Written by Thomas Langer
Once more, I was given the privilege to have a candid conversation with the Defense Counterintelligence and Security Agency (DCSA) and interview Assistant Director David Stapleton, who is responsible for the Critical Technology Protection (CTP) mission. You can read more about his impressive background and experience in his official biography here.
We appreciate Assistant Director Stapleton for graciously taking the time to share his vision for protecting our nation’s most critical assets.
Tom Langer (TL): Assistant Director Stapleton, welcome to this new role and thank you for taking time out of your busy schedule to speak with us. We are grateful for your past and continued service to the nation, and also compliment you on such an impressive career in both industry and government. Let me begin by asking how that varied experience shapes your approach to the critical technology protection mission at DCSA?
Assistant Director David Stapleton (DS): Tom, thank you for the opportunity to contribute to this blog and thank you for that question. Our backgrounds and experience certainly shape all of our work views, and my focus is to bring an interdisciplinary approach to critical technology protection from across academia, business, and the military. In particular, we are really focused on a holistic perspective to the mission that leverages the inherent incentives of these stakeholders to protect critical technology. That is NOT to say that I believe it was done poorly in the past or had the wrong focus. I am always bothered by “leaders” who cheapen the hard work of predecessors in an effort to make their efforts look more impactful. There are tremendous resources, authorities, and people at DCSA, who have been mobilized against our strategic adversaries. I greatly appreciate the security professionals we have at DCSA and across the interagency. They are all dedicated to the mission of protecting this nation’s security, and I just hope to bring additional perspective that helps better contextualize our work within the larger strategic imperatives across economics and global competition. The DCSA workforce certainly understands that their work really impacts our nation’s security and its future. That impact is what keeps us all highly motivated (and caffeinated) on a daily basis.
TL: Over the past few years, there have been a number of initiatives to reformat the security vulnerability assessments within industry to identify critical technologies and risk-rate those technologies and prioritize assessments accordingly. Given the change in DCSA leadership, the growth of the agency, mission reset and, of course, the way COVID-19 changed how industry and DCSA interface, what will industry assessments look like when a new normal returns?
DS: DSS in Transition, and later, Risk-Based Industrial Security Oversight, both taught us a great deal. We took the best of those lessons and recently trained the workforce on the Enhanced Security Vulnerability Assessment or ESVA. This ESVA is what we will be doing when a new normal returns. This ESVA will offer consistency, scalability, and flexibility to assess NISPOM compliance and elevate security awareness within industry C-suites of the risk posed by threats to facilities and classified contract performance. We are, and will remain, focused on the protection of critical technologies resident in industry. The process is a highly flexible and proactive approach that starts with intelligence, a new comprehensive self-inspection, and when necessary, a Standard Practice and Procedures document. While leading our oversight efforts, our expectations will be elevated. We expect our team to step up to our responsibility to the taxpayer by holding our stakeholders accountable. Industry can and should expect from DCSA that they will receive the same response, regardless of who they speak with within CTP or DCSA. When necessary, we will invalidate industry partners who are not willing or able to meet the standard. That standard is there to ensure that the participants who are doing the right thing are rewarded with a fair and level playing field that will not be knowingly or unknowingly exploited by those who do not meet the standard.
TL: During a late October NDIA Round Table, you noted that most companies in the “DOD Ecosystem” do not have adequate national security screening. One suggestion was to incentivize companies to take this on. How have recent events impacted this effort and the other priorities for DCSA?
DS: I am not sure if you are hinting at a specific event, but recent security lapses in both government and industry have underscored the importance of investing in security programs. These have historically been seen as cost centers, but they are really preserving the sources of revenue and offer a quantifiable return on investment. Additionally, emerging government policy and fresh public law (116-92 Sec 847) have actually accelerated development of a pair of capabilities at DCSA to review the Defense Industrial Base (DIB) security programs/ownership profiles. This mandate should highlight a company’s dedication to security and incentivize them to invest further in their security to meet the intent of the programs.
TL: The counterintelligence (CI) mission for your agency is a large one indeed. You’ve had a lot of experience in counterterrorism and counter narcoterrorism, developing a deep knowledge of what works and what doesn’t. As we asked Director Lietzau last year in this blog, what more can industry do to assist you in this mission and secondly, what are your expectations for industry in tackling the threats within their own companies?
