San Francisco
Moscone Center
Thank you for inviting me to speak here today. I’m excited to be speaking at the largest cybersecurity conference in the world.
Cybersecurity is a major priority for my boss President Obama. It is a major priority for his entire Administration. It is a top priority for the Department of Homeland Security. For me personally, as Secretary, advancing my Department’s cybersecurity capability is one of my top goals in office.
The Department of Homeland Security was formed in 2002, in the wake of 9/11. Counterterrorism is our cornerstone mission. But, the reality is that in 2015, cybersecurity has become a mission of equal importance.
My message to you today is this: government does not have all the answers or all the talent. Cybersecurity must be a partnership between government and the private sector. We need each other, and we must work together. There are things government can do for you, and there are things we need you to do for us.
In private law practice, where I have spent most of my professional life, I was a service provider to private clients. I bring that attitude to cybersecurity.
I am enthusiastic and proud about the direction we are headed.
Under the leadership of Under Secretary Suzanne Spaulding and Deputy Under Secretary Phyllis Schneck, the former chief technology officer at McAfee, we are building an agile and responsive cybersecurity capability.
The Department of Homeland Security is the U.S. government’s central interface with the private sector in responding to and mitigating cyber threats. We are also responsible for the security of the federal civilian .gov world.
Central to our efforts is our National Cybersecurity and Communications Integration Center, or the “NCCIC.”
The NCCIC is a busy place.
In Fiscal Year 2014 alone, the NCCIC received over 97,000 cyber incident reports from the private and government sectors, and issued nearly 12,000 cyber alerts or warnings.
Almost continually, an NCCIC team is in the field, making what is in effect a house call on a company to assess a significant cyber incident and helping them fix it. For certain diagnoses, we bring in more doctors, from the NSA, the FBI, or other agencies, to assist.
The NCCIC identifies numerous vulnerabilities. Last year, across dozens and dozens of departments and agencies of the U.S. government, we identified 265 instances of the Heartbleed vulnerability, and in a three-week period reduced them to two. Last year we helped the private and government sectors address Shellshock, BlackEnergy, Havex, BackOff Point of Sale, Lenovo SuperFish, and other vulnerabilities.
My goal is to see the NCCIC move to an even higher and better level.
I am in the hunt to hire a new NCCIC director. I am personally participating in efforts to find a recognized all-star in the cybersecurity field, and I believe we are going to hire such a person soon.
We are realigning reporting relationships so that the NCCIC director has a direct reporting and information sharing line to me, the Secretary. This is the importance I place on the NCCIC in our cybersecurity mission.
We are enabling the NCCIC to provide near real-time automated information sharing to the private sector. I have directed our team to go full throttle on this. As you know, cybersecurity is about speed.
Last week the NCCIC deployed the capability to automate publication of cyber threat indicators in a machine-readable format. We reached this major milestone five weeks ahead of deadline. Today we are sharing indicators with an initial set of companies and are in the process of adding others.
Later this year, we will be in a position to begin to accept cyber threat indicators from the private sector in automated near real-time format.
We have set up the NCCIC as your primary pathway to provide cyber threat indicators to the U.S. government. Yes, the government is trying to make it easy for you.
Today I am pleased to announce that the Department of Homeland Security is also finalizing plans to open up a satellite office in Silicon Valley, to serve as another point of contact with our friends here. We want to strengthen critical relationships in Silicon Valley and ensure that the government and the private sector benefit from each other’s research and development.
And we want to convince some of the talented workforce here in Silicon Valley to come to Washington.
The new United States Digital Service provides the option for talent to flow and rotate between private industry and our government teams. This will build capacity on all fronts. I hope some of you listening will consider a tour of service for your country.
Congress is poised to help us in cybersecurity.
Late last year Congress passed the National Cybersecurity Protection Act, which codifies into law that the NCCIC is the federal civilian interface with the private sector for cybersecurity. Late last year, Congress also passed legislation to help DHS hire and pay a highly-skilled cybersecurity workforce.
We want to go further. In January President Obama came to the NCCIC and announced that his Administration supports additional laws to establish the NCCIC as the primary portal through which the private sector should pass cyber threat indicators.
To encourage the private sector to share cyber threat indicators with the NCCIC, the President also announced that we now support legislation that will provide protection from civil and criminal liability to those who share cyber threat indicators with the NCCIC.
President Obama has proposed and supports a national data breach reporting system, in lieu of the existing patchwork of state laws on the subject. He has proposed and supports enhanced criminal penalties for cybercrime.
But, we are not just waiting for Congress to legislate.
