| Home | Information Sharing & Analysis | Prevention & Protection | Preparedness & Response | Research | Commerce & Trade | Travel Security | Immigration |
The threat level in the airline sector is High or Orange. Read more.
Release Date: February 8, 2007
San Francisco, California
RSA Conference
(Remarks as Prepared)
Thank you art for that kind introduction. I look forward to the RSA conference every year and I am delighted to be here and see so many familiar faces in the audience.
And I also want to congratulate RSA for this very successful conference. It seems to me those letters – RSA – have come to signify more than just the company and its prominence in the security space. They’ve also come to signify this very conference, and the culture of security all of you have perpetuated year after year by coming here and driving market awareness of this critical mission. So thank you and congratulations to RSA, to Art Coviello, and to all of you.
Just 4 months ago before I started this assignment in government, I was, as many of you know, one of the industry faces looking onto this stage and doing my part to secure our cyber and communications networks. And now I’m here reaching back out to my community to convey to you a perspective I have been gaining about our joint security challenge. It’s a perspective that synthesizes the interests between the private sector and the government. That’s what I want to talk with you about today.
Here’s how I’d like to approach it – and I’m very eager to hear from you, too, as we move later into the town hall discussion. First, I will level set and describe what I see as the environment we’re in – the opportunities, the vulnerabilities, and the threats that it presents us. Then I want to briefly describe how my organization – the Office of Cyber Security and Telecommunications – is structured to meet those challenges. I’d then like to highlight my priority objectives, what we have done thus far, and finally, explore a few ideas about how you -- industry -- can partner with us to strengthen our national cyber and communications security.
Let me just say at the outset how honored I am to be appointed the first Assistant Secretary for Cyber Security and Telecommunications. As some of you know, I was one of the many industry leaders vocally supporting Secretary Chertoff’s creation of this position. The notion was that there should be in the government a focal point for driving national solutions for cyber and communications security across government and the private sector.
I just didn’t expect that the secretary would call on me to do the job. But I am honored that he did, because this senior level position shows the administration’s commitment to this national challenge, and it raises the visibility and influence to advance our mission.
And I am very humbled to be given the opportunity to serve our country. You know, before I came to government, I didn’t really have a full appreciation of the phrase—“serve our country.” But now I do. I take it very seriously. And I’ve also come to realize that when it comes to this mission – to cyber and communications security—you all, in this security industry – you’re serving the country too. With your innovation and with the partnership with government many of you have committed your companies to.
So, alright, let’s talk. Here’s how I see the cyber world—how I form the basis of my mission.
We live in a world that operates on a vast infrastructure of information and communications systems – an interconnected network that supports and operates virtually everything we do—and everything we need—to keep our economy growing and our citizens secure. Financial services, transportation, government, emergency services, online commerce, health care, manufacturing, and process control systems. These are all functions of a robust economy and are critical to the nation. IT and communications networks support these critical infrastructures and must be protected.
And how will we protect these networks? Frankly, it might not be getting any easier. In the next ten years or so, a single, advanced integrated IP network will likely be handling the majority of the world’s communications needs. This converged broadband network will extend well beyond local and long distance voice, video, and data. And it will support an ever-widening array of services across a billion connected devices globally. This proliferation of devices and applications within the converged networks – it’s going to create a breeding ground for security problems.
Now, the boundary between national and international networks is blurred as well. Security risks, threats and vulnerabilities are simply not localized to the national environment.
And you know, I’ve spent my career in industry defending and promoting globalization—its efficiencies, wealth production, economies of scale, its engine of competitiveness. But now that I’m in government, I have a new perspective. That is, the more this IT industry becomes globalized in the design, manufacturing, and outsourcing of products and services, the more opportunity there will be for vulnerabilities to be introduced somewhere along the supply chain. That is to say, global connectivity and access will enable attacks and vulnerability exploits from around the world, using a multitude of methods.
And this is happening now. You all know the litany as well as I do. We continue to see attacks in the form of denials of service, as we saw against the root servers on Tuesday, viruses, worms, trojans, phishing, pharming, botnets.
