Adversaries can reconstruct classified information from unclassified data, warns White House official

TALLINN, ESTONIA — The proliferation of sensitive but unclassified information poses a major security challenge for NATO members, a White House official said on Wednesday, due to the ability for nation-state adversaries “to take seemingly disparate unclassified data elements and reconstruct classified information from them.”

Delivering a keynote opening the 15th annual International Conference on Cyber Conflict (CyCon) in Tallinn, the White House’s acting national cyber director, Kemba Walden, noted that protecting classified data had been an issue “of immense concern for decades” pre-dating digitalization.

While information technology has made protecting this data more difficult, “the fundamental tenets of working with cleared defense contractors to protect sensitive information has not changed,” Walden said.

But she warned it was a game-changer for cyber spies to have the ability to steal unclassified information and then use advanced data analysis techniques to reconstruct material with serious national security sensitivities for the target country.

“Thirty years ago, physically breaking into dozens of defense subcontractors’ offices to make off with reams of paper and then somehow making sense of it all would have been a massive intelligence operation. Today, it’s done in a matter of a few clicks,” Walden said.

Cyber thefts of defense contractor information and of very large datasets on the public — including from the credit reporting business Equifax and the U.S. Office of Personnel Management — have been attributed to hackers working for China.

William Evanina, the former top counterintelligence official in the U.S., told Foreign Policy magazine that Chinese technology companies were providing assistance to Beijing to process this bulk data and make it useful for China's intelligence services.

Walden said the U.S. was attempting to address the risks posed by an adversary combining data stolen from a wide range of smaller sources by introducing new contracting requirements “to ensure that anyone processing sensitive data, whether a first-tier supplier or a sixth-tier one, meet appropriate and necessary information security requirements.”

She cited the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), which is designed to harmonize the approach across the whole of the U.S. defense industrial base, including hundreds of thousands of suppliers.

“While we’re making progress, it is a very thorny challenge,” said Walden.