Remarks by Homeland Security Secretary Michael Chertoff at the Chamber of Commerce on Cybersecurity

Release Date: October 14, 2008

For Immediate Release
Office of the Press Secretary
Contact 202-282-8010
Washington, D.C.

Secretary Chertoff:  Thank you for that very warm welcome.  I guess the message from that recitation of my career is I can’t hold a job very long.  Seriously, I would like to thank the Chamber for inviting me to discuss one of the most important initiatives we have ever undertaken at the department, and in the country, in the domain of homeland security.  This, of course, has to do with the issue of cybersecurity:  the protection of our information technology and its networks.

I have to say in fairness I have not been at the Chamber for some time.  I know we have had some disagreements in the past on certain issues, including the thorny subject of illegal immigration.  I do believe there is a right way to solve the problem of illegal immigration and a wrong way and that part of the right way, although part of the answer, is enforcement.  I do believe we have to restore the public’s faith in the government’s commitment to hold the law, even if we may be arguing at the same time that the law ought to be changed.  We will continue, at least on my watch, to enforce the law.

With respect to illegal immigration and illegal work, dare I say, based on the recent Pew Study -- effectively, I think, we are, in the first years since time immortal, that we have actually had no net increase in illegal immigration if one accepts this, I think, widely accredited study.  I am going to put that issue aside and our differences aside and turn to something on which I know we agree.

That is the importance of protecting our cyber infrastructure and dealing with the challenges of cybersecurity.  This is a major priority for this administration and I am convinced will be a major priority for the next administration.  In fact, this month is National Cyber Security Awareness month.  In recognition of this particular moment in time, the President has actually asked me to share a message from him to you.

As follows, “I send greetings to those observing Cyber Security Awareness Month.  Americans and American business rely on the Internet and protecting its infrastructure is essential to our economy, security, and way of life.  This month is an opportunity for citizens to learn how to guard themselves and their families, businesses, and information against online threats.  My administration has taken important steps to strengthen our defenses against cyber attacks.  In 2002 the Department of Homeland Security was created to help protect America, including online.  In 2003 the National Strategy to Secure Cyberspace created a framework to help prevent cyber attacks against America’s infrastructure, reduce vulnerability to cyber attacks, and minimize damage and recovery time from cyber attacks that do occur.  In January this year, my administration implemented the National Cyber Security Initiative to protect federal networks, and explore ways to assist industry in securing their infrastructure.  I appreciate all those dedicated to securing the Internet.  Your efforts play a key role on an important front of our nation’s security.  Laura and I send our best wishes.”

Unquestionably, cybersecurity is the issue that touches all of us both in our business capacities and as individuals in terms of the way our families deal with our own home computers.   It is an issue that will continue to be on the front burner through the next administration.  Unlike some other areas of homeland security, however, cybersecurity is not exclusively, or even largely, a federal responsibility, or something the federal government can impose on the rest of the nation. 

The federal government does not own the nation’s IT networks or communications infrastructure, nor would we want to force a burdensome and intrusive security regime on what is, clearly, one of the most fluid, dynamic, and reliable engines of our economy.  On the other hand, that doesn’t mean that cybersecurity is solely a private sector responsibility either.  While the vast majority of the nation’s cyber infrastructure is in private hands, the reality is that its benefits are so widely distributed across the public domain, and so integrated and interdependent in the various different sectors of our economy, that we face clear national security risks and consequences with respect to its protection.

No single person or entity controls the Internet or IT infrastructure.  There is no centralized node, or database, or entry point.  No single person, or company, or government can fully protect it.  On the other hand, the failure in even one company, or one link of the chain, can have a cascading effect on everybody else.  That is why protecting our IT systems and networks has to be a partnership in which all of us have to bear our share of responsibility.

If you wanted an illustration on how important protecting interdependent systems are, and how important a partnership is with respect to trust, just look at what is going on in the financial area.  This has not been an IT problem, but it has been an all too dramatic illustration of what happens when there is a failure of trust across a large domain of institutions.  Much of the solution to this crisis is one that requires a partnership between the private sector and public sector.  I would argue that as we, hopefully, preempt any crisis in the area of our IT networks and the Internet, the only way to do that is a joint effort in partnership between the private sector and all elements of government.

