Today, Secretary Nielsen delivered a keynote address at the RSA Conference in San Francisco. During her remarks, she laid out the steps DHS is taking to address the evolving threats to our nation’s cybersecurity infrastructure.
The remarks as prepared can be found below.
Thank you. I appreciate RSA for inviting me this year.
Let me start off by saying that it is good to be in a room where I won’t be asked questions about why the dark web is dark…or why you can’t pull bitcoins out of an ATM…or why there isn’t a “button” for us to turn off the internet. These are the types of questions I’ve been asked in D.C. since becoming Secretary…usually by Congress.
But in seriousness, every year when we gather at RSA, we take stock of what’s changed in cybersecurity and forecast what’s next on the horizon.
I believe we have reached one of those “horizon moments.” And when we look back, we will see this period as a turning point in cyber history.
Why? Because digital security is converging with personal and physical security—and the public is starting to realize how much they are both intertwined.
We have predicted this convergence for many years.
But people are waking up to this phenomenon because they are getting robbed of their security…again and again…in sweeping digital heists and pernicious intrusions.
Cybersecurity used to be a problem reserved for the IT department. It was something out there that someone else handled. It was not my problem. Now it is a real-life, daily concern for parents, teenagers, teachers, small business owners, and beyond.
Every facet of our society is now being targeted and at every level: individuals… industries… infrastructure… institutions… and our international interests.
Simply put, it is now everyone’s problem. And it is affecting our lives, our livelihoods, and our way of life.
Although I’m the first to admit I could talk about this subject all day, today, I will give you my high-level perspective of the threat landscape.
And I will highlight five areas where we need a new approach to respond to a new age.
First, let me be very clear: the threat picture is getting dimmer, not brighter.
I hate to be the Debbie Downer of cyber conferences, but I begin each morning with an intelligence briefing that covers everything from terrorist plots to drug smuggling. And I see—as many of you do—that digital threats are multiplying faster than we can keep up.
The cyber threat landscape is different today because cyber is not only a target. Cyber can be used as a weapon and as an attack vector or method through which nefarious activity is conducted.
Today, our innovations can be stolen and used to diminish our prosperity…our infrastructure can be hijacked and used to hold us hostage…and our institutions can be compromised and used to undermine our democratic process.
Last year was the worst-ever in terms of cyber-attack volume.
Nearly half of all Americans had sensitive personal information exposed online. But that wasn’t the total for 2017. That resulted from one single breach, when cybercriminals hacked the Equifax credit bureau.
In the same period, WannaCry ransomware spread to more than 150 countries, paralyzing industries from healthcare to hospitality. And the NotPetya attack wreaked havoc, creating one of the costliest cyber incidents in history.
By 2021, cybercrime damage is estimated to hit $6 trillion annually1. To put that in perspective, that’s almost 10 percent of the world economy.
Making matters worse, the proliferation of internet-connected devices—which make our lives easier, and in some cases more fun—have also made it easier to attack us.
If the past year showed us anything, it’s that our cyber enemies are bolder, more brazen, and savvier than ever before.
This goes for nation-states, in particular.
Several years ago, a cyber-intrusion by a foreign rival might look similar to a sloppy home break-in. You knew you’d been hit because the window was broken, there were boot marks in the hallway, and your favorite electronics were missing.
Today, our adversaries are getting more sophisticated—and sinister. The door is still locked when you get home and everything looks normal. But in reality, the intruder has already been inside for hours and will remain in hiding, waiting to steal or to harm. Your confidence in the security of your home—and the sanctity of your home—have been forever affected.
Our response to the evolving threat environment is complicated by the fact that different attackers have different objectives.
Some foreign governments want to siphon away our classified information to outmaneuver us or weaken our defenses.
Others try to steal intellectual property, trade secrets, or bulk data, including personal information on ordinary Americans.
This may be to advance their own industries or to undermine specific individuals down the road—or simply to better understand our patterns, our behavior, and our choices in order to manipulate us.
In some cases, foreign governments are committing cybercrime to finance their regimes. And still others seek to compromise our critical infrastructure, so that one day in a conflict they can turn our vital systems against us—or, simply turn them off.
In some ways we are at a disadvantage because our cyber adversaries have a different risk calculus or cyber activity threshold.
