Secretary Alejandro N. Mayorkas delivered the following remarks at the Singapore International Cyber Week Summit. His remarks are below:
In the past year, Singapore endured a surging number of cybercrimes, phishing campaigns, and ransomware and malware attacks that impacted small and large businesses alike.
The healthcare industry was particularly hard hit. Just one year ago, the personal medical records of more than 400,000 customers of a Singapore-based health platform appeared online. The cost to the economy (company) and to the individuals whose records were exposed is incalculable.
Singapore was by no means alone. Cyber actors continue to grow in their sophistication, scope, and maliciousness – targeting governments, private companies, and individuals; and extracting time, money, and resources from those who can ill afford it. Singapore is addressing this growing challenge in the manner that others must follow: through collaboration.
The United States believes that we must work hand-in-glove with international and municipal governments, nonprofits, academia, and the private sector to address the ever-changing cyber threats we face. These are shared challenges that demand a unified response.
The United States and Singapore share this approach. The Cyber Security Agency of Singapore is working with the private sector to recruit the top cyber talent worldwide and identify the skillsets most vital to Singapore’s security. Through the Asset-Based Cyber Defence program, Singapore is taking advantage of their expertise, connecting over 100 enterprise businesses to these private sector experts to provide advice, technical solutions, and consultancy services.
These partnerships also go beyond the country’s borders. Singapore launched the ASEAN-Singapore Cybersecurity Center for Excellence last year, which has brought together more than 1,000 officials from 40 governments, the private sector, academia, and nonprofits to learn how to better prevent attacks.
The United States and Singapore enjoy a strong relationship in many domains, but there is perhaps no area where our relationship has grown stronger than in building cybersecurity together.
The Biden-Harris Administration last year signed an agreement with Singapore to extend our cooperation on cybersecurity and announced an annual cyber dialogue designed to share best practices on cybersecurity operations and critical infrastructure security.
I am honored to be at Singapore International Cyber Week before this distinguished group at such a pivotal moment in history.
So many of you here in the room tonight create and employ innovations driving unprecedented, exponential technological progress, making the world more and more interconnected.
Today’s world affords previously unimaginable access to knowledge, education, and communication – enabling an ever-growing number of us to converse and share ideas around the globe – enabling people to learn new skills and improve their quality of life – enabling nations to grow their economies and strengthen their national security.
But our interconnectedness and the technology that enables it – the cyber ecosystem – also exposes us to a dynamic and evolving threat environment, one that is not contained by borders or limited to centralized actors, one that impacts governments, the private sector, civil society, and every individual.
It is in the cyber arena where we increasingly see one system, fortified by standards established in concert with each other, yet challenged by another where the rules are set by those who wield power unfairly and irresponsibly.
We are at a cyber crossroads. Each of us faces the same evolving cyber threats, but nations are choosing different paths.
Some are working collaboratively to combat these threats and assessing whether technology they deploy is secure and safe for their people for years to come. Others are lured by bargains for technology that ultimately is not secure. As I will outline, these deals come with strings attached, including significant risk to security and even to sovereignty.
We have never been more at risk.
Flouting internationally accepted norms of responsible behavior, transparency, and accountability in cyberspace, our adversaries—hostile nations and cybercriminals—continue to advance in capability and sophistication. Their methods vary but their goals of doing harm are the same.
Often their aim is subversion. They target critical infrastructure to wreak havoc on our daily lives. They exploit the integrated global cyber ecosystem to sow discord, undermine liberal democracy, and erode trust in our institutions, public and private.
Sometimes their aim is control. Cyber operations are increasingly used to eliminate choice and the freedom of expression.
Other times the aim is profit, as is the case with ransomware attacks, which are fast increasing. The FBI’s Internet Cyber Report noted over 2,500 ransomware attacks in the United States in 2021. That does not reflect the many that go unreported. This year, the number of attacks continues to rise worldwide, increasingly affecting critical infrastructure and governments, including those in Southeast Asia, where attackers are regularly hampering businesses and endangering public health.
Hostile nations like Russia, Iran, North Korea and the PRC, and cybercriminals around the world, continue to get more sophisticated and create more adverse consequences. These cyber operations threaten the economic and national security of everyone in this room.
Leading up to and following Russia’s illegal invasion, Ukraine experienced a series of disruptive cyber operations against their networks.
