This information is not current, is not being updated, and may contain broken links.
Release Date: September 15, 2008
Washington D.C.
Ronald Reagan Building & International Trade Center
Mr. Schneider: Good morning. Is everybody awake? It’s probably going to take me another five minutes or so.
I really appreciate the opportunity to be here this morning. As you know by watching him on the news, the Secretary has been down in Texas and is back and getting ready to brief the President. So I have the opportunity and the pleasure really to talk to you this morning.
First, I’d like to introduce our key member of our organization who is our focal point for the coordination of the cyber security effort and that’s the Under Secretary Roger Jamison. Would you stand up for a second?
Mr. Schneider: Secretary Jamison is the Under Secretary for National Protection and Programs and as such, he is the one within the department that is responsible for the execution of those cyber references that are directly under the direct responsibility of the Department of Homeland Security as well as, I will talk a lot more about this later, the role that DHS plays in coordination of the entire Federal Government cyber security effort. So he is our key guy.
What I’d like to cover today is based in part by a coincidental meeting that I had with the moderator for the next panel, Kay Capor from Lockheed Martin. Unbeknownst to me, I happened to be visiting a Lockheed Martin facility in Suffolk, Virginia, on Friday, and at one of the breaks, she happened to mention to me about this big event that was going to take place this morning and that everybody was anxiously looking forward to having Secretary Chertoff explain what this National Cyber Security Initiative was all about.
So I said to her, “He’s not going to be here,” and she said, “Well, why not?” So, I said, “Well, because of where he is and what his plans are.” So, I said, “I’m the person that’s going to be speaking.” So I asked her, I said, “Well, what should I cover?” So she said, “Three things.” So let’s see if I got it right. “First, who’s in charge of this effort. Second, what’s the relationship of this National Cyber Security Center relative to U.S. Cert, and third, how’s the Federal Government going to work with the private sector?” So I said, “I got it, and I can do that.”
So that is pretty much what I am going to try to cover today.
First, cyber security really is, it’s one of the top priorities of the Department of Homeland Security and the Federal Government. The Secretary, myself, Secretary Jamison, and a host of others, not just in the department but across the Federal Government, spent and have spent a tremendous amount of effort formulating the structure for what is the National Cyber Security Initiative and laying out the groundwork and strategy for actually executing it.
From my standpoint and as you heard from my bio, I’ve been around a long time, this is probably unprecedented in terms of the amount of coordination and collaboration that has to take place within the Federal Government and then, of course, between the Federal Government and the private sector and so it’s something that I think everybody really kind of understands the importance and the significance of it and it clearly will transition from this Administration to the next Administration.
Part of the challenge we have is to make sure in fact that that is in fact a seamless transition, and I believe we have taken the effort and I think we’ve crafted the strategies and put in place clear lines of responsibilities and authorities that will ensure that it is in fact the seamless transition.
Unlike a lot of other areas in Homeland Security, Cyber is not exclusively a federal responsibility or it’s not something that we could unilaterally impose upon the rest of the nation. We don’t own the nation’s IT networks or the communications infrastructure nor would we want to force an excessively burdensome security regime on something that is clearly a very dynamic, very fluid and one of the most reliable engines of our economy. So this doesn’t mean, on the other hand, that cyber security is solely a private sector responsibility either and so although the vast majority of the nation’s cyber infrastructure is in your hands, the reality is that its benefits are so widely distributed across the public domain and so integrated in virtually every aspect of our economy, we face clear national security risks and consequences with its continued protection and so as you know, no single person or entity controls the Internet or the nation’s IT infrastructure.
There’s no centralized node or database or entry point. As a result, there’s no single person nor company or government agency that can fully protect it and so what we are faced with is the absolute need for a very unique partnership in order to defend this network.
