San Jose State University
San Jose, Calif.
Remarks as Prepared
Thank you for the introduction President Qayoumi. I'm happy to be here at San Jose State University, an institution which has produced many of the innovative thinkers and doers of the cyber age. It's no exaggeration to say that Silicon Valley – and indeed our society – would not look the same were it not for this campus. Some of our nation's great tech companies -- including Intel and Oracle – had their origins right here, in the minds of San Jose State students or alumni.
By the way, I am an alumnus of Santa Clara University just down the road. So this is a bit of a homecoming for me, too. So it is entirely fitting that we chose San Jose State to summarize our current efforts to secure the cyber domain, including building a world-class cyber workforce at DHS.
Of course, few of us need to be reminded of the impact that the cyber revolution has had on our lives. From the kitchen table to the classroom, from business transactions to essential government operations and services, cybersecurity is an issue that impacts all of us. Whether you checked your smartphone this morning to read the news or signed-on to your bank account online or used a GPS system to make sure you didn't get lost on your way here … we all rely on these devices and the networks on which they run.
As more and more daily functions rely on digital systems, the importance and necessity of protecting our computers, mobile devices, and networks will only continue to increase.
And this isn't just an issue for consumers. While the vast majority of the nation's cyber infrastructure resides in private hands, the national security and economic risks associated with these assets are so profound that their protection is of national importance. To minimize the risk of a successful cyber attack, we need everyone, including our industry partners, the general public, and yes, our partners in academia, to do their part.
Evolving Threat Landscape
The cyber domain has become inseparable from our daily lives. And while this increased connectivity has led to amazing transformations and global advances across society, it also has increased the importance and complexity of our shared risk. Cyber attacks can be carried out by individuals, criminal and terrorist organizations, and even by nation states. They can exploit vulnerabilities in cyberspace to steal money, intellectual property, or information. In some cases they can disrupt, threaten, or destroy the availability of critical services such as electric power and running water.
Cyber attacks have increased significantly over the last decade. Indeed, they have increased significantly over the three-plus years I've served as DHS Secretary. Threats in the cyber domain encompass a broad range of activities, from targeted spear-phishing attacks, to malware, to denial of service, to intrusions into the control systems of government networks and systems that manage critical infrastructure.
Here is a quick sense of scale. Just last year, DHS's U.S. Computer Emergency Readiness Team (US-CERT), which is our 24 hour watch and warning center, responded to more than 106,000 incident reports, and released more than 5,000 actionable cybersecurity alerts and information products to our public and private sector partners.
We should not assume that attacks target only our government or corporate networks either. These crimes can have real-life victims and human consequences. We've all heard of hackers stealing credit card numbers, and other types of banking and financial fraud. But we also face cybercrimes that include the exploitation of children.
Last year, for example, Attorney General Eric Holder and I announced charges against 72 individuals for their participation in an international criminal network dedicated to the sexual abuse of children and the creation and dissemination of graphic images and videos of child sexual abuse. A number of these were children under age 12, some much younger.
The DHS Mission in Cyberspace
So how do we address these threats? Moreover, how do we address them across a distributed network that is largely controlled by the private sector, and yet, touches every single one of us – from large companies to individual users of the Internet?
We do it by fostering a culture of shared responsibility, engaging all levels of society, and working with key stakeholders to make cyberspace as safe and secure as possible.
DHS has some very important responsibilities with respect to cybersecurity. While the Department of Defense has the responsibility to protect the military – or dot.mil – networks, DHS is responsible for securing federal civilian government networks – the dot.gov domain –in partnership with federal agencies.
To protect these networks, we are doing a number of things: We are deploying programs to detect and block intrusions of government networks. The reason is clear: the faster we can detect an intrusion – or even an attempt – the faster we can respond to it and therefore mitigate any potential damage.
But we are planning to do even more. In fact our Fiscal Year 2013 budget includes significant new funding to support federal civilian departments and agencies in developing capabilities that will improve their cybersecurity posture and thwart advanced, persistent cyber threats.In addition, DHS is responsible for coordinating the national response to significant cyber incidents and for creating and maintaining a common operational picture for cyberspace across the government.
This means making sure our nation has a well-conceived, coordinated plan for how we respond to a major cyber attack. Over the past few years we have worked across government and with the private sector to develop the nation's first Cyber Incident Response Plan, which defines roles and responsibilities, and which we have used as the basis for two national exercises.