In February, Russia conducted a cyber-attack against commercial satellite communications, impacting families and businesses across Europe.
Iranian cyber-attacks recently caused severe harm to government networks in Albania, limiting access to essential services.
In the last two years alone, North Korea has largely funded its weapons of mass destruction programs through cyber heists of cryptocurrencies and hard currencies totaling more than 1 billion dollars. They have perpetrated these cyber heists against entities within countries present today, and they have done so with near impunity.
It will not surprise anyone that PRC-backed hackers are among the most active groups targeting governments and critical infrastructure this year – including across Southeast Asia. They are the most active group targeting businesses around the globe. Just one PRC hacking group known as APT41 has stolen intellectual property from at least 30 multinational companies in the pharmaceutical, energy, and manufacturing sectors, resulting in hundreds of billions of dollars of lost revenue.
The PRC is using its technology to tilt the global playing field to its benefit. As part of its massive Belt and Road Initiative, the PRC unveiled its Digital Silk Road project, capitalizing on the worldwide demand for internet communications technology. It lures customers by purporting to improve recipient countries’ telecommunications networks, AI capabilities, and e-commerce systems at low cost.
Accepting assistance from the PRC can come with unintended consequences. We have seen this play out beyond the technology realm when countries strike infrastructure deals that are too good to be true with PRC-backed companies. Countries incur large amounts of risk and debt under these deals, and like all loan agreements, when a borrower defaults, the lender can call on the debt. Nations must consider what leverage they are giving up and whether they are mortgaging their futures when they reach agreements for critical infrastructure with the PRC.
Beijing often requires large PRC-based companies to share and store data from their networks in-country and to provide that data to the government when requested by authorities.
That is why the United States passed legislation to ban PRC state-sponsored companies like Huawei and ZTE from deploying their network equipment in the United States and revoked China Telecom’s authority to provide services in the United States.
It is our belief that our essential telecommunications networks should not be owned or operated by companies who will either sell or provide your information to a foreign government. Cheap telecommunications technology is not worth the price of citizens’ privacy, your national security or your sovereignty. If the deal looks too good to be true, it probably is. The cut-rate price at which the technology was purchased may not be the final bill to arrive.
We also must be vigilant with regard to the rules and standards that govern our ongoing efforts to keep the internet and our infrastructure secure. This year, a review conducted by our Cyber Safety Review Board, a group made up of leading cyber experts in the public and private sectors, noted that Beijing has established rules that could require security vulnerabilities to be reported to the government before they are fixed.
This would afford PRC government hackers the potential to use weaknesses in technology products to steal intellectual property and conduct military operations.
The United States is steadfast in our commitment to a free and open internet, one that is built on rule-based international order. An order with input and buy-in from all stakeholders, ensuring that data is protected and not exploited, vulnerabilities are identified and addressed, and standards are streamlined, transparent, and consistent no matter what country you live in.
This is why I am here at Singapore International Cyber Week. Partnership is essential to the cybersecurity challenges facing the world today.
The U.S. recognizes that our collective cybersecurity depends on government, and on many stakeholders including the private sector, non-profits, academia, and individuals. Critical infrastructure like communications, energy, and agriculture spans borders, and efforts to protect our cybersecurity increasingly demand a multifaceted approach with international partners.
We have expanded our engagement on cyber and technology issues with key partners around the world to ensure we can address the cybersecurity risks of today and tomorrow, including through our attaches in over 60 posts globally.
We share timely information on cyber incidents, threats, and mitigation measures through our Computer Emergency Readiness Team. We exchange technical expertise on cloud security, cyber insurance, maritime cybersecurity, and aviation cybersecurity, to name just a few.
We conduct joint cybersecurity tabletop exercises that inform our preparedness and cyber operations. And we work together to securely deploy 5G technology and secure our supply chain.
The Biden-Harris Administration is building strong operational relationships to combat ransomware through the US-EU Ransomware Working Group and the U.S.-Republic of Korea Ransomware Working Group.
A year ago last week we brought together 30 nations, including many in this room, for an International Counter Ransomware Initiative Summit intended to accelerate cooperation against this growing threat. At the end of this month, we will meet in person for the first time to review our outcomes and chart our path forward together. Singapore’s leadership, alongside the UK, is also critical in sharing best practices and shaping our next steps in combatting illicit use of virtual currency.
