Good morning. Thank you very much Ann and thanks to all of you for allowing me to share a few thoughts with you.
I want to start by quoting the astronomer and author Clifford Stoll who wrote the following in an article in Newsweek Magazine 20 years ago: “Visionaries see a future of telecommuting workers, interactive libraries and multimedia classrooms. They speak of electronic town meetings and virtual communities. Commerce and business will shift from offices and malls to networks and modems and freedom of digital networks will make government more democratic. Baloney. The truth is no online database will replace your daily newspaper, no CD-ROM can take the place of a competent teacher, and no computer network will change the way government works.” I’m sure he’s grateful he never bet on football.
So obviously the cyber world directs, guides and supports us in so much of what we do, not only of course in the government but throughout the private sector and as Michael commented just a few minutes ago, the cyber threat is equally prevalent and only growing.
And so what exactly do we do about it? There are a number of possible solutions. But the one thing I would like to focus on, the one effort that we care so deeply about in the Department of Homeland Security is the sharing of information. And information sharing raises a number of different questions and what I would like to do is share some thoughts with you with respect to each one. With whom do we share information? For what purpose? What is the value proposition of sharing information? And what is the guard against exposure?
Let me first speak to the first question, with whom do we share information? And I think critically, one compelling answer is with each other. Michael spoke of the Information Sharing and Analysis Centers, which are sector-specific and by virtue of the President’s Executive Order earlier this year, we’ve also created the construct of the Information Sharing and Analysis Organizations which allow companies to share information with one another and raise their collective cybersecurity.
And I know you hear from Tom Fanning, the Chief Executive Officer of one of the most prominent electricity companies in our nation, who I think is, quite frankly, a leader in developing a cyber ecosystem within his sector and a prominent proponent of information sharing for the collective good.
One of course shares with law enforcement, the Federal Bureau of Investigation, the United States Secret Service, and in some instances Homeland Security Investigations. And then one has the option of sharing with the civilian part of the Department of Homeland Security. We are defined as a civilian department within the government architecture and we have our US-CERT and ICS-CERT teams, our computer response teams, and a center that works with the private sector in receiving and sharing information.
For what purpose? Each one of these different elements of information sharing can serve a different purpose. Of course when one shares with law enforcement one is really dealing with the accountability mechanism, the function of government to investigate and prosecute the perpetrators and in the cyberspace this is very critical because the actor is traditionally not a one-time actor but a recidivist and the ability to hold an actor accountable prevents that actor from engaging in the same conduct in the future.
The other is remediation. The curative effect. Cleansing the system. Patching the network. And hopefully guarding against the same harm inflicted on another occasion. And by the way these are not necessarily exclusive with one another but they are sometimes distinct in separate channels. And I think what I have sensed in speaking publicly on this subject of information sharing is that companies sometimes feel a tension with cooperating with enforcement on the one hand and perhaps cooperating within government’s remedial efforts on the other. And just as the private sector feels that tension, quite frankly the discussions are going on within the government about that very same tension.
In what instance and in what circumstances is it actually most effective in the service of the public to actually share information in the first instance with those authorities that can provide remedial resources and help a company or an industry address a threat from a patch and vulnerability exposure perspective?
And what we are talking about within the government is actually developing an architecture for the delivery of a prioritization scheme and developing criteria that will help us within the government decide how best we collectively should respond to a particular incident and the consequences of each stream are sometimes distinct.
The Administration has spoken and if one is aware of the Administration’s position with respect to the Cybersecurity Information Sharing Act which is now working its way through the legislature.
The Administration has said that the Department of Homeland Security should be the primary portal. The civilian department should be the primary portal and then it will disseminate the information it receives to its government partners for their discrete purposes. And one can see that in the discussion of the legislative language. The Administration supports the term: the Department, through its NCCIC, will be the portal rather than a portal, and the Department is developing, we are developing, the capability to share information across the government in near real time in an automated form.
And therein lies another critical component of the legislative language, whether we share that information in real time or whether we share it in near real time. And the reason why we, supported by the Administration, believe profoundly that that term “near real time” is so critical is that it allows us to scrub in automated form personally identifiable information and other information that carries with it significant privacy interests that do not necessarily serve the discrete interests of the enforcement or investigative communities.
And we will develop and we are developing that near real time information sharing mechanism in automated form but we will preserve the right to have the human eye evaluate those cases that present unique legal or other privacy challenges. And so, we, the Administration, believe that the Department of Homeland Security should be the portal.
What is the value proposition? As I mentioned in the sharing of information of course one can bring an accountability regime to bear upon the perpetrator, but the real overarching goal from a public good perspective is the following: that the harm that one company suffers today will not be a harm that another company suffers tomorrow.