In addition to protecting civilian government networks, DHS must also work with owners and operators of critical infrastructure to help them secure their own networks by conducting risk assessments and then recommending actions to fill gaps and mitigate risks. "Critical infrastructure" means key systems and assets upon which Americans rely, such as the financial sector, the power grid, water systems, and transportation networks.
As I noted, we share threat information with the private sector through US-CERT to help raise overall awareness of potential cyber threats and the actions we can take to address them. To combat cyber crime, we also leverage the skills and resources of DHS components such as the Secret Service, ICE, and CBP, and we work closely with the FBI on individual cybercrime investigations.
Last year, for example, the Secret Service led an investigation that identified a person who had breached a Federal Reserve Bank computer server as part of a scheme to commit fraud. After analyzing this individual's computer, we found credit card data worth about $200 million. And on Cyber Monday 2011, one of the busiest online shopping days of the year, ICE and our partners shut down 150 websites selling counterfeit goods.
Our work extends internationally as well. In today's high tech security and commercial environments, we have to focus beyond just the physical movement of goods and people across our borders.
We are working with our international law enforcement partners to share expertise and resources to combat electronic crimes such as identity and intellectual property theft, network intrusions, and a range of financial crimes. For example, the Secret Service has Electronic Crimes Task Forces in Rome and London, and, now, a new office in Tallinn, Estonia, to help counter cyber crime originating from Eastern Europe.
Need for Legislation
As much as we are doing, we must do even more. To this end, Congress has before it several pieces of proposed legislation designed to address emerging cyber threats. The proposal the Administration supports is a bipartisan bill sponsored by Senators Lieberman, Collins, Rockefeller, and Feinstein, and is known as the Cyber Security Act of 2012.
Under current law, Congress gave DHS significant cyber authorities, and we inherited a patchwork of others. But we've reached a point where the current threat outpaces our existing amalgam of laws, and so we are working with Congress to make some changes to the law. Specifically, the Cyber Security Act of 2012 would establish baseline performance standards for the nation's critical core infrastructure.
This is infrastructure that all of us – every business, every household, every individual – rely on every day: our utilities, financial institutions and communications systems, to name just a few.
The legislature would leave to the infrastructure owners themselves the decisions as to how to satisfy those performance standards. It removes barriers to information sharing between the federal government, industry, and state, local, tribal and territorial governments in order that we may more quickly respond to and mitigate any cyber threat or intrusion. And, importantly, the legislation would help us attract and retain cybersecurity professionals to execute this complex and challenging mission by adding flexibility to the current personnel laws.
The other approaches don't provide the comprehensive set of tools we need to protect critical networks, and actually undo progress that has already been made. For instance, relying solely on voluntary information sharing without establishing basic standards for core critical infrastructure will simply not be sufficient.
I know that some have argued that the market is adequately adjusting to cybersecurity threats, vulnerabilities, and risks. But the current market incentives for security are simply out of line with the level of cyber risk, and the increasing sophistication of cyber attacks.
Need for a Cybersecurity Workforce
That leads me to my next point, which is how we can more broadly engage each of you – students, educators, researchers, engineers, and the larger academic community – in our nation's cybersecurity efforts. To meet the challenges I've discussed, DHS needs a world-class cybersecurity team – a strong, dependable pipeline for the future.
And I'm here today to tell you how we are building that team. Through our Cybersecurity Workforce Initiative, we are hiring a diverse group of cybersecurity professionals to secure the nation's digital assets, critical infrastructure, and key resources.
That includes computer engineers, scientists, analysts, and IT specialists. In fact, since Fiscal Year 2008, our National Cyber Security Division has grown by more than 600 percent. And President Obama has asked Congress for a 74 percent increase in the DHS cyber budget in Fiscal Year 2013, recognizing the national needs in this arena.
We are also building strong cybersecurity career paths within the Department, and in partnership with other government agencies. To accomplish this critical task, we have created a number of very competitive scholarship, fellowship, and internship programs to attract top talent.
And to retain, and continually train, our top talent, we're moving quickly to create growth opportunities for our cyber staff. Just last month, we launched a pilot program with the Naval Postgraduate School in Monterrey through which a select group of employees can earn a Master's of Science in Cyber Systems and Operations via distance learning.