Let me say there is also a very strong business case to be made for cybersecurity apart from the national security case.  Most companies understand their own interest in investing in security measures that will help shield them from attacks or disruption or will give them resilience to recover quickly if an attack occurs.  I would also venture to say customers’ trust can easily be lost in this day and age if the systems through which people do business with companies become degraded, or inoperable, or corrupted.  This element of trust and confidence, which is the very DNA of the Internet, is really the highest value of what allows us to function and take advantage of the very fluid and beneficial qualities of having a network 21st century world.

Today I would like to talk about the specific actions the federal government is proposing it takes to protect cyber infrastructure.  The private sector’s role in this effort and what you can do to help us protect cyber systems and cyber infrastructure.  First, let’s talk about threat.  You know, the Internet has been around for about two decades.  For about the same amount of time we have been dealing with cyber attacks.  Some people might be tempted to suggest that cyber attacks are merely a cost of doing business, a nuisance we have dealt with in the past and can deal with in the future, and there is no real reason to treat this as a concerted national priority.  I think that would be a very misguided approach and I am sure everyone here understands why. 

The fact is, because in the 21st century and our reliance on the Internet for everything we do, whether it is the homework our kids do at school, or the business transactions we engage in in multi-billion dollar financial institutions, we have invented an era of new threats and greater vulnerabilities in the cyber domain.  I am sure everyone here understands the consequences of failure have become correspondingly greater and that is why we are at a moment now where we have to act with greater urgency and purpose than ever before.

The intelligence community has publicly stated its assessment that nations, including Russia and China, have the technical capabilities to target and disrupt elements of the U.S. information infrastructure, or to use that infrastructure to collect intelligence and other kinds of information.  Nation states and criminal groups target our government and private sector information networks in order to gain competitive advantage in the commercial sector, as well as in the area of security.  Terrorist groups, including Al Qaeda, Hamas, and Hezbollah have expressed the desire to use cyber means to target the United States.  Criminal elements continue to show a growing and alarming sophistication in technical capability and targeting, and today operate a pervasive, mature economy in illicit cyber capabilities and services that are made available to anybody who is willing to pay.

As we have seen recently, cyber threats can impact both individuals and nations alike.  Let me give you two examples.  First, the Georgia-Russia conflict of earlier this year, perhaps the first instance of a military action with a cyber component.  Denial of service attacks launched from Russian IP addresses against Georgia occurred when we saw military action taken by Russians against the Georgian government.  Large swaths of Georgians could not access any information about what was happening in their country.  Government websites were defaced and the delivery of government information and services were curtailed.

A similar denial of service attack was perpetrated in 2007.  On the criminal side of the house, earlier this summer in August I announced the largest ID cyber theft in history.  This was a Secret Service case involving 40 million credit card numbers that had been stolen from nine major retailers through a sophisticated, international scheme perpetrated through what they call “war driving.”  This involved capturing the wireless transmission of this information from point to point so it could then later be converted into data that could be used for criminal purposes.  This scheme led to millions of dollars being withdrawn from the bank accounts of innocent consumers all around the world.  As I said, it is the worst case of identity theft in U.S. history.

The reality is that cyber attacks aren’t decreasing.  They are increasing in frequency, sophistication, and scope and this has major implications for our national and economic security.  So, how do we protect ourselves from malicious activity whether it is criminal in nature, whether it is an extension of state power, whether it is government or commercial espionage, or whether it is routine hacking by people who are interested in showing their cyber hacking skills to their friends.  The answer is a comprehensive cybersecurity initiative. 

From the government’s perspective, the first things we need to do are ensure that our own house is in order.  That our federal civilian networks are adequately protected.  That means we have to be able to look across the government and civilian domains, just as the defense department looks across the military domains, and assess what the vulnerabilities are, reduce the points of vulnerability, put into effect the kinds of tools and regimes that will reduce or eliminate the possibility of attack, and then using a 24-7 monitoring capability, make sure that we are constantly staying ahead of an evolving adversary.