In April of 2008, Secretary Chertoff gave a speech on cyber security at the RSA Conference in San Francisco. In that speech, he outlined the cyber threats that are facing our country and some of the challenges in addressing those threats. So I’d like to spend some time this morning talking about our approach in a little bit more detail than has been put out before and so you all know that protection of the federal security networks is part of this new Comprehensive National Security Initiative and so what we have been working on is the details in the priority manner of what our initial focus is going to be as well as what’s our long-time strategy.
Much of this plan and, quite frankly, it’s been inhibiting to a large extent, much of this plan is classified and it’s still in the works and so because of that, that has, unfortunately, put some restrictions on how much we have -- we can actually discuss out in the public domain. That fact notwithstanding, we have begun many discussions at the classified level with representatives of industry in some of the formats which I will talk about later.
So I want you to get an appreciation of the fact that just because it’s highly classified, the fact is the government knows how to work with industry in a highly-classified manner and we have begun those types of discussion. So let’s talk about this cyber attack or attacks. Everybody knows the Internet’s been around for roughly two decades and so have cyber attacks.
Now, some may view cyber attacks as simply the cost of doing business and that there’s probably no need to do anything special to protect against them. In other words, we have some out there that don’t take this very seriously. I would argue, on the other hand, that in this 21st Century, we have the new era of threats and vulnerabilities in the cyber domain and that requires us to act with much greater urgency and a sense of purpose.
Many of you understand this and your organizations are actively working on solutions to address this threat. We have seen recently in the news cyber threats can impact both individuals and entire nations alike. The two most recent examples. First, the Georgia-Russia conflict. Perhaps that is the first instance of a military action containing a clear cyber component: denial of service. Denial of service attacks were launched by Russia against Georgia. There were large swaths of Georgians that could not access any information about what was happening in their country on government websites, government websites were defaced, and the delivery of government information was seriously curtailed.
A similar denial of service attack was perpetrated in 2007 against the Soviet Government networks.
The second instance was -- involved identity theft. This was a very large United States Secret Service case where 40 million credit card numbers were stolen from nine major retailers due to a very sophisticated international scheme that was perpetrated by war-driving. This led to millions of dollars being withdrawn from the bank accounts of innocent consumers. In sum, it was probably the worst case of ID theft in U.S. history, all due to lapses in network security by the retailers.
As a personal aside, I had identity theft of my own occur about two weeks ago when apparently, unbeknownst to me, I started getting calls from the credit card company about some individual that was operating up in New York State and loading up on a lot of gas and a lot of other stuff using my particular credit card. So the company said, “Well, do you have your card?” I pull out my wallet and said, “Sure.” So then I started asking a bunch of questions, like, “Well, how the hell could this happen?” And so I got a personal lesson in identity theft and then as I started to share that experience with several of my co-workers, what I started to find out was I’m not the only one and a lot of people that I know and I see every day have been experiencing this same particular situation.
So from my standpoint, I think the reality is that cyber attacks are not decreasing, they’re increasing in frequency, sophistication, and scope, and this has major implications for our national and economic security. So how can we protect ourselves from malicious activity, whether it’s criminal, an extension of state power, as in the instance I gave, espionage, information-gathering, or just plain old routine hacking?
So from the government’s perspective, the very first thing we need to do is to make sure that the federal civilian networks are protected. In other words, our first priority is to make sure that our own house is in order and to protect national security. Now, we’re not starting from scratch. We already have a foundation from which to build on and that’s through the hard work of the Department of Defense as well as the Director of National Intelligence and other federal agencies as well as our own DHS National Cyber Security Division.
In January of this year, the President issued a classified National Security and Homeland Security Directive that outlined for the first time this Comprehensive National Cyber Initiative. For abbreviation purposes, a lot of people within the government just refer to it as the Cyber Initiative. It’s designed to focus the energies and the resources of the Federal Government, coupled with the knowledge and the expertise of the private sector, to secure our nation’s IT infrastructure and to protect it against significant attacks.
DHS has the lead responsibility to protect the federal civilian domains and networks which basically means anything with a dot-gov address. The Department of Defense has made great strides in the strengthening and the protection of their networks and the dot-mil environment. So we are leading the charge to do the same for dot-gov.