That's just one example of a robust effort at DHS to engage and partner with colleges and universities, as well as the private sector, across the country. And I'm happy to say we have a great connection to San Jose State University through our sponsorship of the U.S. Cyber Challenge. The U.S. Cyber Challenge is a program that works with academic and private sector partners to identify and develop cybersecurity talent to meet our growing needs. One part of the Cyber Challenge involves intensive summer camp experiences for the best and brightest cyber talent. And San Jose State University will be hosting one of these camps this August for 100 lucky students.
These students will participate in training sessions and exercises on topics ranging from network intrusion detection to forensics. Classes will be taught by leading industry professionals, faculty members from various universities, security practitioners across industries and the U.S. government. The camp will culminate with a "capture the flag" competition in which campers use their newly acquired knowledge to battle live attacks from hackers. Not only exciting, but a lot different from the camps I remember!
DHS is also supporting Centers of Academic Excellence around the country to cultivate a growing number of professionals with expertise in various disciplines, including cybersecurity. We are extending the scope of cyber education beyond the federal workplace through the National Initiative for Cybersecurity Education – or NICE - to include the public, as well as students in kindergarten through post-graduate school. And we have launched a DHS Loaned Executive Program designed to attract top professionals in the scientific and cyber fields.
And if I can make a pitch: DHS is a great place to come to work to help move this vision forward. We are a new department. It is a place where all of us – including you have the opportunity to make a positive impact for your country. We see these opportunities not just as promising careers, but as opportunities to contribute to something larger – to contribute to public service. DHS needs more people like you to join a new generation of Americans in the fight against the new generation of threats to our homeland.
Cybersecurity as a Shared Responsibility
All of us, from the most casual internet users to the most highly-trained experts, share in the responsibility to learn about cybersecurity and to do more, individually and collectively. We need industry to redouble its efforts to increase the reliability and quality of the products that enter the global supply chain.
We need primary and secondary schools to teach safe online habits to students from an early age. And we need colleges and universities to make cybersecurity a multidisciplinary pursuit so that we have policymakers who understand technology, and also technologists who understand policymaking. It should not be unusual for a top computer scientist to take leave from academia or the private sector and spend a couple of years in government – hopefully, at DHS – working on solving important technological problems.
Perhaps, most importantly, we need the general public to be more aware of the threats unsafe cyber behavior poses to our way of life, as well as more knowledgeable about where to get information to protect themselves. In 2010, we launched a national campaign – "Stop|Think|Connect" – to cultivate the basic habits and skills that everyone should adopt to keep our cyber networks safe.
Our message begins with a simple concept: to ensure cybersecurity for all of us, each of us must play our part. We know it only takes a single infected computer to potentially infect thousands and perhaps millions of others. Everyone should make basic cybersecurity practices as reflexive as putting on a seatbelt – using antivirus software, being careful which websites you visit, not opening emails or attachments that look suspicious. These basic measures can improve both our individual and our collective safety online.
Our nation has come together to meet great challenges before. During WWII, when our economy was mobilized for war, the American people found a way to feed themselves by growing 40 percent of all the vegetables we needed in 20 million Victory Gardens.
In the early years of the Cold War, Americans all knew where the closest fallout shelter was, and we kept children indoors when polio outbreaks were the biggest threat to public health. In those times, Americans understood what was at stake; they understood that they had to contribute; and they knew that their efforts would make a difference, in ways large and small.
But we're confronting some new realities here and we need some new thinking and new energy. Together, we can – and we will – maintain a cyberspace that is safe and resilient, and that remains a source of tremendous opportunity and growth for years and years to come.
As the Secretary of Homeland Security, I strongly encourage you to join us as we pursue our mission … because it is urgent, it is worthwhile, and it will undoubtedly impact our nation's economic vitality and way of life for generations.
As I look out into an auditorium of students, educators, and professionals, I am encouraged by your enthusiasm for these issues and am convinced that we must draw on your tremendous creativity, energy, and optimism to do something unlike what we've ever done before. These are complex and long-term challenges. That should not be a reason for despair, however. It should motivate us to work and think and collaborate in new ways. Albert Einstein once said, "It's not that I'm so smart. It's just that I stay with problems longer." That hints at the determination we must bring to one of today's hardest challenges.
And I'm proud that DHS is welcoming talented individuals right now with that kind of determination … while offering an opportunity to serve our nation as well. Thank you.