Where Industry and Security Intersect
What's New | Sitemap | Search
 |
| Under Secretary of Commerce Kenneth I. Juster |
Minister Sibal, distinguished guests, ladies and gentlemen. I am delighted to be here today to address the Indian-U.S. Information Security Summit. I am especially pleased that this conference is occurring at a time when our two countries have concluded Phase One of our Next Steps in Strategic Partnership initiative. As our two leaders, President Bush and Prime Minister Singh, have rightly declared, U.S.-India relations “have never been as close as they are at present.”
Information security – also known as cybersecurity – is one of the keys to unlocking the full potential of the trade and technology relationship between the United States and India. All levels of society today – from individuals, to companies, to governments – rely on information technology and information networks in their daily lives – to communicate, to manage activities, to transact business, and to provide essential services to the public. As commerce between the United States and India continues to expand, consumers and corporations will seek to ensure that their personal information and business proprietary data are secure, and that information services are reliable and protected. Without an adequate level of security, we run the risk of backlash among consumers and loss of confidence among business people, which could severely limit progress in our trade and technology relationship.
This conference provides an ideal venue to consider these issues and focus on best practices for improving cybersecurity policies in the public and private sectors. I want to thank the two principal sponsors who have organized this conference – the National Association of Software and Service Companies (NASSCOM) and the Information Technology Association of America (ITAA). In addition, I would like to recognize the support provided by the various ministries and departments of the Indian and U.S. governments that are participating in this conference. I might add that I am particularly pleased to be sharing the podium this afternoon with Minister Sibal. His brother, former Foreign Secretary Kanwal Sibal, joined me in November 2002 in launching the U.S.-India High Technology Cooperation Group, which has played an important role in promoting bilateral trade and, more broadly, U.S.-Indian relations. It augurs well for our success that Kanwal’s brother Kapil is now also a joint venture partner in this collaboration.
I would like to begin this afternoon by addressing the relationship between international trade and security. I will then focus on the critical of role of cybersecurity in the U.S.-India trade and technology relationship, on our joint efforts to enhance cybersecurity, and on the importance of working in partnership with private industry to develop and implement cybersecurity policies and practices.
As Under Secretary of Commerce in the U.S. Government, I oversee the Bureau of Industry and Security. As our name suggests, we are responsible for issues where business and security intersect. These include strategic trade controls, imports and foreign acquisitions that affect U.S. security, and industry compliance with international arms control agreements.
One of the basic truths that I have learned in managing these issues is that international trade can only flourish if it is built on a solid foundation of security. Indeed, in today’s world, trade and security are more closely intertwined than ever before. While globalization has brought increased trade and economic interaction, which have contributed to economic growth and the generation of wealth, it has also presented new threats and new risks. Many of the forces that drive globalization and facilitate commerce – such as our globally integrated information and communication networks, transportation systems, and financial networks – can also be used by criminals and terrorists to threaten our security and our economic well being. That is why trade and security must be pursued in tandem; they are and must be seen as complementary rather than competing mandates.
It is this principle – security as the foundation for trade – that drives the growing high-technology relationship between the United States and India. As the United States and India expand economic interaction, each partner must have confidence that the other will protect the privacy of personal and financial data, protect the rights of intellectual property holders, and not permit the diversion of sensitive goods and technologies to unauthorized destinations or inappropriate users. If these security concerns are properly addressed, then I firmly believe that we will continue to see an upward trajectory in our trade and technology relationship.
It is with this premise in mind that, in November 2002, our two governments, through then-Foreign Secretary Sibal and myself, formed the U.S.-India High Technology Cooperation Group – or the HTCG. This Group provides a forum for our governments to discuss strategic trade and security issues as well as trade facilitation measures. In the area of strategic trade, we are working to strengthen national export control systems while also reviewing U.S. export licensing processes and policies, so as to grant India expanded access to sophisticated U.S. technologies, consistent with our laws and international commitments. At the same time, we are seeking to create the appropriate economic environment for facilitating high-technology trade by identifying and lowering tariff and non-tariff barriers in India to such trade.
The HTCG works in partnership with each country’s private sector, which is in the best position to identify obstacles to high-technology commerce and propose specific policy changes. Our focus to date has been on information technology, life sciences, nanotechnology, and defense technology. Indeed, the idea for this conference on information security originated last November in Bangalore, at the time of our second private sector forum under the auspices of the High Technology Cooperation Group. This conference is, in effect, our third HTCG private sector forum, and Foreign Secretary Saran, my current HTCG co-chair, and I both eagerly await the policy recommendations that will come out of your discussions.