I want to make it clear that although people tend to think about this issue from the most sophisticated hacking attacks or assaults launched over the Internet, in fact there is a wide variety of places from which the threat can be mounted.  To be sure hacking and penetration over the Internet is an important part of the threat and therefore something we need to tend to in terms of defense.  We also have to continue supply chain security.  What is being embedded in our hardware or our software at the time it is created and before it is sold to us.  This is particularly difficult in a global environment where the various components of what make up a finished product might be produced at various places around the world where quality control is not 100 percent.

There was a story in the newspaper over the weekend about people whose bank account information was being stolen because, embedded on some of the computers being used, wasn’t a code that was put there by hackers, but was manufactured into the boards and the chips.  Little trap doors that allowed the collection of information and the rerouting of it overseas.  So, that is the second potential attack vector.  The hardware and software that is part of the architecture of our systems.

Finally, we need to be concerned about the insider threat.  It is the lowest tech threat, but somebody coming with a thumb drive and downloading sensitive information, including passwords, or planting something that enables someone to capture information and send it back over the Internet.  That can cause as much damage as a classic hacking attack coming over the Internet itself.

With all these things in mind, the focus of our cyber initiative are: establishing good lines of defense over the internet; defending against all these threats whether it comes through the network, by way of the supply chain, or an insider; and shaping the future environment by educating the next generation of cyber professionals and producing leap ahead technologies that allow us to stay ahead of the adversary.

I also want to emphasize, because we are dealing with communications and the Internet, traditionally a very open architecture and a culture of freedom, we have to be exceptionally focused on the need to make sure privacy and civil liberties considerations are at the center of our efforts.  We are not interested in what is done in some parts of the world where the government sits over the Internet and tries to control what people see.  That is not the model we are seeking to emulate here and that is why we want to be very clear in everything that we do.  Perhaps in more than any other domain, we need to be privacy and civil liberties sensitive.

Let me talk about the major elements of the strategy bearing in mind these major focus elements – establishing lines of defense, defending against the full range of threats, and shaping the future environment.  First, as it relates to the government we recognize there are, literally, a thousand connection points between our government domains, civilian domains, and the Internet and we need to limit that number of access points so we can begin to get a handle on the threats that are coming through those access points and build a series of capable defenses.  So, even now we are in the process of reducing the number of connections, over time the number of connections between government systems and the Internet so we can better secure and reduce the vulnerabilities in a much smaller number than say we had six months ago.

We need to expand our U.S. capability and our national cybersecurity capability to provide oversight, accreditation, and validation across the government civilian domains to make sure everybody has in place the appropriate levels of security, both in terms of what they permit into the Internet and how they handle their systems in their own departments and agencies.  We have established a National Cyber Security Center to coordinate across a number of individual agency cybersecurity centers to provide crosscutting situational awareness and to make sure we’re coordinating among the various cyber centers that operate in various kinds of government domains. 

Once we have reduced the number of entryways, we need to find better ways to mount defenses at these bridges.  We currently have an intrusion detection system called Einstein.  I might use an analogy from the physical world.  If you think of television programs like “CSI New York” or “CSI Miami”, our current system is a passive intrusion detection system that comes after the fact.  In other words, we learn there has been a malicious intrusion, we get the information about what we can about the signature and the code, and then we disseminate that information.  It is a little bit like sending your crime scene investigators in after the crime has been committed to try and collect the evidence and give warning the next time.

We need to move to the next level, which is Einstein 2.0, which we are currently in the process of beginning to deploy.  That is a real-time intrusion detection capability.  It doesn’t wait until after the crime is committed.  Using information and tools we were able to get from across the federal government, it enables us to detect, in real time, if an attack is underway.  It is a little bit like moving from the policemen who investigate the crime after the fact, to the policeman who is actually standing, watching people go by on the road and the highway, and when the policeman sees a suspicious character he or she calls into the potential target and warns them there is a suspicious character on the way.  You’re asking me here, you have a cop who sees a suspicious character why doesn’t he just stop him and arrest him on the spot?  And that is Einstein 3.0.  That is where we move from intrusion detection, to intrusion prevention.  That is a system that we are currently working to develop which would allow us when we see and detect malicious code, or other indications of an attack, to actually stop it cold before it permeates and infects our systems.  So that is the first element of creating lines of defense.  Reducing the entry points and building better capabilities to protect, and ultimately prevent, penetration.

