Secretary Mayorkas delivered the following remarks in his keynote address to the Munich Cyber Security Conference in Munich, Germany.
Good morning, and thank you very much.
In 1996, the prominent activist John Perry Barlow published his “Declaration of the Independence of Cyberspace”, a foundational document in this new realm’s history. Its preamble began: “Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.” Barlow’s sentiment carried the day at the inception of the digital revolution, where the rapid development of the information superhighway, unconstrained by geography and government, heralded a more democratic, egalitarian world.
Twenty-eight years later, the cyber landscape has changed dramatically: the technological advances are exponential, society is more connected, information is more accessible, and productivity has increased. So too, however, has the cyber threat landscape changed dramatically, humbling our initial idealism. Today, individual lapses in cybersecurity vigilance can have grave consequence – the nationwide disruption America experienced in the wake of the Colonial Pipeline ransomware attack signaled that quite clearly; computer viruses have changed the face of warfare; ransomware can cripple healthcare systems; foreign adversaries have weaponized cyberspace to undermine domestic stability; and much more.
Now, as we gather here in Munich, the rapid evolution and accessibility of artificial intelligence technology promises to accelerate both the development and risk of cyberspace. The world is on the cusp of a new era in the digital revolution. As both the public and private sectors prepare to enter it, our collective commitment to security must be on equal footing with our collective commitment to growth.
Industry must be a part of that collective. The failure of the past to address the social and security implications of raw technological progress will, with the advent of generative artificial intelligence, have dire consequences.
We must answer the question of how security and governance should be exercised on this modern digital landscape, in service of the world’s economic and social well-being. I am grateful to the Board and Directors of the Munich Cyber Security Conference for the opportunity to share my thoughts in response to this seminal question.
There are advocates who argue that the hands-off approach of nearly three decades ago, wherein technology progressed with remarkably little regulation, and individual actors subsequently shouldered immense levels of risk, has proven too dangerous. They argue that cyberspace today is a public good of incalculable value, with extraordinary potential to do harm – and that, like nuclear power or the automobile industry, a compulsory regulatory framework is required to ensure its continued security, trustworthiness, and usefulness. They also point out, correctly, that a laissez-faire model is not in the offing regardless. Both the United States and Europe have enacted, and are moving toward, greater cybersecurity-related regulation.
Conversely, there are those who contend that an approach that pits regulators against companies as adversaries, no matter how well-intentioned, risks stifling innovation and world-altering progress. They argue that the market is the best determinant of how important consumers and users view security. They, too, correctly point out that attempting to regulate every element of the design, development, and production process will quickly prove unproductive and unsustainable.
Neither approach is without merit, but neither approach is sufficient in-and-of itself to meet this moment. Instead, both are required.
We need to build a cyber ecosystem that balances and harmonizes the responsibility for security across both its regulatory and voluntary elements.
We need a new cyber-social compact – an agreement among all members of the digital society that our shared interest in security demands both regulation and individual responsibility, and a reciprocal commitment to meeting both imperatives. There is much the private sector, and the government, do not know, but a compact grounded in humility and cooperation can help light the way.
The cyber-social compact I envision is defined by three broad principles.
The first is burden-sharing.
For decades, while many companies focused on developing products with an understanding of and a responsibility for their security and societal implications, others did not devote enough time or attention during the design phase to mitigating vulnerabilities or considering the long-term implications of their products and services. Those responsibilities and risks, sometimes geopolitical in nature, are instead devolved downwards. In this mode, the customer winds up shouldering a disproportionate burden to keep all of us safe. This approach is unfair and unsustainable, and it will only grow more so in the years ahead.
Our cyber-social compact must address the disproportionate burden that the current system places on individuals and end users, and move the burden upstream, to developers. It is imperative that every company prioritizes security and resilience in their hardware manufacturing and software development – even when that priority runs counter to quick profitability.
This is the principle of “Secure by Design.” We in the Department of Homeland Security and across the federal government have worked proactively with technology providers and executives to entrench, but not compel, such design as an industry-wide obligation and goal to reach. But only government has the ability to establish a “Secure by Design” standard. Such an approach is essential to enabling all consumers to trust the safety and integrity of whatever technology they use, and to prevent companies from undermining crucial security measures for the sake of profit.
The second principle is baselining, the setting of minimum-security standards.
Under this approach, government works directly with the private sector to set a minimum acceptable threshold of requirements for cybersecurity. This enhances the security of the entire cyber ecosystem by relieving the individual consumer, who is often ill-equipped or unaware, of the sole responsibility – and it ensures that the long-term approach to regulation is adaptable, comprehensive, and feasible, while lowering the risk of destabilization.