Estimates of the direct financial losses due to phishing alone exceed $1 billion annually.
This is what we’re concerned about at DHS – and especially about how these attacks could find their way not just into our cyber and communications infrastructures, but into our physical infrastructures, through their control systems. These attacks could come from anywhere; through anyone. This is what we at DHS – and I know you—are dedicated against.
This month marks the four-year anniversary of the national strategy to secure cyberspace, the foundation by which we have built our public and private efforts to address the cyber challenge. In the past four years we have collectively made great strides, in my opinion, toward securing our networks, reducing our vulnerabilities, raising awareness, and improving our response capability. But the cyber threat we face continues to evolve and much work remains to be done.
Make no mistake: our networks and systems are vulnerable and exposed. Our adversaries are sophisticated, nimble and organized and they will stop at nothing to achieve their motives, which include economic gain or damage, espionage, revenge, publicity.
The evidence shows that attacks on our infrastructure are growing in sophistication and frequency. In FY2006, our cyber security operations center, United States Computer Emergency Readiness Team (US-CERT), received over 23,000 incident reports from public and private sources. We’ve nearly reached that number in just the first quarter of FY07 alone. And those are just the incidents that are reported to us.
Some of this increase can likely be attributed to higher awareness levels and reporting rates; however, much of it is due to the growing scale of the threats we face from both domestic and international sources.
Unauthorized network access into one provider’s network can easily lead to exploitation of an interconnected network and its associated services; it is an example of the exploitation of the weakest link that can threaten the network’s integrity and service continuity.
Our US-CERT estimates that there are more than 3000 active botnet command and control channels representing literally millions of high jacked computers. These botnets are used to launch denial of service attacks, distribute spam, compromise data, and steal identities, all without users even knowing they are victims.
So that’s the less-than-rosy picture. What are we doing about it? What do we need to do about it?
Let me give you a quick overview of my organization and how it’s structured to manage the challenge. Broadly speaking, the Office of Cyber Security and Telecommunications—or CS&T – helps to ensure the security, integrity, reliability and availability of our information and communications networks. This responsibility is vested in three organizations within my office:
The National Cyber Security Division, which fosters a public-private partnership for cyber security awareness, risk management and mitigation; and information sharing and incident response.
The National Communications System, which ensures that the government and our nation have access to communications in times of national emergency.
And, the Office of Emergency Communications, which sets national policy, standards, practices and technical assistance for emergency, interoperable communications for federal, state and local first responders. The OEC, just created by the Congress last August, is set to go online by March 31.
The fact that we have both cyber security and communications on our watch is a central element of our strategy. And we have the leadership team in place to execute that strategy.
I described to you earlier the convergence taking place between the information and communications networks – the evolution we’re seeing from circuit switched networks to next generation, IP, packet-based networks. The “cyber” is the information and instructions that flow through and, increasingly, control, the pipes. The pipes constitute the “communications”. They’re really inseparable. CS&T is organizing to reflect that convergence, so that our policies and techniques for ensuring the security of our information and communication networks are functionally aligned.
Now, my priorities. You know, I’ve spent the last four months getting it all to crystallize. I’ve been doing a lot of listening and observing. I’ve certainly seen that the challenge is formidable. My newest staff member came into my office after his first week of introductory briefings and said he felt like a 60-watt bulb on 100 watt circuit. I was sympathetic. After my first week, I felt like a laptop taking a download from a supercomputer. But at the end of the day, I think we’ve processed this great current of information into a coherent mission. This is what we have to do:
First, prepare and deter. This means all enterprises – government, commercial, academic and non-profit – need to systematically assess their network vulnerabilities and take steps to fix them – to deter attacks. Our networks by and large are all interdependent, so this has to be a collaborative effort, based on sharing information about what we find and how we deter. We are all too interdependent to do this independently.
