Ritz-Carlton Pentagon City
I begin with something about Paris.
As the President said the night they occurred, the terrorist attacks in Paris are not just attacks on the people of France; they are attacks on all of humanity and the universal values we share.
Since Paris and in the days, weeks and months before then, we are doing a number of things to enhance the security of the U.S. homeland, and we continue to evaluate whether more is necessary.
The FBI, under the leadership of Director Jim Comey, continues to do an excellent job of detecting, investigating, disrupting and prosecuting terrorist plots to our homeland.
As always, the Department of Homeland Security and the FBI continue to be in close contact with state and local law enforcement. Since last Friday we’ve been providing them the very latest from our intelligence and law enforcement communities about what we know of the attacks in Paris.
As always, the Department of Homeland Security is in touch with a number of organizations representing retail businesses, mass transit, critical infrastructure, professional and college sports and others. Within hours after the Paris attacks we reached out to all these groups to share with them what we know, and to hear what additional security measures they may be taking.
I have personally been in touch with a number of big-city mayors to talk to them about the Paris attacks.
In general, the posture across this country, after Paris, has been to reinforce existing security measures, and provide an enhanced security presence at a number of large public events and places. Particularly as we approach the holiday season, we continue to encourage the public to travel, attend public events, and freely associate, but remain vigilant and aware. “If You See Something, Say Something™” is more than a slogan.
There are other domestic security enhancements we have made in recent days, weeks, and months.
Last year, following the terrorist attack in Ottawa, Canada, we enhanced our security presence at federal buildings around this country.
Also last year, I directed additional security measures at airports overseas with direct flights to the United States. Those enhancements have been adopted as the new standard by many of the countries in which these airports exist.
Though the investigation of the crash of Metrojet 9268 in Egypt on October 31 is not complete, several days after the crash I directed further aviation security enhancements at certain “last point of departure” airports in the region with respect to items on aircraft.
To know more about those who travel to the United States from a country for which we do not require a visa – and many of those are European countries – at the beginning of this year, we sought more personal information from those who complete the Electronic System for Travel Authorization, or “ESTA.” These additions have already proven very effective. About half the denials for requests to travel here are attributable to these additional data fields.
In August, I announced additional security measures we are seeking from countries from which we do not require a visa to travel here. These include the use of E-passport, more use of the Interpol database for stolen passports, and more use of Federal Air Marshals.
Since I have been Secretary we have been proactive in engaging various communities in this country to help them identify and discourage anyone in those communities who may be turning toward violent extremism. I recently created an Office for Community Partnerships to take these efforts to the next level.
This includes, by the way, engaging the tech sector to help those in Muslim communities in this country who need a larger platform and a louder microphone for their message to counter the dangerous messaging of extremist groups around the world. This is an urgent matter and a call for action. Within a short period of time, groups such as ISIL have become extremely effective at using the internet to recruit and inspire. We need your ideas and your help.
As I said before, we continually evaluate whether more is necessary.
Now I want to say something about refugees. The world faces an unprecedented outpouring of more than 4 million refugees from Syria. At present, over 2 million are in Turkey, over 1 million are in Lebanon, and an estimated 630,000 are in Jordan, 245,000 in Iraq, 127,000 in Egypt, and about 150,000 in Germany. A number of other nations, including our closest allies, have pledged to share some of this burden and accept Syrian refugees into their borders. For example, the new government of our neighbor to the north, Canada, has pledged to accept 25,000 Syrian refugees this calendar year.
Meanwhile, our government has pledged to increase the number of Syrian refugees we will accept, from 2,000 last fiscal year to at least 10,000 this fiscal year. This represents a commitment by our government to accept 0.25% of the approximately 4 million Syrian refugees in the world.
The United States can and should adhere to this commitment.
It is important to note that the overwhelming majority of Syrian refugees we have accepted and will accept are women, children and families. Both the UNHCR and we have prioritized for resettlement the most vulnerable of Syrian refugees -- which means women, children and families who are the principal victims of the violence perpetrated by both the Assad regime and ISIL in Syria.
Further, the process for vetting Syrian refugees prior to acceptance and resettlement in this country is very thorough, occurs in multiple stages, involves the State Department, the Department of Homeland Security, the Department of Health and Human Services, in consultation with our law enforcement and intelligence communities, and the process is time-consuming. It is the most thorough vetting process conducted with respect to anyone who crosses our borders.
Especially during these tense times, it is useful to remember that terrorism cannot prevail if the people refuse to be terrorized.
In our efforts to enhance the security of the homeland, we must not compromise our values as a free and open society. I can build you a perfectly safe city, but it will look like a prison. We can build more walls, install more invasive screening, interrogate more people and make everybody suspicious of each other, but not at the cost of who we are as a Nation of people who cherish privacy, value the freedom to travel and associate, and celebrate our diversity.
