On October 6, 2021, Secretary of Homeland Security Alejandro N. Mayorkas delivered a keynote address at the 12th Annual Billington CyberSecurity Summit. His remarks are below:
Thank you very much for the introduction and for the invitation to speak at the Billington Cybersecurity Summit. Thank you all for joining us today.
As you know, cybersecurity poses one of the greatest challenges facing our Nation. The last year and a half has powerfully demonstrated what’s at stake.
Last March, schools and students, stores and consumers, companies and employees, houses of worship and congregants had to shift their operations online in almost an instant.
The internet became essential, allowing us to stay in touch with loved ones, enabling remote work, and ensuring continued innovation across industries.
At the same time, ransomware attacks disrupted already-strained hospitals, schools, food suppliers, and pipelines in addition to many other organizations that provide critical services. These attacks revealed that what is at stake is not simply the way we communicate or the way we work, but the way we live.
A couple of weeks ago, at the Black Hat conference, I talked about how cybersecurity is now a central piece of our geopolitics, shaping our future online and offline and generating repercussions that impact our economy, our security, our democracy, and the exercise of fundamental rights for decades to come.
That’s why cybersecurity has been a top priority for the Biden-Harris Administration from the start. Together with partners from across every level of government and the private sector, we are working to defend a digital future that is free and secure.
Over the course of my eight months in office, DHS has taken a series of bold actions to lead the charge on this front. I’ll describe a few of them today.
First, we are strengthening the Department’s Cybersecurity and Infrastructure Security Agency, or CISA as it is commonly known, as the nation’s cybersecurity quarterback. Jen Easterly, who is the new Director of CISA, has had a distinguished career in government and the U.S. military, as well as in the private sector. She exemplifies the impressive talent we have brought to DHS to advance many of our key cybersecurity priorities and tackle related challenges. You will hear more from Jen and about CISA tomorrow.
Second, we are breaking out of cyber silos to strengthen national cybersecurity resilience.
We are doing this by elevating and integrating cybersecurity across agencies, sectors, and within DHS, leveraging CISA’s expertise and experience wherever possible.
At DHS, this work also includes TSA, the Coast Guard, FEMA, the Secret Service, and ICE.
To move from vision to action, DHS has undertaken a series of 60-day sprints. The idea is straightforward: let’s turbocharge our leadership on cybersecurity by issuing a series of challenges to ourselves – and commit to hard deadlines for results.
We launched the first sprint in March, focused on elevating the fight against ransomware at home and around the world. We now have an entire whole-of-government effort dedicated to this challenge and we developed StopRansomware.gov, which is the first website that pools federal resources to help individuals and organizations of all sizes mitigate their risk against this threat.
The second sprint focused on ensuring DHS can recruit, retain, and develop a diverse, top-tier cybersecurity workforce. This resulted in the largest and most successful cybersecurity hiring effort in our Department’s history and paved the way for the near-term launch of the DHS Cybersecurity Service on November 15th, which will increase access to public service careers in cybersecurity.
The third sprint centered on increasing the cybersecurity of our Industrial Control Systems, including pipelines and the electricity sector, a necessity driven home by the Colonial Pipeline ransomware attack. Along every step of the way, the Department has been working hand-in-glove with the White House, other federal partners, and the private sector to increase adoption of CISA’s guidance and services to protect critical infrastructure.
The fourth sprint focuses on the cybersecurity of the transportation sector. It launched in September and is ongoing so I will briefly highlight our activities in greater detail.
Whether by air, land, or sea, our transportation systems are of utmost strategic importance to our national and economic security.
The maritime transportation system is comprised of hundreds of ports and shipyards, 25,000 miles of waterways, and 20,000 bridges, pipelines, and undersea cables. Roughly a quarter of America’s GDP flows through it – that amounts to approximately $5.4 trillion annually.
This network is the connective tissue between consumers, manufacturers, farmers, and domestic and international markets – and the Coast Guard is responsible for protecting it against cyber threats.
Over the summer, the Coast Guard released a new Cyber Strategic Outlook, its first update since 2015, and it is now integrating cyber risk management into vessel and facility safety, and security planning and operations.
The Coast Guard is also deploying cybersecurity specialists to major U.S. ports to oversee assessments, evaluate plans, and lead preparedness and response activities.