Because the sharing of information with respect to the harm that befalls a company today, if one shares that information across one’s industry and even more broadly then the cyber threat indicator information will enable other companies to guard against that very same harm and to develop the defenses to prevent it from inflicting harm again. And that is how we raise the bar of the cyber hygiene ecosystem collectively.
We actually advocate that the cyber threat indicator really should no longer be a commodity that is sold in the marketplace. There are many capabilities that could be sold for profit and of course so many of you engage in the acquisition of those resources and those capabilities: the defense, the perimeter defense mechanisms, the defense-in-depth mechanisms. But the cyber threat indicator, if we can get to a place where those are not sold as unique commodities among limited partners but shared widely as a public good, we think the greater good will best be served.
What exactly is the guard against public exposure? Many companies are hesitant to share information with the government because of the liability that could follow. Well of course the Cybersecurity Information Sharing Act presents a legislative proposal that presents a liability protection for the sharing of information with the government.
Certainly from a privacy perspective, I should share with you, that in the Department of Homeland Security when that information is shared with us, insofar as it impacts critical infrastructure, we are actually prevented from releasing it under the Freedom of Information Act and also prevented from sharing it with regulators. And so the liability protection that the current legislation captures is one way of guarding against exposure.
If I can share with you a bit of commentary, I was a prosecutor for 12 years, a trial prosecutor in the federal system as an Assistant United States Attorney for nine years and as the United States Attorney for three, and so I’m very familiar with pursuing liability and seeking to impose liability before a trier of fact.
In the cybersecurity realm, I observe something that I think is very odd to which I am not accustomed and I think some policy debate needs to occur more robustly around this following fact: that what I observed is an increasing pursuit of corporate liability for inadequate cybersecurity regimes within a company without there being yet a clearly defined standard of care.
And that’s not necessarily true in every aspect of industry, but it is certainly true in quite a number of aspects and quite a number of sectors and business endeavors. It just seems odd to me that the crucible of the courtroom is the place where case by case a standard of liability will be defined.
What is the necessary prerequisite to really engender a greater level of information sharing within the private sector and specific to our interests in the Department of Homeland Security? What will it take for us to really develop a culture where private industry feels comfortable, feels confident, and feels that value is added in sharing information with the government?
I think that in the post-Snowden environment there is a chasm between the private sector and the government and that is a chasm of distrust and I think that what we have to do is we have to shrink that chasm and we have to build a bridge so that it really becomes a thing of the past. And until we overcome at least the level of distrust that exists or has existed over the past few years, I think we are going to have an uphill battle.
And I will share with you, I spoke a few months ago in Las Vegas at a conference of ethical hackers and I know that conjures quite an image, but there were two things that they spoke of that they felt were militating against the development of a greater level of trust that I was asking for.
One is the battle over encryption. We in parts of the federal government and certainly in the intelligence community and investigative community we call it going dark where we lose lines of communication that have a criminal purpose to them, or worse in terms of the public harm, a terrorist element to them and we lose the ability to see those communications and respond in a safeguarding manner. And that is deeply troubling to us.
And at the very same time we understand the extraordinary value of encryption. We understand that encryption has been, is not a recent phenomenon, but is an avenue that has been built and is being built over many years and we understand its societal and public value. And so the battle around, and battle is too strong a word, but the debate around encryption has trust development ramifications that we need to work through. I think we, quite frankly, have well identified the challenge, have well identified the problem, but need still to develop a solution.
Also and lastly the trust coefficient is not facilitated or strengthened by virtue of the Wassenaar Agreement, an international agreement that we signed to prevent the proliferation of cyber technology and cyber research and knowledge for improper purposes.
And I think in trying to thwart a public harm, we created an architecture that imposes upon a public good, and the dissemination of research and knowledge in technology for good, for good purposes. And I think that we have to take a look at the Wassenaar Agreement and we are revisiting its scope and impact upon the interests that we seek to further and promote.
My hope is that the legislation that is currently passing through Congress or working its way through Congress, passes and the trust deficit that we have experienced over the past few years is addressed favorably. And most critically, it is addressed through experience; through the experience of the private sector sharing information with the government, with the government being able to disseminate information broadly throughout the country, and everyone realizing through that experience that the government brings value to the collective cybersecurity of the corporate world, the private sector, and our nation as a whole.
And it is through that experience and that value proposition that the trust grows throughout the weeks and the months and the years ahead. And with that I thank you very much for allowing me to share some thoughts with you. Thank you.
Deputy Secretary Mayorkas delivers remarks on the Department’s cybersecurity efforts at the 4th Annual Cybersecurity Summit hosted by the U.S. Chamber of Commerce (DHS Photo/ Barry Bahler)