The same is true of cybersecurity, which is the topic I originally came here to talk about. Cybersecurity also involves striking a balance. I can build you a perfectly safe email system, but your contact will be limited to about 10 people, and you would be disconnected entirely from the Internet and the outside world. This, too, would be like a prison – an information prison.
The reality is we live in an interconnected, networked world. Cybersecurity must, therefore, also strike a balance between the basic security of online information and the ability to communicate with and benefit from the networked world.
In the meantime, the reach and interconnectivity of the Internet is growing at a rapid rate. Today, there are more connected devices than human beings on this planet. In just five years the number of devices connected to the Internet is estimated to exceed 50 billion.
At the same time, cyber threats are increasing in their frequency, scale, sophistication, and severity. The ranges of cyber threat actors, methods of attack, and targeted victims are also expanding. This affects everyone, both in government and in the private sector across the country and around the globe. Not a week goes by without a news report of another organization being hacked. These threats come from a range of actors, including nation-states with highly sophisticated capabilities, profit-motivated criminals, and ideologically driven hackers or extremists.
Cybersecurity is a top priority for me, the President and this Administration. Indeed, I am determined to make tangible improvements to our cybersecurity before leaving office as Secretary. We are making aggressive strides in that direction.
Today I’d like to make four points about cybersecurity:
First, I congratulate both houses of Congress for passing cybersecurity legislation this year. Congress is actually getting some stuff done, and in a bipartisan fashion.
On October 27, the Senate passed S. 754, the Cybersecurity Information Sharing Act of 2015. Earlier this year, the House passed H.R. 1731, the National Cybersecurity Protection Advancement Act, and H.R. 1560, the Protecting Cyber Networks Act. All of these bills seek to codify important parts of the President’s legislative proposals for cybersecurity.
These bills strengthen the role of the Department of Homeland Security in our Nation’s cybersecurity efforts.
The Senate bill and the House Homeland Security bill both incentivize the private sector to share cyber threat indicators with the federal government through the National Cybersecurity and Communications Integration Center, also known as our “NCCIC,” at the Department of Homeland Security. At the same time, we will ensure that any sharing regime optimizes the government’s ability to share cybersecurity threat information in the most effective and efficient manner. This is why we have been equipping the NCCIC to share this information rapidly and in automated fashion with other federal agencies, and to do so with appropriate protections for privacy. For the private sector, the principal incentive for information sharing in these bills is the limitation on civil and criminal liability.
The legislation passed by the House and Senate also specifically authorizes DHS to deploy its intrusion detection and prevention system – called EINSTEIN – across the federal government. For reasons I will explain later, this technology is key to DHS’s efforts to protect federal civilian networks.
I urge that Congress proceed to conference on the House and Senate bills as soon as possible, so that they can get to the President’s desk and become law.
The action by Congress this year builds greatly on cyber legislation passed last year: the Federal Information Security Modernization Act of 2014 and other laws that codify the role of the NCCIC as the federal interface for the private sector with DHS and provide DHS additional authority to hire cyber talent.
With the help of Congress, therefore, we are strengthening our ability to protect the cybersecurity of the American public, American businesses, and the federal government.
Second point: in connection with the visit of the President of China Xi Jinping in September, our two governments announced several commitments to address our differences on cyber issues.
In September the United States and China committed that both states should increase law enforcement communications regarding malicious cyber activities, including breaches of sensitive information, and provide timely responses to requests for information and assistance concerning malicious cyber activities. Both nations agreed to provide updates to the other side on the status and results of these investigations and take appropriate action.
The United States and China also committed to refrain from conducting or knowingly supporting cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors. Such a commitment was uttered by President Xi himself, in a speech he delivered in Seattle in September.
Finally, as a means of ensuring that these commitments are upheld, we agreed to a regular Ministerial-level dialogue on these issues, involving, on the U.S. side, the Secretary of Homeland Security (that’s me) and the Attorney General. The first of these meetings will occur here in Washington on December 1-2.
Last week, Deputy Secretary Mayorkas led a U.S. delegation to Beijing to meet with senior Chinese officials in preparation for these December meetings.
Time will tell whether the Chinese government’s commitments in writing are matched by action. Our next round of meetings is on December 1 and 2 and they will be an important indicator.
I intend to remain personally engaged on these issues. These commitments do not resolve all our challenges with China on cyber issues, to be clear. But, they do represent a step forward in our efforts to address one of the sharpest areas of disagreement in the U.S.-China bilateral relationship.
Third point: I have directed an aggressive timetable for improving cybersecurity for the federal civilian .gov network. As the OPM breach painfully demonstrated, our federal cybersecurity efforts are not where they need to be, but we are improving, by detecting and blocking more and more intrusions every day.
To begin with, at DHS we recently made the first phase of our Continuous Diagnostics and Mitigation program available to 97% of the federal civilian .gov. We met this milestone weeks ahead of schedule. This program, known as CDM, helps federal agencies identify and fix problems on their networks in near-real-time. Agencies are now working diligently to deploy CDM. Once fully implemented, CDM tools will monitor agency networks internally for vulnerabilities that could be exploited by bad actors that have breached the perimeter.