Starting this month, more than 2,300 maritime entities must submit a dedicated cyber plan to the Coast Guard; address any cybersecurity vulnerabilities identified in their Facility Security Assessments; and outline the owner or operator’s cybersecurity mitigation measures.
These facilities and vessels are required to report cyber incidents. The Coast Guard and CISA work closely together to respond to cyber incident reports, assess and mitigate risks to critical infrastructure, and provide oversight and technical support to industry.
At the same time, with most global trade transported on foreign ships, the Coast Guard is working with the International Maritime Organization and member countries to ensure that global cargo and passenger vessels conduct cyber risk assessments and develop mitigation plans under their existing safety management system.
These rules came into effect earlier this year, and they are now being implemented onboard ships calling at every American port.
As we combat cyber threats on our seas, we are also focusing on what is happening by land and air.
TSA’s broad responsibilities cover security at our airports, highways and traffic management systems, pipelines, mass transit terminals and hubs, and subways and metros that carry billions of passengers every year.
Our freight rail system is essential not only to our economic well-being, but also to the ability of our military to move equipment from “Fort to Port” when needed.
In the aftermath of the Colonial attack, TSA issued two new security directives designed to strengthen the security of our nation’s pipelines, requiring pipeline owners and operators to designate a cybersecurity coordinator, report cyber incidents to CISA within 12 hours, implement a number of basic hygiene measures, develop contingency plans in the event of a cyber attack, and subject their systems to robust vulnerability testing.
Applying lessons learned from that experience, TSA is now laying the foundation for a more secure and resilient aviation and surface transportation sector.
To strengthen the cybersecurity of our railroads and rail transit, TSA will issue a new security directive this year that will cover higher-risk railroad and rail transit entities and require them to identify a cybersecurity point person; report incidents to CISA; and put together a contingency and recovery plan in case they become a victim of malicious cyber activity. We are coordinating and consulting with industry as we develop all of these plans.
For lower-risk surface entities, TSA will issue separate guidance that encourages, rather than requires, these entities to take the same measures. Reducing cybersecurity risk is in every organization’s self-interest, especially considering the indiscriminate nature of ransomware.
Beyond the most urgent and important measures required by the security directive, TSA is initiating a rulemaking process to develop a longer-term regime to strengthen cybersecurity and resilience in the transportation sector.
To maximize industry input and inform this rulemaking process, TSA will issue an information circular recommending the completion of a cybersecurity self-assessment.
Mirroring these steps, TSA has begun updating its aviation security program. By the close of this sprint, TSA will require critical U.S. airport operators, passenger aircraft operators, and all-cargo aircraft operators to designate a cybersecurity coordinator and report cyber incidents to CISA. TSA will expand the covered entities gradually to other relevant entities and consider additional measures over time.
Taken together, these elements – a dedicated point of contact, cyber incident reporting, and contingency planning – represent the bare minimum of today’s cybersecurity best practices.
We are also advancing initiatives like CISA’s CyberSentry program, a voluntary partnership between government and business that helps us spot sophisticated threats early, understand how far they reach, share critical guidance, and collaborate with network defenders on responding swiftly and effectively.
Further, cybersecurity will be a top priority in the next cycle of FEMA’s transportation-related grant programs to ensure we are driving funding toward key efforts. A new working group with CISA, FEMA, TSA, and the Coast Guard is driving this forward. In my first month in office, we already increased the required minimum spent on cybersecurity through FEMA grant awards to 7.5%, a significant increase across the country.
Throughout this process, we will continue working closely with the private sector to identify additional opportunities to work together and increase our collective cybersecurity baseline.
In many respects, our transportation sprint – and our Department-wide efforts – are a microcosm of our Administration’s whole-of-government approach to cybersecurity. And I have only just scratched the surface of what we are doing, as a Department and as an Administration, to meet this moment. Every day, we dive deeper into new and innovative ways to up our cyber game.
Before I finish, let me reiterate one more point: we can’t do this alone. As I have said before, the Department of Homeland Security is fundamentally a department of partnerships. Our ability to execute our critical mission relies on the strength of our partnerships. We need your expertise, perspective, and strategic guidance. We need your partnership.
Please consider partnering with us, collaborating with us, or joining our team for a meaningful and challenging and fulfilling career in public service. We want your voice at the table and we encourage differing views. That’s a hallmark of good government.
Tackling the cybersecurity challenges facing our Nation, our democracy, and our future requires our collective time, energy, expertise, and resources. We are keen to team up with you. Thank you so very much.