The next focus area, which is defending against full spectrum threats, includes protecting the global supply chain, working with the private sector to have better validation about the source of critical elements of software and hardware, particularly for those systems where we have high value information that we want to protect and secure.  At the same time old-fashioned counter intelligence – working with our government systems to make sure we are preventing people from committing old-fashioned espionage against us, stealing our data, stealing our passwords, stealing our capabilities, or implanting in our systems trap doors that can be used against us.

Finally, the third focus element, shaping the future environment, we are working across the government domain to help recruit and build the next generation of cybersecurity professionals.  That is going to mean, in particular, working with the private sector to boost cyber education, training and recruitment, as well as working to fund leap-ahead technology and game changing capabilities that will enable us to increase our cybersecurity.

Some months back I was out in Silicon Valley.  Someone was saying to me that part of the problem is, when people graduate from college or graduate school their focus tends not to be on technology, but developing new systems that are faster, move more readily vertically and horizontally, and are quicker at processing data.  It seems that cybersecurity has become a little bit of a stepchild.  I am going to suggest that that is going to change in the very near future, if it hasn’t changed already.

Ultimately, the value of the Internet and all the commerce and activity that occurs on the Internet, will only succeed in multiplying, if people are confident that they will not lose their crown jewels when they play in cyberspace.  It is easy to manage the systems for purchasing goods or getting on eBay, or exchanging information would become much less appealing if there were more and more stories about people losing their most secure information, their most secure financial data every time they get onto the Internet.

So, my belief is that more and more, the issue of cybersecurity is going to be a cutting-edge area in which smart kids are going to realize there is a great future because there is going to be an incredible demand to keep security up with the increasing exponential growth of the Internet as a tool of commerce, as well as a tool of social networking.  Here is where private sector cooperation is particularly critical.  A lot of this work is going to be done with you and we want to make sure you are focused on this. 

This brings me to the last element of the strategy which is how do we work with the private sector to secure not only our own networks, but to help you to secure your networks.  We have a structure in place that allows us to do this at DHS and as you all know it is the National Infrastructure Protection Plan.  It is a model in which we have 18 sectors of the national economy we have identified, we work with sector coordinating councils, representatives of industry, and government coordinating councils to set goals and priorities and exchange information about security as it relates to the particular sector we are talking about.  Recognizing, for example, the needs of the financial community are very different from that of the commercial real estate sector or the communication sector. 

What we have done is go back to these sectors and we have asked under each of these plans that industry and government look at cyber risks and mitigations.  We are going to bring all this together through our cross-sector Cyber Security Working Group, looking in particular at interdependencies, information sharing, and cyber issues that affect multiple sectors or cut across all the sectors.  We are going to explore options to share Einstein, or similar capabilities including capabilities drawn from across the entire government, with interested industry partners.

I want to be clear; this is an invitation, not a mandate.  We are not in the business of telling the private sector you must do this, you must let us in, we are going to sit on top of you.  That would be the easiest way to alienate most of the people who use the Internet.  What we are going to do is offer a service, offer an invitation.  For those in the private sector who want to take us up on this, we are going to work to see how we can best mesh with your particular industry architecture to give you some of the benefit of our capabilities, but in a way that doesn’t interfere with your basic processes, or better yet, alienate the trust of your customers and your consumers and get them to be concerned about their own privacy and civil liberties.

Finally, we need to work with the private sector to put together metrics to make sure we can chart our progress and to particularly focus on how we can mitigate the risks that are apparent in the globalization of the commercial technology industry.  How do we help you build standards that enable the private sector to gauge the integrity of which systems you are buying.  A way that doesn’t impede the flow of congress, but gives business consumers and even private consumers the confidence that they know what they are getting.