It is important to note that, since the HTCG was established, high-technology trade between the United States and India, including licensed trade, has grown substantially. For example, in our fiscal year 2002, which ran from October 2001 through September 2002, the U.S. Government approved 423 license applications for dual-use exports to India, valued at almost $27 million. We have just completed fiscal year 2004, and in the last two years since we established the High Technology Cooperation Group, we have seen these numbers increase dramatically. Indeed, for fiscal year 2004, we received more than twice as many license applications as in 2002, and our approval rate jumped from 84 percent to 90 percent. Thus, we approved 912 applications, and the overall value of licensed dual-use exports from the United States to India exceeded $90 million. This is more than triple the value of such exports just two years earlier.
Clearly, the establishment of the High Technology Cooperation Group has begun the process of building confidence between our two countries for increased trade in sophisticated dual-use goods and technologies, as we work together to enhance security.
At the same time, however, we realized that we needed to develop another process in order to address the broader strategic relationship between the United States and India, including in some of the most sensitive areas for potential cooperation.
That is why, in January of this year, President Bush and then-Prime Minister Vajpayee agreed to a strategic framework to expand cooperation in four specific areas important to both countries: high-technology trade, civilian space programs, civilian nuclear activities, and missile defense.
This strategic framework is known as the Next Steps in Strategic Partnership – or NSSP for short. It is designed to progress through a series of reciprocal steps that build on each other. It responds to India’s desire for increased access to U.S. technology for peaceful purposes by liberalizing trade in such technology in a manner that is consistent with U.S. nonproliferation laws and obligations, and does not contribute to India’s programs for nuclear weapons and their means of delivery.
The NSSP is grounded in the realization that what unites us is stronger than what divides us. It acknowledges India’s role as a major power, while appreciating that it takes time to build a lasting strategic partnership. It sets up a process to create and build upon successes, while establishing habits of cooperation that extend deep into the governmental fabric in both countries.
The September 21 meeting between President Bush and Prime Minister Singh celebrated the completion of the first phase of the NSSP. This included the implementation of measures to address proliferation issues and to ensure that U.S.-origin goods and technologies are used in accordance with U.S. export control requirements. These measures allowed the United States to make modifications to U.S. export licensing policies that will foster increased cooperation in commercial space programs and permit certain exports to power plants at safeguarded nuclear facilities. The specific modifications were as follows:
We believe that conclusion of Phase One will lead to significant economic benefits for both countries. In fact, these licensing modifications are expected to reduce the number of applications submitted for exports to ISRO subordinate entities by approximately 80 percent, and reduce the total number of applications for all dual-use exports to India by approximately 20 to 25 percent.
Equally important, the NSSP is designed to send a strong signal to the publics of both countries that our two governments are committed to moving forward through joint activity. Indeed, the United States and India realize that a genuine strategic partnership requires a strong commercial underpinning that builds trust and positive relationships throughout both societies. That is why the NSSP is combined with engagement with the private sector through the U.S.-India Economic Dialogue and the High Technology Cooperation Group, fora which together address a broad array of trade, economic, and security issues.
One of the important components for the expanding trade and technology relationship between the United States and India is cybersecurity. Cybersecurity involves the protection of information networks and computing assets. This includes (i)protecting sensitive information from unauthorized disclosure or interception, (ii)safeguarding the accuracy and completeness of information and software, and (iii) ensuring that information and vital services are available to users when required.
Many observers call the era in which we live the “Information Age” because our economies and our security are dependent on information technology. At the core of this global digital economy is the Internet, which is composed of millions of interconnected computer networks that power today’s marketplace. Businesses and consumers use the Internet to gather information, to purchase goods and services, and to handle financial transactions. Indeed, the ubiquity of the Internet has forced companies to reconsider business models, adopt new technologies, and seek efficiencies by leveraging their use of the Internet. Governments also rely on information technology and the information infrastructure to facilitate the delivery of essential services to the public.
