Remarks of Assistant Secretary of Cybersecurity and Communications Greg Garcia at the New York Metro Infragard Alliance Security Summit

Release Date: December 11, 2007

New York, NY
(Remarks as prepared)

New York is such a fitting place to hold a security summit. With its storied history and thousands of financial institutions, it is the world's financial nucleus. All of you, as leaders in your respective companies and organizations, understand the full weight of your responsibilities to New York City itself, the nation, and quite honestly, the world. Because as Wall Street goes, so does the rest of the world. That is quite a responsibility to shoulder.

Yet you have continuously demonstrated your understanding and commitment to upholding this reputation. Time and again, whether facing a natural disaster or terrorist attack, you have found ways to ensure that roughly five and a half trillion dollars flows unabated through our financial systems each and every day. That's five and a half trillion dollars a day in activities that are critical to our citizens' basic needs and our Nation's economy.

It's the delivery of paychecks, utility bill payments, ATM withdrawals, and the over $733 million of Internet sales that occurred this past cyber Monday -- the first Monday after Thanksgiving, which is considered the most active online shopping day of the year.

As New Yorkers know, our adversaries will stop at nothing to destroy the infrastructures we have all worked so hard to build and protect. Whether they are cyber criminals, hacktivists, or nation states, our adversaries are pursuing ever more sophisticated and determined cyber attacks on U.S. government and private sector networks.

I'm watching as companies – household names with huge market capitalization and seemingly tremendous resources – expose their networks and data to infiltration and information theft. I'm seeing the same with government agencies on a regular basis. So we're all at risk, and we're all responsible. We have made some progress but there is much more we all have to do to protect our critical systems.

So let me tell you what we're doing at DHS to make the United States the most difficult and dangerous place in the world to conduct cyber crime. I think you will see that you each have a very important role to play in helping to make this happen.

Let me start with an overview of the threats as we see them at DHS. As you all know, the threats are real. Hackers are becoming more sophisticated and focused in their efforts. Criminal computer code is now written at the PhD level, and sold cheaply on the Internet.

Hackers are making massive efforts to compromise computer systems on a global scale. What was once a nuisance committed by various individuals years ago has now progressed into organized efforts by highly skilled professionals.

Today's professional hackers develop and sell malware toolkits to other criminals on the black market. In turn, the buyers of these toolkits can conduct online scams and spread malware more proficiently than ever before.

Why do they do this? Because cyber crime is big business. The number of hackers attacking banks worldwide jumped 81 percent over the past year. Botnets, spear phishing, key loggers, and other attacks make up the more-than-$100 billion global market for cyber-crime – surpassing drug trafficking from a monetary perspective. Worst of all, the money obtained through cyber crime can be used to finance terrorism.

The numbers don't lie. From October 1, 2006, through September 30, 2007, our US-CERT—which I'll describe in more detail in a moment—handled more than 37,000 incidents, compared with almost 24,000 the year before. This increase can be attributed to not only more attacks on our public and private networks, but also better situational awareness levels and reporting rates.

I'll tell you now: many of these malicious attacks are designed to steal information and disrupt, deny access to, degrade or destroy critical federal or private sector information systems. Our adversaries are also seeking our intellectual capital and proprietary information, which we have spent years—and billions of dollars—developing.

Unfortunately, none of this will dissipate if we do not have the same level of organization and coordination that our adversaries are using against us. This dynamic underscores the absolute necessity for IT security and the importance of a nationwide call to secure cyberspace. It's something we can't afford not to do.

Our mission is clear. Securing the systems that maintain and operate critical infrastructures is vital to national security, public safety, and economic prosperity.

How do we do this? Collaboration and information sharing. It's a common theme in many of the speeches you hear because public/private partnerships, like InfraGard and the Financial Services and Multi-State Information Sharing and Analysis Centers (ISACs), are essential to protecting our critical infrastructures.

Let's be realistic. Private industry owns and operates more than 85 percent of the United States' critical infrastructures. That means the Federal Government cannot address cyber threats alone. Obviously, if a cyber attack occurs, the larger percentage of potential immediate victims will also be in the private sector. This includes the financial services industry. So not only does it make sense to collaborate with each other, it is an absolute necessity.