We are deepening international research and development partnerships to stay ahead of emerging cyber threats, including with South Korea, Israel, the United Kingdom, and others.
Our work with Australia and Singapore deepens and broadens cooperation in cybersecurity and critical-infrastructure security, including a partnership with Singapore’s Cybersecurity Agency to develop a training course on securing Industrial Control Systems that will be offered to students from across ASEAN nations.
We are partnering with 47 Indo-Pacific nations and territories to help secure ports through our Global Maritime Transportation System Cybersecurity Initiative.
Through our law enforcement personnel embedded in overseas cyber-crimes units, we have trained hundreds of local law enforcement officials on cyber investigations, and together, we are bringing thousands of criminals to justice.
Only through collaboration with the private sector can we fully address our cyber challenges.
Voluntary efforts have been very productive. After Russia’s unprovoked aggression in Ukraine, our “Shields Up” initiative galvanized the private sector to exercise vigilance and implement urgent security improvements in response to a heightened potential for a cybersecurity event of a retaliatory nature.
Today hundreds of thousands of organizations are voluntarily using our “Shields Up” guidance, in fact, thousands are.
We see the impact: faster mitigation of vulnerabilities known to be used by Russian cyber actors, expanded information sharing on cyber threats, and investments in critical security measures like multi-factor authentication that can no longer be considered optional.
We just marked the one-year anniversary of the Joint Cyber Defense Collaborative – or the JCDC – where operational cybersecurity experts from government join those in the private sector to build and implement plans to address cyber risks. We recently expanded the JCDC to include major energy and financial sector firms and will continue to broaden our efforts to address evolving risks.
The Log4j software vulnerability was first assessed by a group of U.S. government and private sector members on the Cyber Safety Review Board. It is important to note that the Cyber Safety Review Board is not about accountability or enforcement – it is forward-looking and focused on identifying ways that our communities can strengthen their cybersecurity.
In consultation with industry, we will soon issue cybersecurity performance goals that constitute the highest-priority baseline measures critical infrastructure owners can take to protect themselves. We call on partners around the world to work with us to consider these security measures as worthy minimum-security baselines within your own countries and industries.
In some areas, voluntary standards are, candidly, insufficient and mandatory standards will be essential to protect critical infrastructure.
In the wake of the Colonial Pipeline attack, we worked in consultation with the private sector to publish rules requiring certain cybersecurity measures to be taken in the pipeline industry, then also applied them to the aviation and rail sectors. We rely on voluntary approaches wherever we can, but sometimes targeted regulation is required to protect our populations and the critical services on which they rely.
When we do regulate, however, part of doing it smartly is to avoid overly burdensome and duplicative requirements. We are also focused on streamlining incident reporting requirements.
We must simultaneously look for opportunities to harmonize regulations domestically and with international partners. Multinational companies operate across jurisdictions and deploy tech infrastructure that serves their global needs. As much as we can, we as governments should strive to harmonize requirements so that there is a sensible landscape of rules that incorporate the best security standards, and which companies can implement in a practical way.
The Department of Homeland Security, the department I am privileged to lead, chairs the federal Cyber Incident Reporting Council, bringing together all U.S. government agencies that have reporting mandates, to identify areas for harmonization and streamlining. Of course, many other governments represented here have incident reporting mandates of their own. We want to engage with you to identify common approaches that can get governments the information they need, but in a way that is streamlined and coherent for multinational companies that frequently must report a single incident to many different regulators.
We are working on these targeted, regulatory approaches. We are in parallel accelerating our voluntary collaboration like “Shields Up,” JCDC and the Cyber Safety Review Board to show how the private sector can work with government to unite against common enemies and elevate all of our cybersecurity. We must continue to accelerate this work.
People should live their lives free of fear. Whether it is fear for their physical safety or fear of having their information exploited. They should be free to build a business on a level playing field and free to express their opinions.
Critical to these things is ensuring cyberspace remains free and secure.
We have a choice.
We can work together to protect one another and embolden and enable nations and people around the world to live freely, invent, create, and share without fear of reprisal or fear for their safety.
Or we can go it alone, and leave the fate of our economies, our data, and our critical infrastructure in the hands of the lowest bidder. We can allow one government, one corporation, or one individual to unilaterally determine our standards and use private information to exercise control over people around the world.
For the benefit of people all over the world, we think the choice is clear.
Thank you. And thank you Singapore for hosting this important event.