Center for Strategic and International Studies (CSIS)
(As prepared for delivery)
Thank you for allowing me to speak here today.
Cybersecurity is a top priority for me, for the President, and for this Administration. It is my personal mission, before I leave office, to significantly enhance the Department of Homeland Security’s role in the cybersecurity of this Nation.
Today I provide a status report on our efforts in cybersecurity for the federal civilian .gov world. I also take this opportunity to emphasize the importance of passing new cybersecurity legislation, and soon, in this Congress. I applaud the Congress for the bipartisan efforts so far.
I will begin this speech like I end most of them. I tell audiences that homeland security is a balance – a balance between basic physical security and the freedoms we expect as Americans. As I have said many times, I can build you a perfectly safe city, but it will look like a prison. We can build more walls, install more invasive screening, interrogate more people and make everyone suspicious of each other, but not at the cost of who we are as a Nation of people who cherish privacy, value the freedom to travel and associate, and celebrate our diversity.
The same is true of cybersecurity. Cybersecurity involves striking a balance. I can build you a perfectly safe email system, but your contact will be limited to about 10 people, and you would be disconnected entirely from the Internet and the outside world. This, too, would be like a prison.
The reality is we live in an interconnected, networked world. Cybersecurity must also be a balance between the basic security of online information and the ability to communicate with and benefit from the networked world.
In the meantime, the reach of the Internet is growing at an exponential rate. Today, there are more connected devices than human beings on the planet. In just five years the number of devices connected to the Internet is estimated to exceed 50 billion.[i]
At the same time, cyber threats are increasing in their frequency, scale, sophistication, and severity. The ranges of cyber threat actors, methods of attack, and targeted victims are also expanding. This affects everyone, both in government and in the private sector across the country and around the globe. Not a week goes by without a news report of another organization being hacked. These threats come from a range of actors, including nation-states with highly sophisticated capabilities, profit-motivated criminals, and ideologically motivated hackers or extremists.
In the case of the breach of the Office of Personnel Management, a large amount of highly personal and sensitive information was taken by a very sophisticated actor. We have determined that federal personnel records were, in fact, taken by this actor. DHS, the FBI and the NSA have also determined that OPM’s system containing information related to background investigations was compromised. As required by law, OPM provided notice to approximately 4.2 million people who were impacted by the data breach involving employee personnel records. OPM is still working with an inter-agency team to determine the total number of people affected by the breach involving security clearance background investigation information.
The OPM breach also remains the subject of an ongoing investigation. We have strong evidence about the identity of the actors behind the breach. As the DNI said last week, there is a “leading suspect,” but we are not prepared to publicly identify those actors at this time.
To be frank, our federal cybersecurity is not where it needs to be. But we have taken, and are taking, accelerated and aggressive action to get there.
In response to the OPM breach, on June 12 the White House announced the establishment of a Cybersecurity Sprint Team, comprised of OMB, the NSC, DHS and DoD personnel to conduct a 30-day review of the Federal government’s cybersecurity policies, procedures and practices. On a reprioritized basis, we are deploying teams to assess the highest value systems across the federal civilian government, and hunt for and remove adversaries identified in the system.
This response to the OPM breach is part of a much broader federal cybersecurity effort that has been underway for some time.
There is a great deal that has been done and is being done now to secure our networks. We do in fact block a large number of intrusions and exfiltrations, including those by state actors.
But, we can and must do more. And, as I said before, Congress can help.
By law, each head of a federal department or agency is primarily responsible for his or her agency’s own cybersecurity.[ii] The Department of Homeland Security has overall responsibility for protecting federal civilian systems from cyber threats, helping agencies better defend themselves, and providing response teams to assist agencies during significant incidents.[iii] National security systems, such as those used by the military and intelligence community, are secured by the Department of Defense and the DNI.[iv]
There is no one “silver bullet” for cybersecurity. The key is to install multiple layers of protection to best secure our networks.
The Department of Homeland Security’s National Cybersecurity and Communications Integration Center, or “NCCIC,” is the U.S. government’s 24/7 hub for cybersecurity information sharing, incident response, and coordination. Thirteen U.S. departments and agencies, and 16 private sector entities have regular, dedicated liaisons at the NCCIC, while over 100 private sector entities collaborate and share information with the NCCIC on a routine basis.
Given the central importance of the NCCIC to the DHS mission, I have elevated it within our structure so that its leaders have a reporting relationship directly to me.
The NCCIC shares information on cyber threats and incidents, and provides on-site assistance to victims of cyberattacks. In this fiscal year alone, the NCCIC has shared over 6,000 bulletins, alerts, and warnings, and responded on-site to 32 incidents – over double the number of on-site responses for the entire prior year.
The NCCIC is also the place where we manage the EINSTEIN system. EINSTEIN is the first basic layer of protection we provide at the network perimeter of each federal civilian department and agency. EINSTEIN consists of three programs:
EINSTEIN 1 and 2 sit at the perimeter of the agencies’ networks.
EINSTEIN 1 observes and records basic information about all activity entering and exiting an agency network. It is like a recording camera sitting on the perimeter fence that can be reviewed to determine when or if a certain individual enters or exits the compound.
EINSTEIN 2 detects known, prohibited adversaries that have entered or exited the fence, and alerts us to them.
When EINSTEIN 1 and 2 detect and identify malicious activity, the NCCIC shares that information with all departments and agencies. This affords those departments and agencies the opportunity to take appropriate actions to protect themselves.
By the end of 2005, EINSTEIN 1 and 2 were deployed to protect only 3 federal agencies. Today, both protect all federal civilian traffic routed through a secured gateway to the Internet.
Then there is EINSTEIN 3 Accelerated, also known as “E3A.” E3A resides with the Internet Service Providers serving the federal government. E3A has the capacity to both identify and block known malicious traffic. Like the system that protects DoD, one key value of E3A is that it is an intrusion detection and prevention system that uses classified information to protect unclassified information.
E3A was first deployed in 2013. By December 2014, E3A protected 237,414 federal personnel. Today, E3A protects over 931,000 federal personnel, or approximately 45% of the federal civilian government. I have directed that DHS make E3A fully available to all federal departments and agencies, and have challenged us to make aspects of E3A available to all federal civilian departments and agencies by the end of 2015.
E3A has demonstrated its value. Since its introduction, E3A has blocked over 550,000 requests to access potentially malicious websites. These attempts are often associated with adversaries who are already on federal networks attempting to communicate with their “home base” and steal data from agency networks.
Importantly, EINSTEIN 3A is also a platform for future technologies and capabilities to do more. This includes technology that will automatically identify suspicious Internet traffic for further inspection, even if we did not already know about the particular cybersecurity threat.
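To make the three EINSTEIN layers described above concrete, here is an added toy model (not DHS code, and not how EINSTEIN is actually built) of a perimeter that records every flow, alerts on known-bad destinations, optionally blocks them, produces a shareable bulletin, and replays the recorded flows against an indicator learned later. The flow records, the indicator values and the `Perimeter` class are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed sample flow records as a perimeter sensor would log them:
# (timestamp, internal source, external destination, port, bytes out).
FLOWS = [
    ("2015-06-01T09:00:00Z", "10.1.4.22", "198.51.100.7", 443, 1200),
    ("2015-06-01T09:00:05Z", "10.1.4.22", "203.0.113.9", 443, 950000),
    ("2015-06-01T09:01:00Z", "10.1.7.3", "192.0.2.55", 80, 400),
    ("2015-06-01T09:02:00Z", "10.1.9.8", "203.0.113.9", 443, 870000),
]

# Constructed placeholder indicators (documentation-range addresses, not real IoCs).
KNOWN_BAD = {"203.0.113.9", "192.0.2.55"}


@dataclass
class Perimeter:
    """Toy model of the layered perimeter: record, detect, block."""
    indicators: set
    block_enabled: bool = False          # False = EINSTEIN 1/2 only, True = E3A-style blocking
    log: list = field(default_factory=list)      # layer 1: record every flow
    alerts: list = field(default_factory=list)   # layer 2: alert on known-bad destinations
    blocked: list = field(default_factory=list)  # layer 3: flows actually stopped

    def observe(self, flow):
        """Process one flow; return True if it is allowed through."""
        ts, src, dst, _port, _nbytes = flow
        self.log.append(flow)
        if dst in self.indicators:
            self.alerts.append((ts, src, dst))
            if self.block_enabled:
                self.blocked.append((ts, src, dst))
                return False
        return True


def run_perimeter(flows, indicators, block_enabled):
    """Run all flows through the model; return the perimeter state and passed flows."""
    p = Perimeter(set(indicators), block_enabled=block_enabled)
    passed = [f for f in flows if p.observe(f)]
    return p, passed


def bulletin(p):
    """Summarize hits as {bad destination: [internal hosts]} for sharing with other agencies."""
    hits = {}
    for _ts, src, dst in p.alerts:
        hits.setdefault(dst, set()).add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def retrospective_hunt(p, new_indicator):
    """Replay the layer-1 record against an indicator learned after the fact."""
    return sorted({src for _, src, dst, _, _ in p.log if dst == new_indicator})
```

The retrospective hunt is the point of recording everything: once a new indicator arrives, the log answers which internal hosts already talked to it, even though nothing alerted at the time.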
As an additional line of defense, the Department of Homeland Security helps federal agencies identify and fix problems in near-real-time using Continuous Diagnostics and Mitigation programs – or “CDM.” Once fully deployed, CDM will monitor agency networks internally for vulnerabilities that could be exploited by bad actors that have breached the perimeter. CDM will allow agencies to identify, prioritize, and fix the most significant problems first. It will also provide DHS with situational awareness about government-wide risk for the broader cybersecurity mission.
CDM is divided into three phases. The first phase, which is being deployed now, checks to ensure that all computers and software on agency networks are secure. The second phase will monitor users on agencies’ networks and ensure they are not engaging in unauthorized activity. The third phase will assess activity happening inside agencies’ networks to identify anomalies and alert security personnel.
To date we have made the first phase of CDM available to eight agencies, covering over 50% of the federal civilian government. I have directed, and we expect, that DHS make the first phase of CDM tools available to 97% of the federal civilian government by the end of this Fiscal Year. I am also requesting authorization from Congress to provide additional funding to speed up CDM Phase 2.
As our detection methods continue to improve, more events will come to light. In fact, OPM was able to detect the recent breach as a direct result of implementing new tools and best practices recommended by DHS. As we are able to see and block more events, we will thereby identify more malicious activity and frustrate an adversary’s attempts to access sensitive information and systems.
The NCCIC also provides on-site assistance to federal agencies, as well as to private companies operating critical infrastructure. We, in effect, make house calls. When an incident like the OPM breach occurs, the NCCIC helps the victim organization find the adversary, drive them out, and restore service. The NCCIC also coordinates responses to significant incidents with other government agencies to give them the information they need to respond effectively and to ensure unity of effort.
By the authority given to me by Congress in the Federal Information Security Modernization Act of 2014,[v] I can now, as Secretary of Homeland Security, issue Binding Operational Directives to federal departments and agencies. A Binding Operational Directive is a direction to agencies to mitigate a risk to their information systems.
I issued the first Binding Operational Directive on May 21 of this year. This directive required agencies to promptly fix critical vulnerabilities identified by the NCCIC on their networks. We know we must drive change from the top. Thus, working with OMB, we notified department and agency heads so that they are aware of the status of their own agencies’ efforts to comply with the Directive. Departments and agencies responded quickly, and have already reduced critical vulnerabilities covered by the Binding Operational Directive by more than 60%.
Next, information sharing is also fundamental to achieving our mission. In order to sufficiently address the rapidly evolving threats to our cyber systems, we must be able to share cyber information as quickly, in as close to real-time, as possible. To accelerate the speed and expand the breadth of our information sharing, we are taking three actions:
First, we are supporting the development of Information Sharing and Analysis Organizations, as called for in the President’s Executive Order 13691 issued on February 13, 2015.[vi] Next month, we will, as directed by the President, select the organization that will develop best practices for these ISAOs. By supporting the development of ISAOs, we want to help companies -- regardless of size, location, or sector -- share information with their peers and with the Department of Homeland Security.
Second, I have directed an aggressive schedule for deployment of next-generation information sharing techniques by the NCCIC. DHS itself now has a system to automate our sharing of cyber threat indicators, and we are working to extend this capability across the federal government and to the private sector, so we can send and receive this information in near-real-time. One agency is already receiving cyber threat information via this automated system – over a month ahead of our original schedule. We expect that multiple agencies and private sector partners will begin sharing and receiving information through this automated system by October of this year.
Third, we are working closely with other agencies of our government to stand up the Cyber Threat Intelligence Integration Center, or “CTIIC.” This new center will help us better understand the various threats and provide more actionable and timely intelligence to the NCCIC to share with our private sector partners.
Finally, there is more Congress can do.
Congress has a role in cybersecurity, to ensure that we have adequate resources and budget, and the legal authorities necessary to pursue the mission.
Last year, in addition to passing the Federal Information Security Modernization Act of 2014,[vii] Congress gave us additional authorities to hire cyber talent,[viii] and codified the role of the NCCIC as the federal interface with the private sector for cybersecurity.[ix]
But, there is more Congress can do. The recent breaches in cybersecurity demonstrate the urgency of acting now, and we appreciate the good bipartisan work on cybersecurity legislation underway in Congress.[x]
We believe there should be three basic things in any cyber legislation:
First, Congress should expressly authorize the EINSTEIN program. This would eliminate any remaining legal obstacles to its deployment across the federal government. The House has passed H.R. 1731, which accomplishes this, by ensuring agencies understand they are legally permitted to disclose network traffic to DHS for narrowly tailored purposes.
Second, we must incentivize the private sector to share cyber threat indicators with the federal government through the NCCIC in a manner that provides protection from civil and criminal liability for private entities that share threat indicators, and protects privacy.
Third, we need a national data breach reporting system, in lieu of the existing patchwork of state laws on the subject, and enhanced criminal penalties for cybercrime.
In the meantime, as I have described here, we are moving forward.
As we improve our defenses, cyber adversaries will continue to improve their own efforts to break through them. This problem is not unique to the government – it is shared across the global cybersecurity community. Our adversaries are constantly evolving, and so must our tools to combat them.
We cannot detect and stop every single intrusion. That is not news. So often, the most sophisticated actors penetrate the gate because they know they can count on a single user letting his guard down to an act of spearphishing.
But, my message today is we have increased, and will continue to increase, the instances in which attempted intrusions are either stopped at the gate, or rooted out from inside the system before they cause damage.
We are taking action. We are aggressively strengthening our defenses. We are accelerating the deployment of the tools we have, and working to bring new ones online.
# # #
[i] Julianne Twining, National Cable & Telecommunications Association, Behind the Numbers: Growth in the Internet of Things (Mar. 20, 2015), available at s.ncta.com/platform/broadband-internet/behind-the-numbers-growth-in-the-internet-of-things/.
[ii] See 44 U.S.C. § 3554.
[iii] See id. § 3553(b); Office of Mgmt. & Budget, Exec. Office of the President, OMB Memorandum No. 1515-01, Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices (2014).
[iv] Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283, 128 Stat. 3073 (2014).
[v] Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283, 128 Stat. 3073 (2014).
[vi] Exec. Order No. 13,691, 80 Fed. Reg. 9,349 (Feb. 13, 2015).
[vii] Federal Information Security Modernization Act of 2014.
[viii] Border Patrol Agent Pay Reform Act of 2014, Pub. L. No. 113-277, § 3 (2014) (“Cybersecurity Recruitment and Retention”).
[ix] National Cybersecurity Protection Act of 2014, Pub. L. No. 113-282 (2014).
[x] See National Cybersecurity Protection Advancement Act, H.R. 1731, 114th Cong. (2015); Protecting Cyber Networks Act, H.R. 1560, 114th Cong. (2015); Cybersecurity Information Sharing Act, S. 754, 114th Cong. (2015).