| Home | Information Sharing & Analysis | Prevention & Protection | Preparedness & Response | Research | Commerce & Trade | Travel Security | Immigration |
The threat level in the airline sector is High or Orange. Read more.
Release Date: October 2, 2008
Washington, D.C.
National Press Club
Good morning. I'm really glad to be here and to see all of you and to feel the energy in the room. And on behalf of Secretary Michael Chertoff, Under Secretary Robert Jamison, and the dedicated men and women across the Department of Homeland Security, I want to welcome you to the launch of the Fifth National Cyber Security Awareness Month. Personally, my third awareness month with the Department of Homeland Security and I'm very proud to be a part of this.
And I particularly want to thank the dedicated staff at the National Cyber Security Division for all their work in partnership with the National Cyber Security Alliance to make this fifth awareness month a big success. We've got a lot planned for the month ahead, and I think we're going to make a lot of progress.
A great deal of effort, as I say, has gone into preparing for this month. And I thank each and every one of you who have played a part in organizing today's event. Indeed, I believe almost 40 state governors have issued proclamations announcing National Cyber Security Awareness Month as well. So this truly is a national effort.
Over the past five years we have seen breathtaking changes in the world of technology. Looking back, it's a wonder how we survived without technology that's now commonplace, whether it's PDAs or text messaging or social networking sites.
Back in 2004, at the inaugural Cyber Security Awareness Month, almost a third of the Americans polled believed they were more likely to be struck by lightning than to become a victim of a cyber attack or a security breach. The most common concern of corporate IT departments were spam and denial of service attacks.
The times really have changed. We're seeing now phishing, farming, botnets, Wi Fi, war dialing and domain server spoofing. And we're seeing coordinated cyber attacks against nation states.
So all of these issues have made cyber security a major concern from your home office to the front office, to the Oval Office. The next step is to make it a major priority for everyone.
IT systems and networks, as you all know, are the nervous system of our country's critical infrastructure. So just think of it. We depend on information technology for seemingly everything. Like managing food processing, water purification, electricity generation and distribution. Online banking, telephone transmission. Filing your news stories on time, reporters. Dispatching emergency services and keeping our nation safe.
So protecting cyberspace in my view is as important to our national interests as protecting our land and our sea borders. But it isn't easy. Now, more than ever, this challenge comes with a shared obligation, a civic responsibility.
Government, business, not-for-profits, educational institutions, parents, like me, students and citizens of all stripes, need to be a part of the solution.
We're only going to meet this challenge for securing cyberspace by working together. And getting that word out is what this month is all about. Since the National Cyber Security Division stood up five years ago, we've been working with our partners in government, industry and academia, to make cyber security a national priority and to reinforce our shared responsibility.
I'm truly grateful for the past two years that I've been here to Secretary Chertoff for his leadership and his personal commitment to helping make this happen.
In the past several years, we have progressively enhanced our defensive efforts. But those who are working to do us harm have also become more sophisticated and more targeted. And one of the things I find frustrating is that so many of the successful cyber incidents we see are the result of user error and negligence. Simply not being informed.
And the sober fact is that with the right tools, the knowledge, the resources, our cyber adversaries can steal identities and intellectual property. They can prevent access to essential services and information and they can disrupt the control systems which operate so much of our nation's critical infrastructure.
In the face of these threats there's simply no room for complacency. There's no excuse for ignorance. So at DHS, our mission is to coordinate the protection of the IT systems that maintain and operate the critical infrastructures that are vital to our national security and our economic security.
It's a demanding job. The men and women at NCSD and the US-CERT often work under the radar. Yet, every day they're making a profound contribution to our security.
They answer the call of duty 24 hours a day, seven days a week, 365 days a year. And I mean 365 days a year. Over the past 12 months we have been focusing our cyber security efforts in a number of key areas: enhancing our cyber response capabilities; strengthening federal networks and systems; sharing meaningful information with the people who need it and who can do something with it, and developing a range of tools to help organizations assess and improve their overall cyber security preparedness. Together with the public and private sector partners I can say that collectively we have made notable progress in each of these areas.
And I just want to walk through a few of our accomplishments for you to give you a sense of our progress. We have strengthened our efforts to integrate cyber security across the spectrum of critical sectors, through the sector specific plans that were released last year.
And because cyber security doesn't just apply to the IT sector, we stood up what's called the Cross Sector Cyber Security Working Group, to address cyber risks across the 18 critical infrastructure sectors.
We created a cyber security vulnerability assessment tool that helps public and private sector organizations evaluate the security of their systems and take the necessary steps to reduce their cyber risks and vulnerabilities.
Similarly, and more specifically, we developed a control systems cyber security self assessment tool for those critical infrastructure owners and operators to assess and strengthen the security of their control systems. Whether it's water purification, chemical manufacturing, electricity generation and distribution.
And recognizing the challenges of evaluating the competencies of the IT security workforce, we produced the IT Security Essential Body of Knowledge.
Our state government partners recognize the value of using this framework to enhance their own efforts. And we're currently piloting a program with several states to examine how they can leverage the IT EBK to address their IT security workforce needs.
In fact, the final IT Security EBK is now available at the US-CERT website. Go to it at http://www.us-cert.gov/ITSecurityEBK/. Also we've assisted several states, such as Delaware, Massachusetts and Vermont in their first ever cyber security exercise.
Those exercises demonstrated how interlinked cyber and physical security are and the importance of good relationships among those charged with protecting us.
We continue to build many relationships with many universities that are leading the way in cyber security, research and teaching. There are now 94 centers of academic excellence across 38 states.
That's very impressive. Our Scholarship for Service program continues to attract bright students to become the country's next generation of cyber defenders. Currently there are 200 students enrolled in the program.
