US flag signifying that this is a United States Federal Government website   Official website of the Department of Homeland Security

Remarks by Secretary of Homeland Security Jeh Johnson at The White House Cybersecurity Framework Event

Release Date: 
February 12, 2014

The White House
Washington, D.C.

Cybersecurity is one of the most important missions of the Department of Homeland Security.  Cybersecurity is a matter of homeland security.

As I said in a speech last week, one of the key goals of advancing this Nation’s cybersecurity is building trust and relationships between the government and the private sector. Part of that effort includes heightening awareness about the cybersecurity threat, in plain and simple terms the public can appreciate.  

On April 16 of last year, someone carried out an armed, physical attack on an electrical substation in Northern California that provides power to the Silicon Valley and surrounding cities. The perpetrators used high powered rifles to fire shots at 17 large electrical transformers.  With some sort of crude cutting device, they also severed two sets of telecommunications lines near the substation, in an attempt to prevent 911 calls and systems from alerting operators of the attack on the transformers. 

What the public needs to understand is that today the disruption of a critical public service like an electrical substation need not occur with guns and knives. A cyber attack could cause similar, and in some cases far greater, damage by taking several facilities offline simultaneously, and potentially leaving millions of Americans in the dark. 

One year ago today President Obama signed Executive Order 13636 (on critical infrastructure cybersecurity) and issued President Policy Directive 21 (on strengthening the security and resilience of critical infrastructure). 

The Executive Order called for the government to work with the private sector to develop a set of voluntary guidelines, or best practices, for improving cybersecurity.   Over the last year, drafts of that set of guidelines were presented to our partners in government, the private sector and the privacy advocacy community for their input. 

After this extensive consultation, we are today making available to the full public this set of guidelines -- which we call the “Cybersecurity Framework.” 

And, so that the private sector may fully adopt this Framework, we are today also announcing the Critical Infrastructure Cyber Community (C3) -- or “C-cubed” -- Voluntary Program. We are announcing this program today, but it is also actually being stood up today.  

The C3 program gives companies that provide critical services like cell phones, email, banking, energy, and state and local governments, direct access to cybersecurity experts within the Department of Homeland Security who have knowledge about specific threats we face, ways to counter those threats, and how, over the long term, we can design and build systems that are less vulnerable to cyber threats. 

C3 is also available for immediate advice and assistance in the event of an actual cyber attack. 

The advantages of the C3 program is that it is provided by DHS at no cost, and is set up as a single point of access to cybersecurity experts across DHS for those who need help.   

For example, say a small bank is replacing its computer systems that contain the account records of its customers.  The bank can now work with DHS before they even start the process of buying that new system and figure out how to set it up, and ensure that they have considered their cybersecurity risks.

An example of the type of service being offered by DHS, that can be accessed through the C3, is something called the “Cyber Resilience Review,” which is a tool that helps organizations of all sizes evaluate the strengths and weaknesses of their cyber systems and conduct a risk-assessment at absolutely no-cost.  To date, DHS has already facilitated more than 300 of these assessments, both in-person and in coordination with owners and operators of critical networks -- helping everyone from banks to local governments identify and address weaknesses.

Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity, the more systems we secure, the more secure we all are.  We are all connected online and a vulnerability in one place can cause a problem in many other places.  So everyone needs to work on this: government officials and business leaders, security professionals and utility owners and operators. 

I thank our many colleagues and friends for getting us to this point and we look forward to working with you to achieve the important goals before us today.  Thank you.

 ###

Review Date: 
February 12, 2014
Back to Top