The President has been active in issuing a number of executive orders and actions to strengthen cybersecurity.
In February 2013, the President signed an Executive Order to promote information sharing and cybersecurity best practices, by the creation of the Department of Commerce’s “Cybersecurity Framework” and the Department of Homeland Security’s C3 voluntary program.
In February 2015, the President signed an Executive Order directing the Secretary of Homeland Security – that’s me – to encourage the further development of private Information Sharing and Analysis Organizations, or “ISAOs.”
In February the President also directed the creation of a Cyber Threat Intelligence Integration Center to be a national intelligence center that “connects the dots” related to foreign cyber threats.
Just a few days ago President Obama signed an Executive Order which authorizes the Secretary of Treasury to impose financial sanctions on those who engage in malicious cyber-enabled activities that are a threat to national security, foreign policy, economic health, or the financial stability of our country.
Two weeks ago I was in Beijing and met with the Minister of Public Security and the Minister of Cyberspace Administration of the People’s Republic of China. Though we have sharp differences with the Chinese Government, particularly when it comes to the theft of confidential business information and proprietary technology through cyber intrusions, we and the Chinese recognize the need to make progress on a range of cyber-related issues. As the two largest economies in the world, the U.S. and China have a vested interest in working together to address shared cyber threats, and making progress on our differences.
We have therefore agreed to further cybersecurity discussions. I believe this will allow us to make progress on cybercrime and other shared threats.
The Department of Homeland Security also has a major law enforcement role in cybersecurity.
The Secret Service is known for the protection of our nation’s leaders. The Secret Service is actually a law enforcement agency, originally formed by Abraham Lincoln in 1865 to investigate bank crime. This mission has evolved over the years to include the investigation of cybercrime.
In February of this year the Secret Service was the lead investigative agency responsible for bringing to justice one of America’s most wanted cybercriminal suspects, Vladimir Drinkman.
Homeland Security Investigations is also involved in hunting down cybercrime.
The United States Coast Guard is involved in cybersecurity – by working to protect our maritime transportation system – a system that contributes $650 billion annually to the Nation’s gross domestic product and sustains more than 13 million jobs – from cyber related threats.
These are some of the things your government is doing in cybersecurity.
Now, there are several things I ask you to think about.
First, we are all only as strong as our weakest link. You know this, as well as I do. The most sophisticated companies and government agencies with the best cybersecurity remain vulnerable to the most basic act of spear-phishing, if just one of our employees opens just one wrong email or attachment.
The same is true of companies with whom you do business and are linked with on the internet. There are wide differences in the level of sophistication in American business when it comes to cybersecurity. Yet we are all increasingly interconnected. This is why I am glad to see on the program for this RSA conference a session on “Combating Cyber Risk in the Supply Chain.”
Those of us at this conference must leave here and encourage others to practice good “cyber hygiene.”
Second, I want you to know that, when it comes to the government’s cybersecurity responsibility, I am determined to root out any turf battles between government agencies. I am encouraging my people within Homeland Security to work in a cooperative and selfless fashion with our interagency partners at the FBI, NSA, Defense, Treasury, Justice and Commerce.
Now, finally, I have an ask: for your indulgence and your understanding on the subject of encryption.
The Department of Homeland Security has both the cybersecurity mission and a law enforcement/counterterrorism mission for the American people. We have feet in both camps. I therefore believe I have a good perspective on this issue.
The current course we are on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security.
Let me be clear: I understand the importance of what encryption brings to privacy. But, imagine the problems if, well after the advent of the telephone, the warrant authority of the government to investigate crime had extended only to the U.S. mail.
Our inability to access encrypted information poses public safety challenges.
In fact, encryption is making it harder for your government to find criminal activity, and potential terrorist activity.
We in government know that a solution to this dilemma must take full account of the privacy rights and expectations of the American public, the state of the technology, and the cybersecurity of American businesses.
We need your help to find the solution.
Homeland security itself is a balance – a balance between the basic, physical security of the American people and the liberties and freedoms we cherish as Americans.
I tell audiences that I can build you a perfectly safe city on a hill, but it will constitute a prison. Two days ago, at the 20th anniversary of the bombing in Oklahoma City that killed 168 people, I said that terrorism of any type cannot succeed if the people refuse to be terrorized.
In the name of homeland security, we can build more walls, erect more screening devices, interrogate more people, and make everybody suspicious of each other, but we should not do this at the cost of who we are as a nation of people who cherish privacy and freedom to travel, celebrate our diversity, and who are not afraid.
In the final analysis, these are the things that constitute our greatest homeland security.
Thank you for listening to me.
# # #