They seem to believe the digital realm is fair game for nefarious activity, and they are often indifferent to collateral damage.
Look, for instance, at the viral spread of volatile malware. Last year both Russia and North Korea unleashed destructive code that spread across the world, causing untold billions in damage.
The United States – and our allies - exposed both nations for their reckless actions.
But why would they take such risks in the first place? The answer is simple—they think they can get away with it. And too often they have. The consequences have been limited.
In response to the evolving threat, the Department of Homeland Security is adopting a more forward-leaning posture.
Soon the Department will release our new cybersecurity strategy.
It will bolster our digital defenses by prioritizing enhancements in risk identification, vulnerability reduction, threat reduction, and consequence mitigation. And it will focus on strengthening the security of the broader cyber ecosystem.
But today I want to give you a preview of themes guiding that strategy and highlight five areas in particular where I believe we need a new approach for a new age.
The first is systemic risk.
We must be more aware of vulnerabilities built into the fabric of the internet and other widespread weaknesses. We must be more aware of single points of failure, concentrated dependencies, and cross-cutting underlying functions.
An attack on the financial sector, for instance, can quickly have an impact on the energy grid, which can affect water systems, which can affect healthcare and agriculture…and you can’t predict where it will stop because of our endless inter-connectivity and digital dependence.
We cannot afford get stuck in silos and focus only on vulnerabilities within specific sectors, assets, and systems. We must also prioritize securing essential functions across sectors, including those executed through multiple assets and systems.
Whether it is common tools such as GPS or payment and settlement systems, our cyber risk assessments need to factor in shocks to the system that could have untold, cascading consequences.
So what are we doing about it?
First, I am making sure this perspective shapes DHS engagement with the private sector, our risk assessments, and our prioritization of services and tools.
For instance, we recently launched a voluntary initiative to identify and mitigate systemic risk in supply chains.
We are working with users, buyers, tech manufacturers, and others to hunt down unseen security gaps—and to share actionable information that will help close them.
This includes identifying companies in the supply chain whose risks might go unnoticed.
And we need your help. We ask you to work with us to identify systemic risks, to flag emerging ones, and to work with us to fix them.
That leads to my second focus area: collective defense.
Our hyperconnectivity means that your risk is now my risk and that an attack on the “weakest link” can have consequences affecting us all.
Everyone is cyber vulnerable. And everyone has a role to play in making cyberspace more secure. The attack-and-defend cycles are no longer merely fights between hackers and network defenders. Today, we are ALL on the frontlines of the digital battlefield.
It’s like getting ready for a natural disaster. If we prepare individually, we will fail collectively.
That is why collective defense is now central to our long-term cyber strategy.
Looking five years out, the Department of Homeland Security aims to have far greater awareness of dangerous threats before they hit our networks…to dismantle major illicit cyber networks in minutes, not months…and to be faster, smarter, and more effective in responding to incidents.
We cannot get to this place alone. We need your help.
The bad guys are crowd-sourcing their attacks, so we need to crowd-source our response.
Unfortunately, we are not quite there yet. Much like the pre-9/11 period, we have the data points to stop attacks, yet we still aren’t sharing quickly enough to connect the dots—especially not with a threat evolving at machine speed.
That is the reason DHS is working on efforts such as Automated Indicator Sharing (AIS). Every time someone sees a threat, we want them to share it securely and quickly so others can protect themselves right away.
AIS does exactly that and has allowed companies big and small to block known malware and root out intruders.
Another example of successful collective defense is the Financial Systemic Analysis and Resilience Center, which was started by a number of banks in 2016 to understand and manage systemic cyber risk.
The FSARC stood up an initiative to help industry and government alike identify the key players and unique threats around a national critical function – the wholesale payment system – and to jointly develop solutions to buy down that risk end-to-end.
I encourage other sectors to emulate the FSARC model and drive towards collective defense.
Third, we need to refresh our thinking about what the federal role in cybersecurity should be.
I know people may get the chills when I say that. But bear with me.
I’m not talking about “federal regulators.” We need to be “federal empowerers”—using our resources to offer voluntary assistance and unique tools to address cyber market failure.
For example, too often, in a rush to be first-to-market, young companies are dis-incentivized to build security into their products.
Why sell a $30 cyber-secure pedometer for marathon runners when you can sell a basic version for $5? And who wants to buy the $30 version?