Second, respond. Our operational strike force – the US-CERT – is the government’s hub for situational awareness and incident response. We’re not doing it all ourselves, but leveraging the operational capabilities of other government, international and private sector CERTs. We need to continue to build this capability across government and across all the critical infrastructures, so that we can coordinate response to a cyber attack of potentially national significance.
And finally: build awareness. Home users, private companies and non-profits, and government—all need to be aware of their responsibilities for securing our networks. It’s a cliché but it’s true: we’re only as strong as our weakest link. Building awareness is my job and it’s your job. You all in the security industry know this better than anyone.
Now, I want to get specific on the first two priorities. Over the next year I will be spending considerable time on the following:
And I want to spend the next few minutes drilling down one step further about the second action item – our partnership with you, the private sector. This is I think what is most relevant to us today.
I said a little while ago that you in the security sector share my mission; you’re serving our country. How so?
First: preparedness: many of the companies attending here, and the associations representing them, have participated over the past year in a process in Washington called the National Infrastructure Protection Plan. There are a lot of plans in Washington; this one is going to stick. This is a framework called for by a presidential directive that brings together industry and government to assess our infrastructure vulnerabilities, evaluate the risk, and take steps to mitigate those vulnerabilities according to a risk management model.
That plan was then broken down into sector-specific plans. The development of these plans was again a collaboration between the major industry and government stakeholders to commit to steps and milestones to strengthen and protect key assets and functions. The sectors with whom my office in DHS partners are the IT and Communications sectors. The mission is cyber and communications security. These sectors have organized themselves into strategic policy units called Sector Coordinating Councils, and operational units called ISACS – Information Sharing and Analysis Centers. You will meet their leaders in the next segment of this town hall.
These organizations are populated by a number of household names in the IT and communications sectors by many of you; they have dedicated their resources and expertise to tackling a very challenging job. I know how challenging -- I was an industry representative helping to stand up the IT sector coordinating council in 2005-2006. And we knew we needed to do this because the private sector owns and operates 90% of the critical infrastructures, and it’s up to the private sector, to you all, not just DHS, to secure those networks.
So these are dedicated companies that have calculated and confirmed the business value of their involvement in this process – the return on investment. This is the point. They’ve calculated that the cost of inaction is just too high and the collective benefits accruing from a stronger security posture nationally is worth organizing for. Many companies who have not participated in this formal process have nevertheless made impressive strides toward implementing such risk management programs, and I applaud you, and I invite you to participate in this national effort. Other companies are at varying stages of such a process.
So: this is my first message to you: any company that operates a network, that manages proprietary and business sensitive information, that connects to the public networks – should seriously consider participating in the it and sector coordinating councils and the IT and communications ISAC’s. Please join with your industry colleagues, and with DHS, to implement the sector specific plans, and engage in the operational strike force—the ISACs —for protecting our networks.
The fruits of your labors – the IT and communications sector specific plans -- were signed off by the industry leaders last month. Over the next year, it is time to implement them, so to those who haven’t yet participated, you’re just in time to jump in with both feet. We’ll tell you more how to do that in a few minutes.
My second message to you: we have many good references for how we implement those plans – references, standards, best practices, generated collaboratively over the past several years by the government and private sector – such as the National Cyber Security Partnership, and Florida congressman Adam Putnam’s Corporate Information Security Working Group. These groups, populated by some of the most knowledgeable companies, associations, and professional groups, considered an array of improvements in security standards, governance and best practices, as well as software assurance, situational awareness, incident response, and incentives for generating more investment in security technology and practices.
You know, there hasn’t been a shortage of solutions; there was just a lack of leadership and will. It is time to put those recommendations to work and I am here to push us all to see that hard work to fruition.
Just for example, what if every organization committed to invest in the fundamental building blocks – the virtuous cycle -- of security -- something we can all agree on:
There are numerous references for how to do this, as I alluded to before – ISO 17799, guidance from the national institute of standards and technology, TechNet’s CEO security guidance, the National Cyber Security Partnership’s corporate security governance recommendations, which, by the way, was co-chaired by Art Coviello in 2004. Those are just a few. Those are ready for action.