While the Information Age has brought innovation, economic growth, and a higher quality of life, it has also spawned new and unique vulnerabilities. Computer systems and networks create new avenues for malicious actors – ranging from hackers and common criminals to foreign intelligence agencies and international terrorists – who can do damage to all of us. In an age when entire industries – such as telecommunications, banking and finance, transportation, and energy – rely on information technology, we are now vulnerable to cyber attacks and cyber terrorism, including viruses, malicious code, denial of services attacks, and identity theft.
In fact, while a cyber attack would not, of course, be considered a weapon of mass destruction, it can be thought of as a weapon of mass disruption. One person with relatively little training, inexpensive equipment, and access to the Internet has the potential to disable an entire network or infrastructure. The financial and other costs related to such attacks are enormous.
Corporations are on the front lines of the Information Age, and they routinely face the threat of cyber attack. According to a survey released in September of this year of over 8,000 information security professionals in 62 countries that was conducted by PricewaterhouseCoopers and CIO magazine, 69 percent of the respondents reported that their organizations had experienced downtime related to security breaches, with 37 percent reporting downtime of more than four hours. About 28 percent of the respondents reported damages from such security breaches, with 5 percent reporting damages of more than $500,000. While hackers had perpetrated the bulk of the attacks, the survey found that current employees had caused 28 percent of the breaches and former employees had been responsible for 21 percent of the breaches.
The U.S. Government recognizes the threat of these vulnerabilities to our economy and security, and has developed a national strategy to address them. In February 2003, the Bush Administration released its National Strategy to Secure Cyberspace, which seeks to marshal government and private sector resources to prevent cyber attacks on America’s critical infrastructures, reduce national vulnerability to such attacks, and minimize damage and recovery time from attacks that do occur. The Administration identified five national priority areas for our government’s attention: first, a national cybersecurity response system; second, a national cyberspace security threat and vulnerability reduction program; third, a national cyberspace security awareness and training program; fourth, securing government’s cyberspace; and fifth, national security and international cyberspace security cooperation.
This conference provides a valuable opportunity to focus particular attention on the last priority – the need for international cooperation. Such cooperation is essential because there are no boundaries in cyberspace. The vulnerabilities of the Information Age transcend national borders. Our information and communications infrastructures are converging into a seamless global network. This means that, as we transmit proprietary business data, sensitive personal information, and protected intellectual property back and forth between our countries, it is critical that we work together to coordinate and implement cybersecurity strategies and policies. This is essential for the growth of the global digital economy
The United States welcomes India as a vital partner in addressing such global cybersecurity issues. Our two economies are becoming increasingly interconnected with the growth of computer software development in both countries, as well as the growing trend in utilizing information technology-related services in each other’s country. According to NASSCOM, India’s information technology sector generated $12.5 billion in exports during the past fiscal year. Many of these services are provided to U.S. firms and consumers. And the United States clearly provides information technology services to India. For instance, a significant portion of the $3.3 billion in U.S. service exports to India in 2002 was related to services involving information technology. As these trends continue, the United States and India must work together to ensure a secure environment for information exchanges, commercial transactions, and software development.
In light of our growing interdependence in information technology, President Bush and then-Prime Minister Vajpayee agreed in November 2001 to establish the U.S.-India Cyberterrorism Initiative. Since that time, our two governments have worked closely to address cybersecurity issues. In April 2002, the two governments convened a meeting in New Delhi of the U.S.-India Cybersecurity Forum, and discussed ways to better coordinate joint cybersecurity activities regarding standards, legal and law enforcement issues, defense, and infrastructure protection.
Through this framework, the United States seeks to work with India to develop appropriate standards for cybersecurity and to strengthen national laws and enforcement capabilities. While we favor a regulatory approach that is not excessive or burdensome on legitimate businesses and consumers, we also believe it is important that national laws on cyber crime be harmonized, so that hackers and others do not move from country to country in search of lax enforcement and non-existent penalties. For that reason, we believe that the Council of Europe’s Convention on Cybercrime provides a useful model to follow, as it sets forth principles for strengthening national laws concerning cyber crimes and encouraging international cooperation on the investigation of such crimes. We urge India’s adherence to the principles in this Convention.
We also hope that our two governments can establish 24/7 watch and warning capabilities in order to help prevent and, if necessary, recover from incidents in which security is compromised. We anticipate that these and other topics will be open for discussion when we host the next meeting of the U.S.-India Cybersecurity Forum in November in Washington, D.C.
