous engagement on the part of government and the private sector, if we’re going to take full advantage of it.”
To this end, a key solution for many government and private-sector organizations is the concept of identity and access management technology, said Brennan, as it helps them strategically restrict access to certain systems and data based on their rules of data governance.
Also at the conference, Brennan renewed his call for Congress to form an independent commission – like the 9/11 Commission and the Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism – to thoroughly assess evolving cyber risks and determine ways to make cyber more secure, and also determine what the role of government should be in overseeing the internet.