In addition, and this is one of the points I want to stress today to answer Kay’s question about who’s in charge, we are the lead coordinating body, the synchronizing efforts for the protection of all federal networks and systems, including dot-gov, dot-mil, and dot-ic, and acting for the Secretary, the individual that has that responsibility, is Under Secretary Jamison.
So let’s now talk about what are some of the main elements of the Cyber Initiative. We got three key focus areas. First, establishing the frontlines of defense which means reducing the current vulnerabilities and preventing intrusion. Second, defending against the full spectrum of threats by using intelligence and strengthening supply chain security. And third, shaping the future environment by taking cyber security research and development to the next level by educating the next generation and investing in leap-ahead technologies.
As is true for all of our Homeland Security programs, privacy and civil liberty considerations are at the center of our efforts. We will continue to strike what we believe is an appropriate balance between security, privacy and civil liberties. This effort is not about sending over the Internet like some other countries and controlling what people see nor is reading about the personal e-mail of Americans. That is not our interest. That is not our intent. We’re talking about protecting the federal networks. We’re talking about protecting against malicious computer code.
If someone is seeking to access our systems and possibly inject some form of malware, it is fully within our right to take a closer look and see whether that code poses a threat just as you would ask a few questions about a stranger that wanted to enter your house.
Our first goal under the Cyber Initiative is to protect our permanent defenses and prevent the intrusions and the way we’re going to do this is by limiting the external points of access to the federal networks. At present, there are thousands of Internet access points to Federal Government networks. This gives our adversaries too many avenues to seek out technical vulnerabilities and exploit potential gaps.
As part of what we’re calling the “Trusted Internet Connection Initiative,” which is being led by the Office of Management and Budget, we are working to reduce these external points of access to 50 or less across the Federal Government and thereby reducing the ability of attackers to penetrate our systems. To support this effort, we’re expanding the United States Computer Emergency Readiness Team or US-CERT which is our 24-hour early watch warning and detection capability to provide oversight of these points of access.
Complementing the expansion of US-CERT is the establishment of the new National Cyber Security Center. So now I’ll talk a little bit about the National Cyber Security Center or NCSC. The NCSC will connect and leverage the operational postures of the federal agencies that are responsible for defense to provide comprehensive situational awareness across the Federal Government.
It is responsible for coordinating the protection of the dot-mil, dot-ic as well as the dot-gov domains. It is a coordination and collaboration in coming up with a common situational awareness responsibility. US-CERT is the operator and consolidation point of a new Comprehensive Intrusion Detection Network and as such, it’s going to have real-time situational awareness of the federal civilian networks. US-CERT will push the information down to those federal agencies and up to the NCSC.
NCSC will consolidate that information with information from other operation centers, such as the Joint Task Force, Global Network Operations, who has the common operational picture for the Department of Defense networks, and will provide products back to US-CERT and GNO. While all the federal agencies have a center that provides situational awareness of their own networks, we do not have a near real-time common operating picture that captures the threats as well as the mitigation posture across all federal agency domains.
So the National Cyber Security Center will serve as the hub for cross-domain awareness and will be fed by the six agencies with responsibilities, one of whom is US-CERT which has that defense responsibility for federal civilian networks and the private sector, and so the NCSC will oversee efforts to make sure that these centers have network connectivity, that their IT systems can talk to one another, and they’re using the same standards and definitions for how to handle data and information, and that they have shared operating procedures. This will ensure continuity among the centers, improve the coordination and raise our overall situational awareness. All this is going to be done under the auspices and the leadership of the Department of Homeland Security and again the Under Secretary Robert Jamison.
So what I’ve tried to cover was a little bit about Kay, what Kay wanted me to do on Point Number 2. I listen when Kay talks. Okay? So I think we talked about NCSC, relationship with US-CERT, talked about the situational awareness, linking the network situational awareness, common operational picture together, and how we’re going to share the information.