Just as we are increasingly concerned in a global environment about the food we eat, and the toys we give to our children, and you all know what I am talking about because it is in the news all the time.  I submit to you that we have to be equally concerned about the software and hardware we are bringing into our homes and our businesses for precisely the same reason.  Therefore, we have to have precisely the same kind of approach to ensure we are validating what it is we are buying and what are the ingredients of the systems we are bringing into our own places of business and homes.

In short, we have put together a comprehensive strategy to address cyber threats.  The president has strongly endorsed it and has pushed us very hard in moving forward to implement it.  This will not happen overnight, it is a multi-year effort.  It will require a great deal of interagency and private sector coordination.  We have made a lot of progress, both in getting our own house in order and consulting with the private sector and we stand ready to work with you to get this done as rapidly as possible.  We encourage you to continue to work with us through these established channels we have used in securing infrastructure in the physical world.  Namely, the Critical Infrastructure Advisory Council and the Cross Sector Cyber Security Working Group and the individual sector coordinating councils we have under the net.

The bottom line is, we have a common interest, time is short, the people who want to interfere with our systems have been very busy, they will continue to refine their tools.  We have some very good tools in our defense, but they’re not going to do us a lot of good if they sit on the shelf.  We ought to make sure we polish them up and deploy them as effectively as possible. 

I know your being here is a commitment to your understanding and dedication to this issue.  I think it is a front burner issue, clearly, for the next administration.  I ask for your help and support as we move this forward as rapidly as possible.  Thank you.

Question:  Mr. Secretary, first, thank you very much for being here.  Bob Connors with Raytheon Company.  The private sector understands the risks and is investing a lot of energy in cybersecurity.  The concern we all have is the tens of millions of folks out there with home computers.  They don’t get it; they don’t want to get it.  Certainly, when you talk about the potential for them to lose money because their bank accounts may get compromised, they might start paying attention.

How do we reach out to them?  How are we going to help them understand what the risk is?

Secretary Chertoff:  That is a great question because, not to belabor the financial crisis, it is a great example of if ordinary consumers and citizens lose confidence in the system, business suffers and business fails.  Part of the reason we are doing Cyber Security Month and part of the reason the president has put this message out is to try to get this out there into the public domain.  We all have to participate in this educational process.  Part of it is doing it with our own employees, making sure they take it home.  I would like to see us get it into the school.  I am a believer that when you get kids harnessed into projects like fire safety or recycling, they’re little engines of propaganda at home.  Kids ought to be taught this in school that if you don’t operate your systems with a reasonable amount of security and integrity, you are going to lose your system, you are going to lose your game.

This is clearly a major national effort.  Part of what we have to do is devise systems that are easy to use.  There is a tough balance here.  If we tell people at home that they have to change their password every week, we are going to lose those people.  One of the things that I have suggested, is that we should step outside the box for a minute and look at some of the vulnerabilities we might reduce by changing the entire way we do business.  For example, many people are concerned, in terms of identity theft, about their social security numbers.  I ask myself the question, why do we care about that?  Can’t we find a way to make the social security number no longer important as an identifying tool to conduct business?  If you couldn’t conduct business over the Internet using your social security number, if your social security number was not accepted as a validator for transactions, then losing the number would not make a difference.

I would like to suggest that part of the problem we face is not a cybersecurity problem; it is an identity management problem.  That means we have to revisit the architecture to validating how we identify people as trusted individuals for purposes of either transaction business, getting on airplanes, or even crossing borders.  If we move to a system which has a combination of authenticating capabilities, not just a number or some kind of confidential information, but also a biometric and maybe a token, if we can change the architecture of identity management then most of the concern we have about losing information will disappear because it won’t be of value any longer.  That wouldn’t help the business with confidential trade data, but it would take away the concern that people have when they conduct business over the Internet.

To me, in many ways, cybersecurity is an invitation to look more generally at how we use information in the 21st century and whether we can’t rethink some of the architecture so that our vulnerabilities are reduced.