Governments, of course, can only do so much, because so many of our information systems and networks are owned and operated by the private sector. Accordingly, the cornerstone of our national cybersecurity strategy, as well as our cybersecurity initiatives with India, is an effective partnership with industry. After all, industry is in the best position to identify threats and vulnerabilities, articulate the need for security and protection of assets, and share ideas and best practices for the development of cybersecurity technologies, policies, and programs.
This conference is a significant and concrete step toward building an effective public-private partnership. I am confident that by bringing together representatives from government and industry in both countries to discuss best practices, we can increase our cooperation in fighting cyber crime and cyber terrorism, and ensure the security of our information infrastructure.
Let me therefore share with you briefly my views on some of the steps that industry can take to address the global challenges of cybersecurity – steps that hopefully will be relevant to your discussions during this conference.
First, government and industry must encourage the adoption of a global culture of security by working to institutionalize a proactive commitment to information security. What are the most important elements of such a commitment? Certainly, technology is one key element. Organizations must ensure that they have implemented anti-virus software, firewalls, strong encryption and authentication, patch management, and tools for intrusion detection. And these tools must be kept up to date and properly configured.
But technology is not the only element. Too often, the assumption is made that improving cybersecurity and fighting cyber crime can be done with technology alone. That assumption is wrong. Just as the best alarm system will not protect a building if the alarm code is compromised, a network will not be secure if passwords are given out freely or individuals responsible for handing sensitive data are not properly trained or screened. Issues of good process and good people, therefore, are every bit as important as having the right technology.
Indeed, it is critical at every stage that each of us as individuals take responsibility for cybersecurity. As consumers, we must be willing to take a few practical steps to safeguard our experience online. As employees, we must take training and follow company procedures. And as managers, we must be willing to invest in the development of comprehensive security measures and continuously educate all employees in them. Some have called these practices sensible “cyber hygiene.” With cyber hygiene practices in place, consumers, employees, and companies can more effectively use existing technologies. Governments can also play a part by encouraging cyber hygiene and cyber ethics among its citizens from an early age. Once we get the “people-process-technology” equation right, we will have gone a long way to implementing effective cybersecurity practices across organizations.
In addition to broadly encouraging a culture of security, governmental and private organizations must recognize that security encompasses more than just our own “internal” efforts. We must also focus on “external” security issues, such as the way in which suppliers, customers, and corporate partners protect their systems, supply chains, and data. Where necessary, an organization must work with partners to implement or improve cybersecurity policies and practices. We are only as secure as the weakest link in our information network.
Security should also be incorporated into all aspects of information and communications technology as a routine matter. You would not purchase a car, and then separately buy the brakes or the steering wheel. Well, the same should be the case with cybersecurity. Ideally, we should not have to purchase security measures as an add-on to our technology. Instead, they should be incorporated into that technology.
Indeed, security should be included in the technical and procedural aspects of developing and fielding systems and networks. Organizations must also put resources into information security research. In the end, it is cheaper and easier to design, develop, implement, and maintain cybersecurity programs than it is to lose time, money, productivity, and possibly customers in trying to make adjustments after incidents or security breaches occur.
Finally, the private sector must cooperate with law enforcement, which is the key to holding cyber criminals accountable for their actions. Some businesses and individuals are not aware that cyber theft, intrusions, and compromises can be reported to law enforcement and subsequently prosecuted. Others may believe that information security compromises are routine and cannot be avoided. Organizations should educate their employees about the dangers of cyber crimes and incidents, and must cooperate with law enforcement in prosecuting cyber criminals. In addition, where laws criminalizing the misuse of information technologies do not exist or are not up to date, governments should be encouraged to adopt or modernize such laws. A comprehensive legal framework and effective enforcement capability are necessary elements of a nation’s strategy to secure cyberspace.
With the conclusion of Phase One of the Next Steps in Strategic Partnership initiative and our ongoing dialogue under the High Technology Cooperation Group, the United States and India have charted a robust and unequivocal course of strategic partnership that will benefit both countries. The private sector has an important role in translating these government initiatives into concrete joint activity at the business-to-business and people-to-people levels. While government can create the appropriate environment for commercial activity, it is up to private businesses, organizations, and individuals in both countries to reach out and build relationships. As part of this process, to truly unlock the potential of the U.S.-India trade and technology relationship, our governments and publics must work as partners to secure the information networks, systems, and infrastructures that drive the economic activity between our two countries.
Thank you.