So next, we have to talk about how do we keep people from getting into our system. Currently, we have an intrusion detection system that’s deployed across the federal networks that’s called Einstein. That allows us to passively detect breaches and intrusions. In its current form, Einstein gives us only limited capabilities with respect to detecting the source of the attack and raising our awareness. In effect, it lets us know once we’ve already been attacked.
We’re going to proceed to take Einstein to the next level. Through US-CERT, we’ll be deploying a much more aggressive intrusion detection system across the Federal Government that will enable us to use passive sensors to scan for malicious code and detect protocol-based signatures. We’ll be able to look for patterns of malicious code that characterize the intrusions so that we can very quickly shut them down before they do real harm. We are going to try to operate and defend in real time.
Also, we need to take a look at prevention. While we have a lot of effort that we’ll be going into in developing a robust intrusion prevention system, as we start developing the requirements for this, this is clearly an area where we’re going to be reaching out to the technical sector to make sure that we have in fact the very best technology that’s available to help us in this endeavor.
We take a look at -- I want to talk a little bit about counterintelligence. We have to deal with a full spectrum of threats that face the country. The best way obviously to deal with a threat is to be aware of it and to understand it and that requires information and intelligence. One of our elements of our plan is to develop a governmentwide Cyber Counterintelligence Plan specifically focused on foreign state-sponsored cyber threats. Intelligence is one of our best preventive tools.
I don’t have to go into any detail. You all know the examples. It starts going back 200-300 years up through World War II with the use of radar. So we need to have similar types of tools in order to make better use of intelligence in the cyber domain in order to stop our adversaries before they can launch attacks against us and that gets us to discussion of the global supply chain.
We all know that the global supply chain and how we do business internationally, how we tap into the global markets, how we share products and expand trade is something that’s become one of the underpinnings of our economy and has spurred a tremendous amount of economic growth, but this also has inherent in it clear risks. There’s a large part of the supply chain that we do not own or control and never will, including a lot of technology and electronics that are produced overseas.
So we need to make sure that the products that we import from foreign markets are not seeded with malicious hardware or software that could compromise our systems and help our adversaries gain valuable national security information or, even worse, disrupt our networks. Make no mistake about it, this is a real concern. In some ways, it is the high-tech equivalent of the intellectual property rights violations we see every day at our ports of entry when we discover adulterated products or fake handbags or DVDs, only in this particular case, it’s far more damaging to the national security because these products essentially function as Trojan horses that we conceivably would allow through the gate.
The Federal Government by itself cannot ensure the integrity of the supply chain. Though we have several programs that are in place, including CT-PAP, which is our public/private partnership to improve security across the supply chain, and our Container Security Initiative, we’re going to need your help in order to pursue this effort. Addressing this risk will require a greater awareness of the threats, the vulnerabilities and the consequences, and it’s going to require sell-down position policies and practices, and it’s going to require an unprecedented level of cooperation and awareness across the entire global supply chain.
As we look to our future environment, a key part of our strategy is our people. The reality is, and it’s really well known, that the Federal Government is not the nation’s foremost repository of cyber security expertise. That’s not to say we don’t have very skilled people, but we need to build the next generation of our cyber security workforce. So we’re going to be focusing a lot of resources within the Federal Government on education and training and recruiting talent. So after I give this speech, if anybody would like a job with the Department of Homeland Security, if you could see me or Robert Jamison afterwards.
This is a little plug for working for the Federal Government. You don’t have to be Secretary or Deputy Secretary to make a major contribution to national policy and achieving national goals and one of the things we are going to be taking a look at is how do we establish more programs that require or that basically emphasize and encourage rotation between private sector and the Federal Government?
We already started in a couple of isolated cases, loaned executive programs, and we’re looking to increase the use of those type of programs because in the end game, it benefits the private sector and benefits the Federal Government.