Our approach to addressing this problem is two-fold. First, we want to enable better “supply-side” security by helping creators build defenses into the design and creation of their products.
We are developing tools we can share to identify bugs and risks earlier, with the goal of moving from “first-to-market” to “first-to-market secure.”
We are also working to coordinate the disclosure of newly-discovered vulnerabilities so that developers can correct problems before adversaries exploit them.
Secondly, we need to drive “demand-side” security by educating more consumers to be security conscious, and ensuring our services match up with what the consumer needs and wants.
Consumers must demand products that put security first. And we can help do that by raising greater public awareness of cyber risks.
My fourth point is that today there is only so much we can do on the prevention side. Despite our best efforts, we will get hit, over and over again. We have moved from “if” to “when” to “how often” and “how long can you withstand persistent attacks.”
So in an era of advanced persistent threats, we need to urgently focus on what I have called “advanced persistent resilience.”
I would offer in the cyber realm this means the system or asset must continuously deliver the intended outcome despite ongoing attacks.
We must be obsessed with building redundancy into our systems so that when they get attacked and fail, they fail gracefully. So that when they fail, we innovate as we recover. We not only ounce back but we bounce forward.
Systems should be designed so that parts can function offline—“unplugged”—without a requirement to take down the entire system or network.
The recent cyber attack on the City of Atlanta is a cautionary tale. Without built-in redundancy, critical systems went dark and public services slowed to a halt.
Today the pressing need for resilience is highlighted by the issue of election integrity.
Two years ago, the Russian government launched a brazen, multi-faceted influence campaign aimed at undermining public faith in our democratic process generally and our elections specifically.
That campaign involved cyber espionage, public disclosure of stolen data, cyber intrusions into state and local voter registration systems, online propaganda, and more.
We cannot let it happen again, and that is why DHS has adopted an aggressive posture for helping to defend our election infrastructure.
We have been working with state, local, and private sector partners to offer voluntary assistance—including cyber hygiene scans—to better protect critical election-related infrastructure systems.
We have been promoting best practices to make sure that, even if there are incidents, our election infrastructure has built-in redundancies.
And we have been advancing new efforts alongside interagency partners to counter the efforts of foreign adversaries to sow discord in our democracy.
The President has been clear, and DHS and our interagency partners have been clear: We will not allow any foreign adversary to change the outcome of our elections.
Every American must have confidence in the integrity of the system and that their votes will be counted—and counted correctly.
That leads me to my fifth and final subject: cyber deterrence.
If we really want to stop bad behavior, we have to deter it. That’s not new.
What’s new is that our digital lives now depend on it.
The threats are so severe that if we don’t start identifying and punishing our assailants, they will overtake us. And the costs of interconnectivity will start to outweigh the benefits.
So as Secretary of Homeland Security, I am working with my counterparts in the President’s cabinet to fight back.
And I have a news flash for America’s adversaries: Complacency is being replaced by consequences.
We will not stand on the sidelines while our networks are compromised.
We will not abide the theft of our data, our innovation, and our resources.
And we will not tolerate cyber meddling aimed at the heart of our democracy.
The United States possesses a full spectrum of response options—both seen and unseen—and we will use them to call out malign behavior, punish it, and deter future cyber hostility.
In today’s hyper-connected world, cybersecurity is national security. Our cyber defenses help guard our very democracy and all we hold dear.
So to those who would try to attack our democracy, to affect our elections, to affect the elections of our allies, or to undermine national sovereignty, I have a simple word of warning: DON’T.
My appeal to those of you in this room today is to work together.
You hear that all the time from this stage, but I mean it—tell us what you need from DHS, flag the risks and threats that you are seeing, work with us collectively to block digital enemies, and innovate with us to stay ahead of the threat.
We need to harness the energy of the people in this room to evangelize the idea that security is a core business function and is a competitive advantage.
Your commercial efforts toward network security are also a public service toward national security. So please think about how you can take that mentality back to your workplaces following this Conference.
In the meantime, DHS will continue to work with you so that we can raise our shields without lowering our standards.
We don’t need to close ourselves off from the world in order to protect our networks. And we shouldn’t have to dial back our innovation.
Together we will forge a path that will give Americans—and all those that share our interests—greater confidence in their digital security.
I look forward to working with you all. Thank you.