DS: I appreciate the idea and willingness for industry to assist. This is an important concept, and we do see shared responsibilities and partnership as core to our mission. When industry has difficulty complying, we expect you to notify us immediately and will work through any challenges in good faith, but we must have accountability if we are to defeat near-peer adversaries. The stakes are too high to simply express our desire…we need to always back up our words with actions.
TL: Leaving the politics aside, a change in administrations always brings about changes in missions and national priorities. By the time this blog goes live, we’ll likely have a new Secretary of Defense and new leaders in the Intelligence Community (IC). What priorities do you see emerging for DCSA and what can industry do to help you?
DS: I believe our priorities in DCSA will largely remain the same and that the fight against our adversaries remains collaborative and bipartisan. Our mission statement is that we are “America’s Gatekeeper.” Through due diligence, industry engagement, counterintelligence support, and education, we secure the trustworthiness of the United States Government’s workforce, the integrity of its cleared contractor support, and the uncompromised nature of its technologies, services, and supply chains. I don’t see that mission changing because those services are vitally important, no matter who occupies the government’s senior leadership positions. We know that highly effective security is challenging, but we know that the cost yields a return on investment for the medium and long-term prosperity of industry and our nation.
TL: I know there are limitations about what you can openly discuss regarding the recent major technology hack, but is there anything industry should be doing or looking for in our own organizations in response to such a significant event?
DS: I assume you are referencing the SolarWinds hack. Industry can help by recognizing the threat and taking the extra steps to undertake due diligence regarding services and products. We are working extensively to develop methods to better support industry. At the end of the day, many of these supply chains originate from countries of concern, and HOW you acquire these products and services can be important. When you buy from companies with ties to a country of concern, you make their jobs of being able to target your company and organizations that much easier. You may have a quantifiable savings in the moment that you purchase those products or services, but at immeasurable costs to your company from sophisticated actors. It is essential to be a careful and informed buyer of all of your services and products.
TL: One hot topic on everyone’s mind is how DCSA will assess and rate facilities in the defense industrial base. There continues to be a lot of discussion about the ratings process and how they will be determined. Can you offer any insight?
DS: Our team is working on this now and we will roll it out with the new ESVA process. We believe that the security rating enhancements have outlived their usefulness, so we have looked closely at the work that was done with the security rating score. We applaud this effort, but it ended up being way too complicated, and outside of the scope of our area of expertise. As I previously mentioned, we want a rating process which is fair, transparent, and consistent, yet adaptive.
TL: Public/private sector collaboration is playing an increasingly important role in protecting our national security interests. The private sector remains the hub of innovation for critical technology, and government must work hand-in-hand with its industry partners to ensure the U.S. retains our military and economic advantages. Do you have any recommendations for private industry as to how they can best collaborate with DCSA to achieve this mutual goal?
DS: Take seriously the security of your intellectual property, services, and products. Stay aware of the threats to our national security and be an informed buyer of products that are not sourced by our adversaries. Use the security courses and training programs provided by our Center for the Development of Security Excellence (CDSE) to learn security best practices. And, when they are available, participate in future DCSA programs that will provide certifications for industry for having effective security programs.
TL: Are there any final thoughts or requests you would like to share with industry partners to help support the DoD/DCSA mission?
DS: We have all got to realize that we are in a fight with adversaries who intend to dominate us in all domains of national power. Access to the massive spending from our nation’s consumers is allowing our adversaries to gain revenue from within our own markets to supplant us in critical technologies, while also introducing immeasurable costs in our supply chain. Consumers and industry are on the front lines of that fight because where we purchase our goods and services will provide the revenue that will determine the fate of the free world.
TL: I would be remiss not to ask you, as a former goalie for Georgetown University Soccer, do you have a favorite Premier League team?
DS: All that matters to me are the men’s and women’s U.S. national teams, USA Olympic teams and Georgetown soccer teams. The experience at Georgetown taught me to follow your passion, work your hardest, and that anything in life is possible. Just be ready when your moment arrives.
TL: Thank you again for taking the time to share such valuable insight and information with us. We look forward to partnering with you and supporting the DCSA mission.
About the Author
Mr. Thomas Langer has a 30-year track record as an industry security executive, including 20 years with BAE Systems, and will be periodically sharing his knowledge on crucial, relevant topics here on this Blog page. Learn more about Thomas here.