At DHS, one of our best information sharing mechanisms is the United States Computer Emergency Readiness Team, or US-CERT. The nation's cyber watch and warning center, US-CERT coordinates the defense against and response to cyber attacks in coordination with the private sector.

It also analyzes and reduces cyber threats and vulnerabilities, disseminates cyber threat warning information, and manages incident response activities with a wide range of stakeholders. US-CERT's activities allow us to see potential trends and coordinate appropriate deterrence and response activities across sectors.

A prime example of this occurred just last month when the US-CERT served as the key data gathering and distribution center for a potential cyber threat to both government and private sector systems maintaining critical infrastructures.

By taking advantage of its information-sharing relationships, US-CERT distributed a notice defining the malicious activity and addressing how partners could detect and prevent it from affecting their networks. This directly strengthened the security and resilience of our nation's critical infrastructures.

The key lesson here is that by sharing our knowledge, we can better protect our nation. But we also know that this information sharing relationship is not as mature yet as it can be.

The feedback we received from our private sector partners after this information notice was, overall, very positive and appreciative.

But it included a reminder that such notices would be more useful if DHS could provide more threat-based context – that is, what is the nature of these attacks? Where do they come from? What is their intent?

Well, we continue to be limited in what we can share with partners who don't have appropriate security clearances (indeed, that's an issue within the U.S. government agencies as well). And we have to find better, quicker ways to get you relevant information that you can act on.

And, from our perspective, when we provide you information you already have, we realize both sides need to better calibrate our exchange of information so we make most effective use of our limited time and resources.

So we're learning, and we're working to improve our information sharing. That's one of InfraGard's key tenets and the ultimate goal for all our actions.

As we move into the discussion portion of this event, I'm very interested to hear your ideas about other ways we can share useful and relevant information between sectors.

In addition to sharing information with its public and private partners, one of US-CERT's most important responsibilities is increasing the Federal Government's awareness of its own network activity.

We know from our friends in law enforcement that situational awareness is the primary method a beat cop uses to protect a neighborhood. As I'm sure Joe can recall from his days on the force, a veteran officer works to deter crime wherever possible and catches criminals by understanding their environment, watching for trends and patterns, and knowing the rhythms of the community.

We know the same is true for cyber first responders. So we created an early warning system that watches for malicious patterns in network traffic and notes irregular activity. Just as in neighborhood policing, out-of-the-ordinary events or activities can tip off agency cyber responders to potential trouble.

EINSTEIN, as it is known, is that early warning system. It monitors participating agencies' network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting this information, EINSTEIN gives our analysts a big-picture view of potentially malicious activity on federal networks.

Prior to EINSTEIN, it took cyber security responders four to five days to gather and share critical data on federal government computer security risks. Today, we can produce that information in as little as four to five hours.

By analyzing network traffic for potential cyber threats before they can exploit vulnerabilities, EINSTEIN makes it more difficult, more time consuming, and more expensive for cyber criminals to reach and impact their intended targets. EINSTEIN provides us with unique traffic pattern analysis that US-CERT, as appropriate, can share with its partners.

Now another program that exemplifies knowledge sharing in action is the National Vulnerability Database.

Sponsored by my office and the National Institute of Standards and Technology (NIST), the National Vulnerability Database or NVD puts the more than 28,000 known cyber security vulnerabilities into a single publicly available resource. NIST analysts then score them according to the severity of their risk.

Accessed at a rate of 48 million hits a year, the NVD's data enables all organizations to automate their vulnerability management, security measurement, and compliance activities through a series of security checklists and metrics.

Recently, your colleagues in the payment card industry recognized the value of the database to their cyber risk management efforts. Last June, the industry's data security standards required that all credit card processing vendors use the National Vulnerability Database to evaluate the security of their payment systems.

Essentially, it says that vendors must ensure that their systems do not include vulnerabilities that score higher than a pre-determined NVD number. This greatly enhances the security of every credit card transaction, prevents disruptions of key operating systems, and protects consumer information.

The value of the NVD is not limited to the credit card processing industry. If you haven't investigated the potential beneficial uses of this program in your companies, I strongly encourage you to do so immediately. You can access it by going to US-CERT's homepage (www.USCERT.gov) and searching for “NVD.”