Since 2002, nearly 750 students have graduated and gone to work for over 130 different agencies and sub agencies.
In fact, our own Mischel Kwon, in the room here somewhere, the Director of the US-CERT, is an alumnus of this program.
Finally, we also led the national, the second national cyber exercise known as Cyber Storm 2. Many of you participated in that. That was in March. Bringing together more than 2,000 security practitioners, representing over 100 partner organizations from federal, state, local and international government and private and industry.
But perhaps the most prominent example of our commitment to securing cyberspace is the Cyber Initiative, a long term endeavor that extends beyond a single administration or even a single generation.
At the national level, the Cyber Initiative focuses on three areas: establishing a front line of defense by reducing vulnerabilities and preventing network intrusions; defending against a full spectrum of threats through intelligence and supply chain security, and taking cyber security research and development to the next level through workforce education and leap ahead technologies.
Under the direction of Under Secretary Jamison, DHS has the lead responsibility under the Cyber Initiative for synchronizing efforts to protect all federal networks and systems.
We've also been working with partners in industry to secure critical infrastructure. And we'll be focusing an increasing amount of energy there. In the short term, we're planning to increase our public/private information sharing using the sector partnership framework that was developed under the National Infrastructure Protection Plan.
In the longer term, we're looking for new ways to strengthen cyber security across the private sector, working with partners through the NIPP framework, the National Infrastructure Protection Plan. And we'll increasingly be able to identify and resolve cyber threats before they spread.
We also need to beef up our bench strength by educating the cyber defenders of tomorrow and recruiting top IT security talent. At NCSD we're rapidly expanding our own workforce to do just that.
Finally, we are exploring a rotational program to foster workplace exchange between the public and private sectors so that we gain mutual benefit from each other's expertise.
I came to the department from the private sector and I have found this experience one of the most rewarding of my life. So this is the important point: As the Cyber Initiative moves forward we are committed to sharing more information with our industry partners and the general public. We have to. Because they are key partners. All of you are key partners in our shared mission.
So where does that leave us? We've come a long way. But there's always more to do. There always will be more to do. I'm realistic about the dangers that we face but also optimistic about our ability to deter them, as we fortify the commitment of our security partners within and outside of government, domestically and internationally.
I'm also thankful for the support of Congress, from both sides of the aisle, especially Senators Rockefeller and Bennett, for their resolution. They've equipped NCSD and US-CERT with the resources necessary to meet the evolving cyber challenges we face.
By the numbers, since 2004 Congress has increased NCSD's cyber security budget from 66 million to 313 million in FY '09. That's almost 400 percent, and a very measurable recognition of the importance of the cyber security mission and the imperative that DHS lead that coordinated effort.
Thanks to the continuous support of Secretary Chertoff and the White House and congressional leaders, we have other compelling measures of our efforts.
For example, we've grown our NCSD staff from just 48 in 2007 to what we expect to be well over 100 in 2009. We've strengthened cyber incident reporting and response. In 2005, the US-CERT received 4,000 cyber reports. In FY '08 we received more than 71,000 incident reports. That's an increase of almost 1700 percent. That's a sign of both increased awareness and increasing threats and an increasing understanding that DHS US-CERT is the focal point for coordinating that information sharing.
We've provided on site incidence response to 44 federal departments and agencies and also tripled the number of unique subscribers to U.S. cyber security alerts and bulletins and reports since 2004. We've achieved more than a 10 fold increase in the number of visitors to the US-CERT website.
So far, in 2008, more than 53 million visitors have logged on to www.uscert.gov to educate themselves on the latest cyber attacks and vulnerabilities and the steps that they can take to protect themselves and their organizations.
Finally, we've expanding our US-CERT portal, a secure channel to share information across federal government departments. We've expanded that to over 4300 active members.
Through each of these measures we have reinforced the value of NCSD's and US-CERT's role as the national focal point for cyber security, which leads us to today, and I will close.
Cyber Security Awareness Month is an important component of the Department's overall efforts to instill a culture of preparedness in the cyber infrastructure. We'll spend the next five weeks working to place cyber security front and center on everyone's agenda.
Just as the opportunity of living in a democracy carries with it responsibilities of citizenship, so does being a part of the online world. Democracies fail without the active participation of their citizenry. Cyberspace fails when hackers and criminals are allowed to navigate our systems with impunity.
Your government cannot secure cyberspace alone. Neither can your bank. Neither can your school or your favorite social networking site or your utility company. And you can't secure cyberspace alone either.
The one way we can address this challenge is by building and cultivating a culture of cyber citizenship, one in which we recognize our shared responsibility and take action for securing our part of cyberspace. So in honor of Cyber Security Awareness Month, I'd like to conclude my remarks with a call to action to all computer users.
First, stay informed. Educate yourself and others on cyber security threats and vulnerabilities such as phishing and botnets. You don't need to know how to write code to take reasonable precautions with technology. There are a number of very useful sites online to do just that. Go to www.uscert.gov and www.staysafeonline.org and www.onguardonline.gov.
Second, take action. Awareness is only valuable if you apply what you know. Learn and practice the specific actions you can take to protect yourself and your family. This includes installing and updating your anti virus software, turning on your computer's firewall and not opening unsolicited e mails or links. You'll hear more about that from Adam Rak with Symantec shortly.
And, third, remain vigilant. Report any cyber incidents, threats or attacks to your Internet service provider, to your employer's IT department, or the United States Computer Emergency Readiness Team at www.uscert.gov.
With our united effort, we can take back the Internet and show hackers and cyber criminals the recycle bin. So thank you all very much.
# # #
This page was last reviewed/modified on October 2, 2008.