In research and development, we will be spending a significant amount of resources in the private sector and that’s because that’s where the technology is going to come from. I would caution you to temper your appetite, that there’s a tremendous pot of gold that’s about to be delivered to the private sector in this particular area because, as I emphasized earlier in my talk, our initial focus is on our existing networks, what do we have to do to immediately strengthen them, and as we get downstream, we think is when you’ll see perhaps a more heavily-leveraged investment in the technology.
Okay. Now I want to get to Kay’s third point, which is the private sector. How are we going to work with the private sector? So we all understand that it’s imperative that we figure a way and the right vehicles to work on hardening and protecting the shared infrastructure. We think we have a good basis for cooperating with the private sector when it comes to protecting critical infrastructure.
Under the National Infrastructure Protection Plan or the NIPP, we’ve worked across all 18 sectors to develop sector-specific plans that set clear goals and metrics and common priorities for enhancing security and for each of these plans, we’ve looked at the interdependencies with respect to cyber infrastructure and how it potentially has the cascading effect. Many of you have worked with us on an activity we call Project 12 of the Cyber Initiative.
Over the last few months, we’ve been working through the NIPP Partnership Framework to engage with you and your colleagues to develop a series of long-term and short-term objectives regarding how the government can work with the private sector to enhance our nation’s critical infrastructure and key resource networks and so our plan is to work through the NIPP.
First, in the short-term, we’re planning to increase our current public/private information-sharing via the NIPP Framework. We continue to recognize just how important it is that we have robust working channels to exchange and integrate information with and among our partners in industry. A lot of good work’s been done but we have a long way to go and we recognize that the individuals within an organization who take action on cyber issues are not always the same who address the physical security issues. So we’re working to make sure that we get the right information to the right people at the right time.
Our effort in this area has already begun through what we call the Cross-Sector Cyber Security Working Group. We have convened an information-sharing subgroup to look at ways to facilitate what I call the bidirectional sharing of cyber information, indications and warnings through the operational capabilities within and across the sectors in the Federal Government by looking at better ways to how we share this cyber threat vulnerability information with those in the industry who need it.
We clearly understand that some of this information is very sensitive and also the fact is that we have to figure out how we work with our partners in industry to get greater situational awareness of issues that affect critical infrastructure.
So the bottom line on this is each of the critical sectors we know have different business models. We know how cyber is treated is a little different and so we feel the best way to work this problem with the industry is through the Sector Coordinating Councils, different groups that cut across all the different sectors with a focus on cyber.
I think it’s probably -- and the reason being is different folks in the industry that suggested we set up a different type of infrastructure, set up different type of group. The fact of the matter is we believe using a proven structure that we have today is probably the best way to go do that. If there’s any doubts in anybody’s minds about how well that works, you just need to take a look at what’s happened between Gustav and Ike and the role of the NIPP and the Sector Coordinating Committees have taken with regard to giving jointly the state, the federal, and the private sector great situational awareness on what to do in terms of rebuilding critical infrastructure that’s been either totally lost or severely damaged over the past three weeks.
We’re also exploring options as to how to share government intrusion detection capabilities, such as Einstein, with our interested industry partners. We know that sharing information both ways is very critical and that’s going to be one of our focus.
I think if you take a look at the -- what we’re trying to do within government, just to reiterate, this is kind of an unprecedented type of an activity. If you take a look at -- we’re talking about relative to the globalization issues. We have established a partnership at DHS with the Department of Defense and the Director of National Intelligence as to how to -- this issue of global markets and technology coming in and the like, to lay out the framework for strategic undertaking that we’ve coordinated with the private sector that will take a look at some of our fundamental policies and practices, what may be the best course of action for government, what may be the best course of action for the private sector, and to work in concert to tackle some of these long-term strategic issues.
So my bottom line is we have a plan. A lot of it’s because of the classification has come out in pieces. What I’ve tried to give you today is answer Kay’s three questions. What are we doing? Who’s in charge? How do these things all lash up? And how are we going to work with the private sector?
