Tel Aviv, Israel
June 20, 2016
This morning I realized that this summer marks the 39th anniversary since my first visit to Israel—39 years ago I visited family, I worked on a kibbutz, and I toured the country. These past two visits over the course of the last year, I have visited in my official capacity, yet nevertheless, I feel just as much at home this past year now as I did 39 years ago.
It is not only because of my family residents here in Israel or my love of this country, but importantly, because of the friendship and partnership that I have forged with a number of officials in the Israeli government, chief among them Dr. Matania, and I appreciate that and am grateful for that.
I felt that I would just share a few thoughts about the landscape in the United States domestically in terms of our federal government’s efforts, speak a bit about the international forum in which we operate to discuss our cybersecurity challenges, and then to share with you what I deem to be an imperative for the future.
Back home in the United States the federal government is in the process of really reorganizing itself to best meet the cybersecurity challenges that we confront. Significantly, the Department of Homeland Security has been placed in the point position, the tip of the spear if you will, on behalf of the federal government, not only to drive the security of federal government departments and agencies throughout the administration, but critically to be the point in a public-private partnership to ensure that the federal government and the private sector is working together to address a challenge that confronts us both. And in this regard, the critical architecture that we are developing is the architecture of information sharing. That is one of the edifices for the institutions we are building, and the second is a response protocol that is unique to the cybersecurity challenge.
In normal criminal law, the focus of attention on behalf of the government is the identification and apprehension of the perpetrator to address the threat in the first instance. In the cybersecurity realm, we recognize that the identification and certainly the apprehension of the perpetrator can be so difficult. The perpetrator could be across the world. Cybersecurity as we know knows no boundaries, and importantly, therefore, it is critically necessary to ensure that we filtrate the harm, we remediate and repair it. And so, the ability to protect the asset in the cybersecurity realm could be more important than the apprehension of the wrong doer.
And between those two architectures, the sharing of information and the response to the asset that is the target of a cybersecurity challenge, we are really building a new culture and a new institution in the federal government. We confront some challenges in doing so; the sharing of information between the private and the public sectors brings some challenges as I mentioned.
First, at a very nascent stage, the industry, individuals, companies ask of us “What is really in it for us? What is the benefit for us to share information?” And the answer is in one of the unique natures of cybercrime that is the ease of replication. Just as a perpetrator victimizes one individual computer or institution’s system that harm can be replicated with ease and with tremendous speed. And so, the ability to share information with the government, so that the government, in its unique position, can disseminate the cyber threat information to others throughout the country will ensure the replication of the harm never materializes.
And so, even though we are at a nascent stage in information-sharing architecture, I am confident because of our abilities and the capabilities we are developing that we will, indeed, instill this culture in the private and the public sector.
The second obstacle that we confront, quite frankly, is the issue of trust. There is still a chasm of distrust between the private sector and the federal government. I, personally, believe that to some extent we still are operating as a federal government and, certainly, in the cyberspace. In the shadow of the Snowden disclosures of several years ago the question arises when an individual or an institution shares information: what will the government do with that information? And the legislation that Congress implemented at the end of 2014 and the policies that we have implemented since that critical piece of legislation provides adequate protection in that regard.
In addition, there’s a concern about accountability. Some of our independent regulatory agencies have brought actions against institutions when those institutions have revealed inadequate cybersecurity process to protect shareholders, to protect customers, and to protect consumers more broadly. And so, the accountability regime in our country serves as a point of hesitation in an institution’s willingness to share information with us, and of course, there is the issue of civil liability not just government action but consumer litigation should the information provided reveal a level of negligence. This too, our legislation and our policies have guarded against.
There is anonymity if one so chooses when providing information to the government, there is liability protection and there is a confidentiality of information once we in the Department of Homeland Security receive it.
I think that our ability, our unique position to receive information and to disseminate it broadly really is a galvanizing force in the information sharing architecture that we see is critical to the future.
There is one element to it from a market perspective that I would implore people to embrace. And that is the notion of a public good. Despite the threat indicator itself, now we can moderate the value that is in the marketplace. The cybersecurity industry has blossomed and has grown so significantly beyond the mere possession and dissemination of cyber threat indicator. That indicator need no longer be treated as a commodity and should be treated as a public good.