Next, on October 31, we reached a major milestone in our efforts to automate our sharing of cyber threat indicators. Our system to send and receive this cyber threat information in near-real-time is now up and running. We are working with multiple agencies and private sector partners to expand the number of those sharing and receiving information through this automated system.
As directed by the President in Executive Order 13691, on September 3 DHS announced the selection of the University of Texas at San Antonio as the standards organization to develop best practices for Information Sharing and Analysis Organizations. By supporting the development of these “ISAOs,” we will help companies -- regardless of size, location, and sector -- share information with their peers and with DHS.
We have seen great success from the Binding Operational Directive that I issued in May, based upon the authority provided to me by Congress in 2014. This directive required agencies to promptly fix critical vulnerabilities identified by the NCCIC on their networks. Departments and agencies responded quickly.
When I issued that Directive, we had identified 363 critical vulnerabilities across federal agencies. Of those, agencies have fixed nearly 99% of them. But we are discovering more critical vulnerabilities every day, and our numbers of vulnerabilities are still higher than I’d like (although far lower than the 363). I recently urged my fellow agency heads to remain vigilant and ensure that they keep up this critical effort to rapidly fix vulnerabilities on their networks.
I have directed my team to dramatically accelerate the deployment of EINSTEIN 3 Accelerated, also known as “E3A.” I have told them to make at least one E3A security measure available to all federal civilian agencies by the end of this year. We now protect 47% of the federal government with E3A, and to date, we have blocked over 700,000 actions that were possible attempts to steal government data or disrupt government systems. E3A is the intrusion prevention portion of our broader EINSTEIN program, and has the capacity to both identify and block known malicious traffic. Significantly, E3A will serve as a platform for future technology to go farther in recognizing and blocking suspicious and unwanted intrusions.
My fourth and final point: whether in .gov, .mil, .com, .edu or .org, perhaps the single most effective thing we can do to improve cybersecurity is actually pretty simple – raise the awareness of everyone who uses your systems to the dangers of spear-phishing. I will tell you that the most devastating attacks by the most sophisticated actors often start with a simple act of spear-phishing – the bad actor is let in by the naïve employee who opens an email or attachment he or she should not. And, once the bad actor is through the gate and inside the house, he can pose as a system administrator or anyone else and gain access to sensitive information.
While big problems typically require large, complex and expensive answers, the answer to this particular big problem is pretty simple -- raise awareness.
For example, one of my largest components sent out an email to all of its employees with a link to free Redskins tickets. This e-mail was in fact a mock spear-phishing campaign – and bore many of the telltale signs, such as an unusual “from” address and an embedded link. Those employees who clicked on the link received a follow up message to meet in a certain room for their free tickets. When they arrived, they received a briefing on proper cybersecurity practices.
We must train our people to understand cyber risks and use best practices online. Our adversaries understand that human behavior can be exploited as a weakness. Along with deploying innovative technologies, we must also ensure that our employees, family, and friends contribute to our shared security.
The Department of Homeland Security is taking steps to help develop the cyber workforce. Since 2010, our Science and Technology Cyber Security Division has funded the National Collegiate Cyber Defense Challenge, a college-level competition where teams of eight students compete against each other to defend a business network from persistent cyberattacks. Over 200 colleges participated in this year’s competitions. We have also partnered with the National Science Foundation to fund the Scholarship for Service CyberCorps program. This is a unique program that issues selected colleges and universities scholarship grants to attract students to the cybersecurity field. Graduates are then able to work for federal, state, or local governments. We, at DHS, have successfully hired many graduates from this particular program.
And, earlier this year we launched the 2015 Secretary’s Honor Program Cyber Student Volunteer Initiative for current two- and four-year college students. More than 75 selected students completed volunteer assignments supporting the DHS cyber mission at department field offices in over 50 locations across the country. Through this initiative, created in April 2013, students gain firsthand experience applying their skills and exposure to the cybersecurity work performed across DHS. In addition to their assignments, selected students participate in mentoring and professional development events with DHS managers and senior leaders.
In conclusion, there is no one silver bullet for cybersecurity. But we are moving forward urgently to address a shared problem. My goal for the remainder of this administration is for the entire civilian government to be covered by a common baseline of security provided through E3A and CDM, and to maximize the number of companies benefiting from cybersecurity information sharing with DHS. We will face more challenges ahead. But we are taking aggressive action and we are well on our way.
Given my own experiences as a New Yorker and a Department of Defense official, I have said many times in speeches that the cornerstone of the Department of Homeland Security is counterterrorism. I recognize that cybersecurity must exist alongside counterterrorism as one of our top priorities, for the protection of the American people, American businesses large and small, and the federal government.
Toward this goal, we at the Department of Homeland Security have made considerable progress, and we will continue on this path.
Thank you very much.