The minimum-security standards should be principles- and performance- or outcome-based, rather than prescriptive — with respect to design. Designs can too rapidly change. They should also be set cognizant of the reality that a one-size-fits-all approach is unworkable and ill-fitting, especially given variations in use, structure, capabilities, and resources.
One way to inform a baseline is by leveraging common frameworks published by the International Standards Organization, the National Institute for Standards and Technology, and our Department’s Cybersecurity and Infrastructure Security Agency, or CISA.
The Department of Homeland Security has utilized these frameworks as tools to inform voluntary cybersecurity practices as well as regulatory requirements. Our United States Transportation Security Administration, or TSA, for example, utilizes both regulatory and non-regulatory approaches to working with stakeholders to strengthen their cybersecurity posture. Following extensive collaboration with aviation partners, rapport-building with industry, and feedback from stakeholders, TSA issued cybersecurity requirements for airport and aircraft operators, and passenger and freight railroad carriers, as part of our Department’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure – an effort that we work very closely with [Deputy National Security Advisor] Anne Neuberger on. These require TSA-regulated entities to develop and take measures to improve their cybersecurity resilience, and prevent disruption and degradation to their infrastructure. The regulations are performance based and variable according to the risk profile and capability of the entity.
These steps can work: a 2022 report by the cybersecurity company Dragos cited TSA Security Directives as likely having a direct correlation to a significant improvement in the security of our country’s oil and natural gas sector.
The final principle of the cyber-social compact is a commitment to move at the speed of business.
Back in 1996, Barlow disparaged the governments of the industrial world as “weary giants of flesh and steel.” In the modern cyber landscape, government must instead be agile and adaptive.
The correctly-held concern with regulatory action is that it can stifle innovation and progress. Advances are being achieved at such a fast pace, yet the regulatory apparatus is slow, cumbersome, and certainly not nimble.
Yet, need that be so? Why are we complacent with a regulatory architecture that was designed decades ago; that is fundamentally not tailored to a specific industry, and is, instead, too much a one-size-fits-all model of governance?
I propose that we design a new regulatory architecture for the technology sector – one that has, among others, the following qualities:
First, the regulations are promulgated in line with the social compact, the product of intense engagement and partnership with the technology companies themselves.
Second, the speed with which they can be implemented is vastly accelerated, so that they can more ably meet the moment in a rapidly-evolving and dynamic environment.
Third, and relatedly, that they be easily adaptable and modified to address the changes afoot or imminent.
And, fourth, and leveraging the baseline approach I spoke of earlier, the regulations need not be unduly prescriptive but rather advance the security framework that will guide our security forward.
If government is to be a valuable and valued partner, a force for progress in all regards necessary, it must prove itself — in this case, build itself — as capable of keeping pace with the companies and their technologies that are helping to design the future.
I realize that some may favor a more prescriptive, even a more aggressive, approach to government regulation. I do not think that is an effective approach. It is one that will undermine the key foundation of the social compact that is required to succeed: in a world in which we cannot regulate, or prescribe, every aspect of technological development, one must rely on voluntary investments and commitments as well. Undue compulsion risks breeding adversity between the public and private sectors, and adversity chills the very volunteerism upon which we rely. Fundamentally, to succeed in innovating and in securing our cyber ecosystem, we must be partners.
At the same time, we also cannot afford to be laissez-faire about the future. That has been our general approach for the past three decades, and the results are clear: despite years of effort, our cyber systems are still too unsecured, too prone to attack, too dependent on the actions of each individual user – and cybersecurity is only as good as its weakest link. Government has an essential role to play in raising that bar. Industry has proven it will not do it alone.
A hybrid, collaborative approach, built upon our shared interest in security, is essential to building and sustaining a cyber ecosystem that is able to evolve and expand, yet remain trustworthy and therefore useful. A new cyber social compact is required.
Forums like this – the Munich Cyber Security Conference – provide an important opportunity to discuss and refine these approaches, respectfully and as allies. I look forward to this critical work with all of you.
But we all need to step up, and step up now. I leave you with this final point: the imperative of dual responsibility is not a matter of the future. It is a matter of the present, of now. The pace of innovation is accelerating, and each of us — industry and government alike — must fulfill our respective responsibilities immediately in order to guard against a future that we will have built but did not intend. Government has its role to play, and industry has its own. Responsible citizenship extends to both.
Together, we can continue to build the safe, secure society all of our constituents and customers deserve and require.
Thank you.
###