If we share the cyber threat indicators with one another we can achieve our goals, the goals I previously articulated, and that is to ensure that our vulnerability, once discovered, is not twice exploited. And if, in fact, an institution shares that vulnerability with another, if one has been victimized we can ensure that the second and subsequent institutions that share that vulnerability are not similarly victimized. We must share information and specifically the cyber threat indicator to share and receive that result.
One of the lessons, I think, what we have experienced in the cyber world is to go it alone is a very precarious endeavor, but to work together makes us all stronger and creates an ecosystem that will best protect us.
That leads me to turn to the international arena. We enjoy an extraordinary close partnership with the State of Israel. Dr. Matania and I reached agreements in the past and we are, in fact, going to be signing an agreement together tomorrow to embark on an automated information sharing protocol together. And that is a capability that we in the Department of Homeland Security have developed the ability to receive information in automated form and disseminate it in near real time in automated form as well. And I say near real time because, critically, I spoke of the confidentiality provisions and the ability to protect privacy interests and that we are able to do in seconds and minutes.
The cybersecurity threat is, of course, borderless. So, just as we proselytize the sharing of information domestically we proselytize it in the international arena as well. And information must be shared between and amongst countries through the computer emergency response teams in CERT-to-CERT relationships and otherwise. We must always also ensure that countries follow the well-established international norms. We are pleased that we were able to negotiate an agreement with the Republic of China to ensure that it abided by the international norms, and critically, the norm that it will not engage in cyber conduct to steal secrets for the commercial advantage of entities operating in its domain. And, of course, with respect to cooperation there is a critical need to share our research and development and to share our innovations of which Dr. Matania spoke. And in that regard, the United States and Israel share a strong bond and a very strong partnership.
The United States with our remarkable resources, our technological innovation, and the dynamism of our tech community can certainly be a leader in cybersecurity across the globe. Our close partner and great ally, a much smaller country, Israel, is and can be as well. And I think that’s for a number of unique reasons, not just its extraordinarily brilliant individuals working not only in universities and government, but in the private sector in close partnership with those institutions, but also because of the architecture Dr. Matania spoke of and has developed. It is an extraordinary high priority of the prime minister and of the government as a whole to ensure that the cybersecurity is a result of tremendous investment of talent and funds to ensure the cybersecurity of the nation.
It is, as Dr. Matania mentioned, a direct report to the prime minister which reflects the prioritization of this critical agenda. It is also, quite frankly, Israel’s position in the world as a leader, also quite frankly, because of the visionary leadership of Dr. Matania himself. I have had the privilege and the pleasure of working with Dr. Matania for well over a year now and I think he is one of the most thoughtful leaders in this face that the world has and we can all benefit from following the model of Israel and listening to and adhering to the vision of some of its leaders.
The tech industry in Israel is growing by leaps and bounds, and it also has the unique ability to recruit talent through military service, through the identification of individuals with the talent needed to develop the cybersecurity of tomorrow. Israel, along with the United States and other nations, is poised to work as a collaborative partner to ensure that our ecosystem in a united way is stronger today and tomorrow.
It is interesting, I spoke with a government official, a local government official in the United States, recently and one of the topics in our conversation was the question whether our security could keep pace with our technological innovations. We were remarking on the news that the virtual currency, Ether, had been victimized by a cyberattack despite the best of defenses. And the official asked me what we can do to make sure that the driverless car of tomorrow is secure given its reliance on technology and I impressed upon him that that tomorrow is already here, today.
Last year, I spoke at a conference of hackers in Las Vegas, Nevada, a conference known as DefCon, and immediately preceding my remarks was the presentation of two individuals that hacked into a Chrysler automobile and took over its operating system. So, we cannot think that tomorrow is far away when we speak of the need to ensure that security keeps pace with technological innovation. That tomorrow is here. We are all gathered here today because of that reality. And if I leave you with one message, it is the message of the need for all of us to work together to make each of us stronger and more secure.
Thank you very much.