The NVD is a wonderful example of an industry-led adoption of a valuable government tool. And it also underscores our role in the federal government, to provide resources that help all of you do your jobs more effectively.

Let's move to another example of collaboration and information sharing. You know, in many ways, the enemy is already at the gate. So if we are going to secure cyberspace, we must marshal our defenses, learn from each other, and work together as never before. I'm a true believer in the phrase, “you play how you train.” This is why exercises are critical to our national and financial security.

InfraGard members already understand this. The Vermont InfraGard is a key planner in the state of Vermont's first ever cyber exercise, which my office is helping to design and implement. The lessons learned from next month's exercise will aid in the development of a cyber annex to the state of Vermont's emergency operations plan.

At the national level, we are actively planning for the March 2008 national cyber exercise, Cyber Storm II, which follows the highly successful Cyber Storm I held in February 2006. This exercise examines our response and coordination mechanisms against a simulated cyber event affecting international, federal, state, and local governments, and the private sector.

By organizing and executing an exercise such as Cyber Storm, DHS is able to test our planning, information sharing and response to attack scenarios, assess our strengths and weaknesses in those areas, and learn how to improve response capabilities.

I am thrilled that the financial services sector, through the financial services ISAC, is once again fully engaged in the planning and execution of the Cyber Storm exercise.

Their participation in the exercise demonstrates their firm commitment to cyber preparedness and I hope sends a signal to other sectors that cyber security measures need to be taken seriously.

Throughout the country, at every level of government and within the private sector, people are dedicating themselves to ending cyber crime. To do this at CS&C it's necessary for my office to engage in robust collaboration and information sharing with our law enforcement partners. We do this through a liaison office in the US-CERT, which houses liaison officers from the U.S. Secret Service and FBI.

For example, maintaining the necessary division of authorities, US-CERT and the FBI worked closely together to identify and investigate cyber criminals and threats during Operation Bot Roast II. An ongoing and coordinated initiative, Operation Bot Roast finds and captures the criminals that overtake people's computers to conduct criminal activities.

Since it began last June, the FBI, with US-CERT's technical input, captured eight individuals responsible for infecting over one million compromised computers. We estimate the economic loss to be at more than $20 million to date. As the investigation continues, I have no doubt those numbers will increase.

At DHS, we know that online payment systems are profitable money makers for criminals. A recent 24-month Secret Service investigation of e-gold, an online payment system favored by criminals, resulted in the seizure of over $16 million.

In Miami, a Secret Service cyber crime fraud investigation recovered more than 200,000 stolen credit card account numbers at a potential loss exceeding $75 million.

And here in New York, a Secret Service investigation with the Manhattan District Attorney's office led to the indictment of 17 people and a company called Western Express, a digital currency transmittal service.

The defendants are facing charges related to global trafficking in stolen credit card numbers, cyber crime, and identity theft. Based on the over 1.3 terabytes of digital evidence it obtained from search warrants and subpoenas, the Secret Service estimates that approximately $15 million flowed through Western Express' digital currency accounts. Additional judicial action is ongoing with respect to targets identified overseas.

We're starting to really hurt the criminals. Eventually, they are going to realize that it is just too expensive – both financially and in potential jail time – to “conduct business” in the United States.

In addition to catching the criminals, my office also works closely with the Departments of Justice and Defense to prepare for and, if necessary, respond to a national-level cyber incident. As co-chairs of the National Cyber Response Coordination Group (NCRCG), we work with 19 different federal agencies, including the FBI and the Secret Service, to ensure that the full range and weight of the Federal Government's cyber capabilities are deployed in a coordinated and effective fashion.

For example, the NCRCG recently convened to address and respond to the denial of service attack against the government of Estonia, a NATO ally. Additionally, the NCRCG will be an active participant in Cyber Storm II.

Effective cyber and communications risk management requires us to be prepared for a national crisis beyond those caused by terrorists or criminals. Now, I've talked a lot about cyber viruses. But we still have to contend with the more traditional biological virus – that is, the potential effects of a public health crisis, such as an outbreak of pandemic flu.