There’s a lot more that will start coming out in the weeks and months ahead, but I think the thing that we all recognize within the government is that this is an all-encompassing challenge that’s going to require unique coordination and cooperation, unprecedented to date. I’m personally very encouraged by what I see in terms of the coordination and collaboration within the Federal Government. When you get as many diverse departments and agencies coming together to make this happen in, frankly, what is a relatively short period of time, I think it’s testimony to the folks that are in leadership positions that recognize just how important this particular effort is.
So I want to -- appreciate the opportunity to be here today and talk to you. I know, based on the panel discussion that’s going to take place, if you have any real hard questions about DHS or about the effort, please ask Secretary Jamison and not me, and with that, we have time for a couple of questions.
Mr. Rawls: Mr. Secretary, thank you very much. I’m Roger Rawls with GD. How does Homeland Security Information Network play into the -- what you were talking about in terms of the Sector Coordinating Councils and the overall information-sharing through the NIPP?
Mr. Schneider: Well, I believe, and Roger, you can correct me if I’m mistaken, one of the things, as you probably know, we’re trying to revitalize and strengthen the HSIN, Homeland Security Information Network. The folks that run the HSIN have worked very closely with Assistant Secretary Bob Stephan who worries about critical infrastructure.
As part of our effort, and I believe we awarded a contract a couple of months ago, basically changing the architecture of identifying portals to each of the communities of interest or sectors that meet their specific needs. So HSIN is, in terms of, I would say, our backbone, HSIN is being modified to basically meet the requirements of the individual sectors and it’s -- this is really a big deal. Okay? It’s one of the reasons why what we have decided to do is focus our dealings on sectors and the reason is they’re up and running.
It’s a -- it already is government-industry partnership which seems to work very well. I guess I would use the term “self-governing.” It’s really self-governing and the fact of the matter is, who better than those individual committees can determine what the IT information needs they want to see in terms of the push pull. So it’s key to basically acting as an enabler for the sectors.
Mr. Mizer: Hi. It’s Andy Mizer, Commerce Daily. A quick question. You said that you’re working on this with an eye toward a new Administration. Can you tell me a bit more detail about kind of what you all -- how you’re planning to do this since you only have a few months left?
Mr. Schneider: I didn’t say with an eye toward the new Administration. What I said was this thing will transcend the existing Administration to the new Administration.
Mr. Mizer: Is there a framework in place? Can you give us some detail about how you’re looking ahead in --
Mr. Schneider: Well, the way you look ahead is to build on the existing framework that’s been put in place and that’s why we’ve basically institutionalized through our Infrastructure Protection arrangement the individual Sector Coordinating Committees and that whole governance structure. That’s -- and so, by and large, when you take a look and if your issue is, you know, what happens with the transition of political leadership, you know, there’s -- I mean, I can just clarify a little bit for you.
The fact of the matter is, contrary to what is popularly covered in the press, the fact is that there will be a wholesale departure of people and I can talk about the Department of Homeland Security. The fact of the matter is that’s just not true and so the majority of the people that are running these programs, the fact of the matter is they’re running the programs today, they’ll be running these programs on January 20th and the 21st. So, by and large, in a lot of these efforts across government, what you’ll see is a seamless transition and the change of political leadership will be transparent relative to the execution of many of these particular efforts.
Now, obviously any new Administration can come in with new policies and the like, but the -- if you take a look at where we are putting our current emphasis, okay, reduction of the number of trusted Internet connection sites, getting real-time situational awareness, hooking up centers to get IT connectivity, common situational awareness, moving information up and down the line, those are kind of foundation pieces of what would be any cyber security strategy.
So, you know, I -- this business of a transition from one Administration to the other relative to something like protection of critical infrastructure, I don’t see that as being an issue.
Speaker: One last question, anyone? If not, thank you.
Mr. Schneider: All right.
###
This page was last reviewed/modified on September 15, 2008.