UC Berkeley College of Engineering
(Remarks as Prepared)
Thank you, Provost Breslauer and Dean Sastry for that kind introduction, and thank you to the UC Berkeley community for the invitation to join you this afternoon. I’m on something of a college speaking tour this year, and I always enjoy being in a great college town like Berkeley. I was at MIT last month to speak about the “Future of Science as Public Service.”
And I have been thinking maybe we can turn this into a bit of a competition, maybe an East Coast vs. West Coast rivalry. In the spirit of the football draft that is coming up, the only rule I’ll impose is that we get first dibs on drafting the best and brightest to come work at the Department of Homeland Security.
I began this series of remarks in January at George Washington University with the first annual “State of America’s Homeland Security” address. As I said then, our homeland is more secure than it was when we were attacked on 9/11 – now almost a decade ago. We are better prepared than we were eight years ago when DHS was created, and, indeed, better prepared than two years ago when I began serving as Secretary.
If these were ordinary times, that might suffice. But these are not ordinary times. The terrorist threats have not gone away, and have evolved in ways that – more than ever – make our security a shared responsibility. Indeed, consider the rapid evolution of cyberspace and threats to its security, which I’d like to address today.
On September 11th, 2001, we were still a few years away from the start of the Web 2.0 and social media world we all live in today. Today, our biggest opportunities, like our most urgent threats, are networked. The pace of innovation has accelerated and become more and more decentralized, but so too have the methods to attack our way of life, especially online.
This rapid and dispersed rate of change in the cyber sphere has led the Department of Homeland Security – and indeed, the entire Federal government and the military – to pursue an approach that acknowledges that we all have a role to play. Today’s threats require the engagement of our entire society – from government and law enforcement to the private sector and importantly, individual members of the public.
We’re working hard across government to drive changes that recognize we each have a role to play. Just two weeks ago, President Obama released the National Strategy for Trusted Identities in Cyberspace (because we’re in government, we call it NSTIC). What it aims to do is make online transactions more trustworthy in a simple but fundamental way: by moving away from passwords and instead toward secure, reliable credentials available to consumers who want them.
Instead of having to remember dozens of passwords, you would have a single credential to log into any website, with more security than passwords alone could provide. And when you’re not doing secure transactions, you can protect your anonymity online. Dozens, if not hundreds, of companies could offer these credentials – which could be unique software on a smartphone, a smart card or perhaps a token – so you’ll have plenty of choices.
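The credential model described above, as an added illustration that is not part of these remarks and not the NSTIC design itself: the user holds one secret on a device, each website registers only a public key, and login is a signed challenge rather than a password. Per-site keys are derived from the single secret so that two sites cannot correlate the same user (an assumption of this example about how the anonymity goal could be met, not a statement of how any provider does it); the site identifier is bound into the signed message and each challenge is single-use, so a captured response cannot be replayed or relayed to another site. Site names, usernames and the `Credential`/`RelyingParty` types are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is the user's single long-term secret (e.g. held on a smartphone or
// smart card). Per-site keys are derived from it, so the user carries one credential
// while each site sees a different public key and cannot correlate logins across sites.
type Credential struct {
	masterSeed []byte
}

func NewCredential() (*Credential, error) {
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	return &Credential{masterSeed: seed}, nil
}

// keyFor derives a deterministic Ed25519 key pair for one relying party
// (hypothetical derivation: SHA-256 over master seed and site id).
func (c *Credential) keyFor(rpID string) ed25519.PrivateKey {
	h := sha256.New()
	h.Write(c.masterSeed)
	h.Write([]byte("site:" + rpID))
	return ed25519.NewKeyFromSeed(h.Sum(nil))
}

// PublicKeyFor is what the user registers with a site; the site never receives a secret.
func (c *Credential) PublicKeyFor(rpID string) ed25519.PublicKey {
	return c.keyFor(rpID).Public().(ed25519.PublicKey)
}

// Sign answers a login challenge. The relying party's identifier is bound into the
// signed message, so a response obtained by a look-alike site is useless elsewhere.
func (c *Credential) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(c.keyFor(rpID), append([]byte(rpID+"|"), challenge...))
}

// RelyingParty is a website that authenticates users by challenge-response.
type RelyingParty struct {
	id      string
	users   map[string]ed25519.PublicKey // username -> registered public key
	pending map[string][]byte            // username -> outstanding challenge (single use)
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.users[user] = pub
}

// Challenge issues a fresh random nonce; storing it makes each challenge single-use.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature over (site id || nonce) and retires the nonce, so a
// replayed response fails even though it was once valid.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	nonce, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	msg := append([]byte(rp.id+"|"), nonce...)
	return ed25519.Verify(rp.users[user], msg, sig)
}

func main() {
	cred, _ := NewCredential()
	bank := NewRelyingParty("bank.example")
	shop := NewRelyingParty("shop.example")
	bank.Register("alice", cred.PublicKeyFor(bank.id))
	shop.Register("alice", cred.PublicKeyFor(shop.id))

	// The two sites hold different public keys for the same credential.
	fmt.Println("keys differ:", hex.EncodeToString(bank.users["alice"]) != hex.EncodeToString(shop.users["alice"]))

	nonce, _ := bank.Challenge("alice")
	sig := cred.Sign(bank.id, nonce)
	fmt.Println("login ok:", bank.Verify("alice", sig))
	fmt.Println("replay rejected:", !bank.Verify("alice", sig))
}
```

The point a practitioner should take from this is what the site stores: a public key, which is worthless to an attacker who steals the user database, unlike a password hash that can be guessed offline.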
In another big step toward empowering individuals and communities to play a role in our shared security, just last week I announced the new National Terrorism Advisory System to replace the old system of color-coded alerts. This new system is built on a clear and simple premise: When a threat develops that could impact you, we will tell you, and provide whatever information we can so you know how to protect yourselves, your families, and your communities.
Cyberspace as a civilian space
This shared responsibility approach is particularly important when it comes to safeguarding cyberspace, and the many elements of our lives that depend on cyber networks. As President Obama said in his Cyberspace Policy Review, the security of our national cyberspace is a vital national and economic security priority for the United States. The innovations that cyberspace has enabled have driven advances in prosperity, transparency, and freedom that were unimaginable just a few short years ago.
Yet in a very short amount of time, we have also grown dependent on digital networks working reliably and securely as part of our day-to-day – actually more like minute-by-minute – lives. Without a secure cyberspace, critical infrastructure like basic utilities stop functioning, basic necessities don’t make it onto store shelves, phones fall silent, and, perhaps most devastating, none of us can update our Facebook or Twitter accounts to complain about it.
More seriously, if the security of our cyber networks is compromised, modern life – our economies, our health care systems, and our transportation networks – effectively grinds to a complete halt. That possibility is why DHS has a clear mission and a clear vision when it comes to cyber.
We see cyber as part-and-parcel of a secure homeland and something that can’t be treated as separate and distinct from our other missions. Specifically, our cyber mission is two-fold. First, we’re working to create a safe, secure, resilient cyber environment. And, second, we’re promoting cybersecurity awareness and innovation with our many partners outside the Department. UC Berkeley has been a real leader on this front, through the pioneering work here in computer science, engineering, and mathematics. The TRUST program led by Dean Sastry is a great example of the kinds of partnerships we need between academia, industry, and government. DHS also has partnered with Berkeley to improve our own nuclear forensics research, and we’re grateful to tap into the expertise resident on this campus.
Before I go into what DHS is doing, and what DHS plans to do, to facilitate a more secure cyberspace, it’s important to be clear how we, as a government and as a society, view cyberspace – because how we understand and approach it plays a large role in how we go about securing it. At DHS, we believe cyberspace is fundamentally a civilian space. There is probably no perfect metaphor to capture cyberspace, but as an inherently civilian space, it bears similarities to a neighborhood, a library, a marketplace, a school yard, a workshop.
That’s not to say that cyberspace is benign, however. We all know that it can facilitate conflict, exploitation, and criminal activity. Just over the past year – in fact, just in the past few weeks – we have seen a full spectrum of cyber threats, from spamming to denial of service attacks, and attempts to inject dangerous pieces of spyware, among other things.
Symantec, a leading cybersecurity firm, recently reported a 93 percent increase in cyber attacks for 2010 compared to 2009, and many of these reported incidents happened in the private sector. Earlier this year we also saw malicious attacks targeting financial networks such as NASDAQ – which is arguably among our most critical national assets.
This month, a company called Epsilon, which provides email marketing to many financial services companies, reported an intrusion and compromise of sensitive information. Internationally, the European Commission recently reported intrusions into their systems. Even renowned cybersecurity company RSA, which provides encryption and security products to a huge portion of the financial services community, also reported an intrusion and compromise of their sensitive information in the past year.
Of course, just as all cities experience some crime, so too does cyberspace. We cannot eliminate the risk entirely. While it can seem like the dangers posed in cyberspace are magnified because of its inherent openness, at DHS, we believe that by doing something we call “enabling distributed security” – making the open nature of the Internet one of its strengths – we can support the enormous potential of cyberspace while creating a secure environment.
We’re creating distributed security right now
So now you may be asking, how do you secure a distributed, decentralized, and fundamentally civilian space that is largely privately owned, straddles international boundaries, and has both virtual and physical elements? Good question. At DHS we have two specific roles in cybersecurity. The first is protecting the federal executive branch civilian agencies – in other words, the “dot-gov” world. It’s where the government does its own business and maintains essential functions, but also provides services to the American people.
Our second responsibility is leading the protection of critical infrastructure and its connections to cyberspace. This is not something we can do by ourselves. It requires a full range of partners – including other government agencies, the private sector, as well as individual users of the Internet. Right now, we’re building what we call a “technical ecosystem” based on an understanding of cyberspace as a civilian, distributed place, and also the “policy ecosystem” to support it.
I use the term “ecosystem” intentionally – because cyberspace is a dynamic, constantly changing, even organic environment. We cannot treat it as static or self-contained. Just last month, we put forward a technical vision for enhancing cyber security that is intended to empower individuals and enterprises across cyber networks to take action to enhance their own security operations. It has three primary building blocks: automation, interoperability, and authentication. Too often today, our cyber defenses are ad hoc, manual processes. Because things in cyberspace move at Internet speed, we need to move to a system of automated defenses, with real-time detection capabilities and coordinated responses. As we all know from waiting for a page to load on our computers or mobile devices, a few seconds is a long time in cyberspace.
By developing and implementing automated defenses, we can combat threats at their earliest, least-costly stage, and minimize their impact. Many of today’s cyber systems and devices also operate independently, cannot exchange security data, or have inconsistent security policies. For the most part, these systems were developed by private entities fully independent of each other. By implementing more interoperable systems and policies from the outset, however, we can create a more common understanding and picture of threats, and improve our ability to combat them in a coordinated fashion.
Finally, our vision is built on the need for authentication. Online transactions and decisions require a level of trust and authenticity. As with any transaction, people need to have a high degree of confidence they are dealing with legitimate actors, devices and systems. In the future, we want to see better authentication mechanisms that protect against identity theft and spoofing, are affordable, easy to use and administer, and are scalable and interoperable.
Our overall goal in implementing this vision is to secure government systems and assist the private sector and the public in securing their own cyber activities while enforcing the law. Over the longer term, we want to move toward agile, interoperable computer systems and networks that can be reliably authenticated and that can recognize and respond to threats in real-time. We want input on our vision – give it a read on our blog (blog.dhs.gov) and email us at email@example.com. We’ll be publishing a follow-up paper driven by the input that we get.
To support this vision, which involves a healthy partnership between the government and the private sector, the Administration is also putting forward a legislative proposal to Congress that will allow us to implement what I’ve been talking about here today. Government has a unique role, through legislation and regulation, to drive the outcomes we want as a nation and align them with incentives that can help get us there.
We believe that any government rules for cyberspace should identify where we want to be, not prescribe exactly how to get there, and should allow ample space for innovation. They should also be clear, fair and broadly supported, and respect and reflect the diversity of the society in which we live.
We are taking steps to secure cyber networks
So how are we putting our vision into practice? First, we’re taking steps to secure the dot.gov universe. We’ve set out on a path to help build a cyber ecosystem that supports a secure and resilient infrastructure, encourages innovation, and protects openness, privacy and civil liberties by its very design.
In close partnership with other agencies and the private sector, we are deploying the National Cybersecurity Protection System – of which the EINSTEIN intrusion detection system is a key component. Much like its namesake, the EINSTEIN system is smart – it helps block malicious actors from accessing federal executive branch civilian agencies, while working closely with those agencies to bolster their own defensive capabilities.
Beyond dot.gov, we are also leading the effort to protect our nation’s critical information infrastructure – the systems and networks that support the financial services industry, the electric power industry, and the defense industry, to name a few. We work with the private sector, other government agencies and the international community every day to mitigate the risks and to reduce the potential for a malicious actor to be successful.
For example, when RSA, one of the world’s premier computer security companies, was hacked, DHS, in conjunction with our law enforcement and intelligence community partners, worked with the company to mitigate the threat. We took our understanding of the tools, tradecraft, and techniques used by these malicious actors, and converted it into actionable information that all 18 critical infrastructure sectors could use to employ mitigation measures that would lower their risk to the type of attack we saw at RSA.
Beyond working with critical infrastructure partners, we also partnered with antivirus companies so they could take proactive measures to stop possible threats from reaching an even broader audience. Moreover, we worked with our federal agency partners to share and disseminate these indicators as widely as possible, thus reducing the risk to the federal government.
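Two of the building blocks named earlier, automation and interoperability, and the indicator sharing just described come together in the kind of pipeline sketched below. This is an added example, not DHS code and not any published sharing standard: a hub publishes indicators in a common machine-readable form, a recipient loads them once, and a detector checks each log event as it arrives and emits the action the feed prescribes, so the decision to block is made at machine speed rather than by hand. The feed format, the proxy log layout, the indicator values and the addresses are all constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Indicator is one entry of a shared, machine-readable threat feed
// (constructed format for this example; not any particular standard).
type Indicator struct {
	Type   string `json:"type"`   // "domain", "ip", or "sha256"
	Value  string `json:"value"`
	Action string `json:"action"` // "block" or "alert"
	Source string `json:"source"`
}

// Constructed feed, as a sharing hub might publish it to every sector at once.
const sampleFeed = `[
  {"type":"domain","value":"update-checker.invalid","action":"block","source":"sector-isac"},
  {"type":"ip","value":"192.0.2.77","action":"block","source":"sector-isac"},
  {"type":"sha256","value":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","action":"alert","source":"av-vendor"}
]`

// Constructed proxy log: timestamp, client, destination host, destination ip, file hash (or "-").
const sampleLog = `2011-04-25T10:00:01Z 10.1.1.5 www.example.com 198.51.100.10 -
2011-04-25T10:00:02Z 10.1.1.9 update-checker.invalid 192.0.2.77 -
2011-04-25T10:00:03Z 10.1.1.5 files.example.com 198.51.100.11 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2011-04-25T10:00:04Z 10.1.1.7 www.example.org 198.51.100.12 -`

// Matcher indexes indicators so each event is checked in constant time.
type Matcher struct {
	byKey map[string]Indicator // "type:value" -> indicator
}

// LoadFeed parses the shared feed once; a recipient would refresh it on a schedule.
func LoadFeed(feedJSON string) (*Matcher, error) {
	var inds []Indicator
	if err := json.Unmarshal([]byte(feedJSON), &inds); err != nil {
		return nil, err
	}
	m := &Matcher{byKey: make(map[string]Indicator, len(inds))}
	for _, ind := range inds {
		m.byKey[ind.Type+":"+strings.ToLower(ind.Value)] = ind
	}
	return m, nil
}

// Match is one log event that hit an indicator, with the prescribed response.
type Match struct {
	Line      string
	Client    string
	Indicator Indicator
}

// Scan processes log lines as a stream and returns every hit; a "block" decision
// can be handed straight to an enforcement point without an analyst in the loop.
func (m *Matcher) Scan(log string) []Match {
	var hits []Match
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 5 {
			continue // malformed line: skip rather than stall the pipeline
		}
		client, host, ip, hash := f[1], f[2], f[3], f[4]
		keys := []string{"domain:" + strings.ToLower(host), "ip:" + ip, "sha256:" + strings.ToLower(hash)}
		for _, key := range keys {
			if ind, ok := m.byKey[key]; ok {
				hits = append(hits, Match{Line: sc.Text(), Client: client, Indicator: ind})
				break // one hit per line is enough to decide an action
			}
		}
	}
	return hits
}

// Blocked returns the clients that reached a block-listed indicator.
func Blocked(hits []Match) []string {
	var out []string
	for _, h := range hits {
		if h.Indicator.Action == "block" {
			out = append(out, h.Client)
		}
	}
	return out
}

func main() {
	m, err := LoadFeed(sampleFeed)
	if err != nil {
		panic(err)
	}
	for _, h := range m.Scan(sampleLog) {
		fmt.Printf("%s %s %s from %s (source: %s)\n",
			h.Indicator.Action, h.Indicator.Type, h.Indicator.Value, h.Client, h.Indicator.Source)
	}
}
```

Because every recipient parses the same feed format, the same indicator can be acted on by a bank, a utility and an antivirus vendor the moment it is published; the interoperability is what makes the automation possible.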
In addition, we’ve spearheaded the development of the first-ever National Cyber Incident Response Plan (NCIRP). The plan enables us to coordinate the response of multiple federal agencies, state and local governments, and hundreds of private firms, to incidents at all levels – just like we do at DHS for incidents in the physical world. We recently tested this plan during the CyberStorm III national exercise, which simulated a large-scale attack on our nation’s critical information infrastructure. In fact, seven Cabinet agencies, eleven states, twelve international partners, and sixty private sector companies all participated in the CyberStorm III exercise.
Beyond this work, our Science and Technology Directorate is also leading efforts to develop and deploy more secure internet protocols that protect consumers and industry internet users. This is the only continuous research, development, test and evaluation, and deployment effort in or outside the U.S. government. Major companies in the cyber industry, such as Verisign, Microsoft and Comcast, have picked up our protocol to incorporate into their products. Our Science and Technology Directorate is also supporting multiple efforts to protect internet infrastructure from attack by creating new tools to detect malicious software on networks, and new test beds and measurement techniques to help characterize and develop countermeasures for current and emerging cyber attacks.
Recruiting best and brightest
Perhaps above all, we are focused on building a world-class cybersecurity team by hiring a diverse group of cybersecurity professionals—computer engineers, scientists, and analysts—to secure the nation’s digital assets and protect against cyber threats to our critical infrastructure and key resources.
Our National Cyber Security Division nearly tripled its cybersecurity workforce in 2009, and nearly doubled that number again last year. To build on this momentum, we have launched the DHS Cybersecurity Workforce Initiative to build a strong, dependable pipeline for the future. We’re building strong cybersecurity career paths within the Department, and we have created a number of very competitive scholarship, fellowship, and internship programs to attract top talent.
And if I can make a pitch: DHS is a great place to come to work to help move this vision forward. We are a relatively new department. It is a place where all of us – including you, the young scientific leaders of our country – have the opportunity to come and have a profound impact. Of course, the public has a critical role in cybersecurity too. Just as we all take prudent measures to protect our homes or investments and even our health, we need to take some simple actions to protect our cyber systems and be safe online.
Last year, we launched a national campaign – “Stop.Think.Connect” – to cultivate the basic habits and skills that everyone should adopt to keep our cyber networks safe. Our message begins with a simple concept: to ensure cybersecurity for all of us, each of us must play our part. We know it only takes a single infected computer to potentially infect thousands and perhaps millions of others.
Everyone should make basic cybersecurity practices as reflexive as putting on a seatbelt – using antivirus software, being careful which websites you visit, not opening emails or attachments that look suspicious. These basic measures can improve both our individual and our collective safety online.
I truly believe that as a nation, and as a society, we will rise to this complex challenge if we commit to engaging in – and sustaining – a broad public conversation about the shared responsibility for securing cyberspace.
It must become a common value for all Americans that responsibility for cybersecurity begins with each individual user and extends out to every business, school, and other civic and private enterprise. All of us, from the most casual users to the most highly-trained experts, share in the responsibility to learn about cybersecurity and to do more, individually and collectively.
We need industry to redouble its efforts to increase the reliability and quality of the products that enter the global supply chain. We need primary and secondary schools to teach safe cyber habits to students from an early age. We need colleges and universities to make cybersecurity a multidisciplinary pursuit so that we have policymakers who understand technology, and also technologists who understand policymaking.
It should not be unusual for a top computer scientist to take a leave from academia or the private sector and spend a couple of years in government – and hopefully, at DHS – working on solving important technological problems. In fact, that’s precisely why after I became Secretary I recruited Phil Reitinger from Microsoft to come work at DHS and lead our cybersecurity efforts. We need a more transparent and inclusive cybersecurity policymaking process that brings the best minds to the table across many fields, not just the subject matter experts.
Most importantly, we need the general public to be more aware of the threats unsafe cyber behavior poses to our way of life, as well as more knowledgeable about where to get information to protect themselves.
Our nation has come together to meet great challenges before. I’m confident that together, we can meet this one. Together, we can – and we will – achieve a cyberspace that is safe and resilient, and that remains a source of tremendous opportunity and growth for years and years to come.