The spread of pandemic disease across the U.S. will be rapid and unpredictable. We estimate that as much as 40 percent of the workforce will be unable to report to work during peak periods of an outbreak – and you don't get to pick which 40 percent that could be.

Naturally, telecommuting will be a key mechanism to keeping our businesses and government operational during a pandemic flu.

Preparing for the increase in telecommuting is a demonstration of public-private collaboration in action. A working group led by one of my components—the National Communications System—and including experts from the Federal Reserve Board, the Department of the Treasury, the Financial and Banking Information Infrastructure Committee, and the Financial Services Sector Coordinating Council, meets monthly to plan for the potential communications consequences of a pandemic influenza.

What the working group found is that, while the telecommunications backbone is unlikely to experience congestion, the so-called last mile – to the home and the enterprise – could experience disruptive congestion. But it concluded that this disruption could be mitigated if certain safeguards and practices are implemented by enterprises and telecommuters.

In collaboration with major internet service providers (ISPs), telecommunications carriers, and equipment and service vendors, the working group developed the following best practices that we strongly encourage businesses and government agencies to consider:

  1. Limit remote access to users critical to maintaining business continuity;
  2. Limit access to business critical services through the enterprise connection;
  3. Adjust or retime automatic desktop backup software and software updates for telecommuters;
  4. Obtain a telecommunications service priority (TSP) for enterprise;
  5. Subscribe to government emergency telecommunications service (GETS) cards and/or wireless priority service (WPS) capabilities for critical IT staff; and
  6. Enhance your cyber security posture due to increased reliance on communications and IT, reduced support staff, and increased threat of cyber attack.

Implementing these practices will help reduce significant impacts on our nation's economy. All of us must do everything possible to keep our nation operating and delivering critical services under even the most challenging circumstances.

I consider everyone in this room today a key partner in the effort to strengthen our nation's cyber infrastructure. You understand that the Internet, and the many enterprise networks that depend on it, is one of the central platforms for business operations, supply chain management, and business continuity.

However, I'm more concerned about the people who aren't in this room because, as a recent business roundtable report suggests, they don't understand that this is a matter of their own business survival. Cyberspace is a profitable marketplace and enabler of market activity. But if businesses, whether in the financial services sector or otherwise, haven't made the investment in the people, processes, and technologies that will keep them operational in a crisis, our economy, in fact our very way of life, is at stake. We can't let this happen.

So here's what we all need to do.

First, memorize US-CERT's website address – www.USCERT.gov – and give it to everyone who needs it. Tell your partner organizations and businesses to sign up for the cyber security alerts and to report any potential cyber incident, threat, or attack they find.

We can only act upon the information we know about. The information our partners provide increases our understanding and awareness of the health of the overall cyber infrastructure and improves our response and protective measures.

Second, encourage your partners to participate in public-private partnerships like InfraGard and the financial services ISAC. These collaborations act as force multipliers for increasing awareness of cyber security challenges as well as implementing actionable and enduring solutions.

Additionally, they serve as an easily accessible mechanism to educate people on how cyber vulnerabilities can have real world consequences to our physical infrastructures.

Finally, encourage your colleagues to make security a part of their everyday business operations. It doesn't take long for cyber events to have real world consequences. Have them look at every step of their business lifecycle—from system configuration to in-house software development—to see if common security practices are being followed and that response plans are prepared accordingly. Help them realize that when they build a culture of security within their organizations they make great strides in ensuring the resilience of their business operations.

Laws such as Sarbanes-Oxley, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act (HIPAA) place a fiduciary responsibility on them to ensure the security of their customers' information and their systems. However, in reality, these recommendations are simply the right thing to do for their companies, their customers, their fellow citizens, and the nation as a whole. So let's work together to make it happen.

Before I close, I would like to make one last comment. Thank you for your commitment to cyber security and your active participation in InfraGard. I have had a chance to work with members across the country and know what an important role you all play in our cyber security awareness efforts.

I urge you to use the time at this meeting to learn as much as you can, and then share your knowledge with your colleagues, professional networks, friends and families.

Cyber security is a complex problem, yes, but the dangers are easily understood, and the solution is simple: you can't guard all of cyberspace, but you can protect your piece of it.

###

This page was last reviewed/modified on December 11, 2007.