What if we all did that? I would wager we would see dramatic and measurable improvement in our national defenses against cyber criminals, terrorists and hackers. Many organizations are doing this. Many are not. There must not be any more delay.
I’d like us all, and our friends in the congress, to spend the next year considering what incentives -- legislated or commercialized –will drive investment in security technology and practices.
So, I’ve talked about preparedness. Now a final word about response. The DHS operational partnership with the private sector is now more important than ever, as the increase of zero-day and coordinated attacks strain our ability to ward off catastrophic effects. What is needed is for us to work side by side, preparing and responding, side by side.
So, I am excited to report that this month, my US-CERT will be co-locating its watch and warning personnel with those from the Communications ISAC, known as the National Coordinating Center for Telecommunications. We expect soon to include representatives from the IT-ISAC as well, so that we can have a collaborative, real time and trusted information sharing environment that enables us to see what’s happening on our networks and take immediate steps to fend off attacks. In time, we expect to strengthen this capability with other sectoral ISAC’s, so that we will have a synthesized, cross-sectoral view and incident response capability.
We are also working to refine written documentation establishing a concept of operations – for how the US-CERT and our industry partners combine forces during an incident. And we will bring in partners from other agencies as well, particularly the Defense Department’s Joint Task Force for Global Network operations, which has a robust capability for watch, warning and response.
And then we exercise. And drill. And exercise again. Our first major international exercise was called Cyber Storm, last February. We are now planning and training for Cyber Storm II, to be held in March of 2008. Those exercises bring together federal and state government players, private sector, and international partners, to respond to multiple scenarios so we can assess our planning and response capability, and our areas needing improvement. This strengthens us. We’re quite serious about this effort.
Okay, let me summarize here in a way that makes sense to me and which I hope does to you too:
It’s important to look at the CS&T mission for cyber and communications security in the context of the overall DHS mission, and how they are aligned.
The DHS mission is to:
1. “Continue to protect our nation from dangerous people”: this includes addressing malicious actors and related activity that may emanate from other countries or, may access U.S. networks from anywhere in the world.
The DHS mission is to:
2. “Continue to protect our nation from dangerous goods”: this includes exploit tools, such as worms, viruses, denial of service attacks, and various forms of malware that may emanate from anywhere in the world.
The DHS mission is to:
3. “Secure critical infrastructures”: this includes all-hazards preparation and deterrence. It means owners, operators, and users collaborate in risk management.
And, the DHS mission is to maintain a:
4. “Nimble and effective emergency response system and culture of preparedness”: this includes all-hazards response capabilities of the owners, operators and users.
In closing, I like to think of our joint mission of security as -- a network:
First, it’s a network of technology and systems. To you I say:
DHS pledges to work with you to keep that innovation network -- working.
Security is also a network of defenders:
Join the industry groups that have stepped up – the Sector Coordinating Councils for Policy and Preparedness; and the Information Sharing and Analysis Centers for operational information sharing and response. They’re integral partners to DHS. We’re all vulnerable and we need to partner.
And on that point, security is a network of partners – government and private sector.
Use our US-CERT – that’s U.S. - hyphen - CERT - dot – gov—or this week, booth 636—to be the information link for industry – across all sectors and ISAC’s that participate.
I’ve described the US-CERT earlier: this is the link that allows the defenders to send and receive network intelligence, so we can correlate anomalous activity, and take steps to mitigate against impending threats.
That way, we’re forewarned, forearmed and linked up to respond in the event a major incident occurs. This is the defenders’ network and it includes your government partners, your government customers. We’re in this together.
But we need you to play hard, because there’s another network out there, actually many networks, and they’re malicious, technologically sophisticated and well organized. They’re out to get your money; they’re out to steal vital information; and they’re out to disrupt our operations.
We’re all part of the solution. We are all part of this interconnected network.
Together we can strengthen our defenses, reduce our vulnerabilities, and maintain our way of life.
Thank you.
This page was last reviewed/modified on February 8, 2007.