Question:  Mr. Secretary, Shannon Kellogg with the EMC Corporation.  You mentioned at the beginning of your speech some of the international facets we are dealing with here.  Can you explore that a little bit more, what we can do both as the public sector and the private sector to coordinate, more effectively, the international link in the global scope of the threats?

Secretary Chertoff:  I think one of the great challenges we face as much as any industry, the computer industry is truly global.  The components and the elements that go into your software and hardware come from all over the world.  I want to put this delicately, but you can’t presume in every country they treat commercial interest and national interest as completely separate.  In our country we are used to the fact that people go about their business and the general rule is they are going to pursue their highest economic value.  They are not serving the government’s national security purposes.  In some countries, the line between what is government and what is commercial is not that clear.  It creates a challenge for us.  How do we deal with a world of free trade, open architecture, open systems, open movement of components and yet recognize at each stage of the supply chain there is a vulnerability.

I think where we can work with the private sector is to come up with ways to validate the integrity of the software and hardware that we are relying upon in systems that have a high value, in terms of intrusion.  Obviously, for your game boy it doesn’t matter very much because we’re not really worried people are going to be stealing your video games.  But if you have a high value system, you want to know there are no trap doors or malicious code bombs sitting in your system that might be broadcasting home. 

I think the private sector, especially people in the IT community, have begun a series of initiatives looking at how you inject quality control in the process.  Again, I don’t think the government is going to set up the equivalent of the FDA for computer components, but I do think we can work with the private sector in both encouraging this kind of activity and helping enable this kind of activity in validating the hardware and the software.

Question:  Thank you, Mr. Secretary.  Albert Wynn with Dickstein Shapiro.  Do you envision the Safety Act being expanded so that business liability would not be as great?  Secondly, with respect to the partnership that you described, how is that going to be financed and what is the financial implication for business?

Secretary Chertoff:  I think the Safety Act is an important and useful tool in terms of promoting this activity.  Much in the same way we use the Safety Act with respect to all kinds of technology with respect to physical security, I see no reason why the Safety Act is not available for purposes of security that affects the cyber world, whether it is better hardware or software. 

In terms of financing, we are going to finance our part of this.  I don’t see this as a grant program.  This is a program where healthy self-interest will motivate companies to invest themselves.  Let me be honest with you, from liability standpoint I lived through Y2K and during my period as judge had a couple of cases of insurance coverage during Y2K failures.  I have no doubt that lawyers are going to tell their clients that it very much benefits them, as a matter of their own liability protection, to make an investment in the security of cyber systems particularly when a collapse of those systems is going to have collateral effects on everybody else.

I don’t see this as a government grant program, but I do see it as a program where we can exchange information.  Where there is value in kind that we can provide in a structured way that will help the private sector.  I also think that things like the Safety Act can be enabling for this kind of initiative.

Question:  I just want to ask you what DHS has done to protect the information that the private sector is supplying to DHS through online systems.  I am asking this because I am interested in the information that high-risk chemical facilities have submitted to you through your online system and how do we know that that information is secure.

Secretary Chertoff:  Generally, we do pay a lot of attention to securing our own systems.  I am happy to say a grade that government -- I hate it when they grade you, I figured I was done with this in elementary school.  It is worse in Washington because people that grade you are often -- it is like the parent of your competitor.  We do get graded on our security systems and I do think a few years ago we were getting a low grade, two years ago we got a D, last year we got a B+, this year our internal security systems are going to be better than last year’s.

I think we are getting our own house in order, but in a larger sense by reducing the number of entry points to the domains and by putting in a more robust set of protections for detections and prevention, that is going to protect our data.

In terms of particular chemical data, we commit to keeping this confidential.  That is one of the reasons we resist efforts to pass the laws that would make it subject to the Freedom of Information Act.  We think it is important to have laws that protect confidentiality for this kind of information.  Sometimes we get pushback from the press which seems to feel we should be putting it all out there so people can see for themselves where the risks are.  The danger is when we put it out there, it ends up being read in caves somewhere in South Asia as well as on your home computer.  We are going to continue to fight to keep this kind of information confidential and out of the public domain.

###

This page was last reviewed/modified on October 14, 2008.