Remarks by APHSCT Lisa O. Monaco at the International Conference on Cyber Security
Remarks by Lisa O. Monaco
As Prepared for Delivery
International Conference on Cyber Security
Fordham University at Lincoln Center, New York
Tuesday, July 26, 2016
Since his first day in office, President Obama has recognized the great promise and peril of our 21st-century, interconnected world. That’s why, immediately after taking office, he ordered a top-to-bottom review of our approach to cybersecurity—to identify how best to safeguard our security and prosperity. As he said then, “It’s clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.” It was also clear, even as we made addressing these threats a top priority, that we would have to continually evolve our response to this rapidly-changing threat.
After all, technology has changed dramatically over the past seven and a half years. Back then, iPhones had just hit the market. Bitcoin? Instagram? Just an idea. Twitter? A mere 2 ½ million tweets a day. Yesterday, there were more than 500 million tweets alone. I would also venture to guess that several of the companies represented here today didn’t exist.
The threat landscape was different, too. While the scale and sophistication of cyber threats was not what it is today, hackers, criminals, terrorists and spies were penetrating networks and stealing data—from intellectual property to classified information. Adversaries were adapting faster than governments or industry could deploy ways to stop them.
Fast-forward to today. The rate of cyber intrusions and attacks has accelerated dramatically. Since 2009 we’ve seen the number of annual incident reports received by DHS more than double. Our adversaries’ methods have evolved as well—from e-mail attachments and simple viruses to phishing scams that can deliver malware or steal users’ personal information. As critical infrastructure from the healthcare system to the financial sector becomes increasingly networked, and as the so-called Internet of Things integrates technology further into the tools of our everyday lives, the damage these attacks can inflict is far greater. We’ve seen a barrage of denial of service attacks, in which attackers bombard systems like bank servers until they slow or shut down operations. We’ve witnessed destructive cyber attacks on corporations from Saudi Aramco to Sony Pictures. We’ve seen the rise of ransomware—and hospitals’ lifesaving functions held hostage. And among our greatest concerns is the prospect of malicious actors manipulating the integrity of data, and the probing of systems that control our infrastructure—a dam or an electrical grid—either to cause destruction or as leverage.
Meanwhile, when it comes to cyber actors, the global landscape is increasingly diverse and dangerous. Nations like Russia and China are growing more assertive and sophisticated in their cyber operations. Iran has launched denial of service attacks on American banks—and North Korea has demonstrated it will conduct destructive attacks—against other nations and companies alike. Finally, non-state actors—from criminals to “hacktivists” to ISIL—are discovering how easily they can use cyberspace to pursue their goals. To put it bluntly, we are in the midst of a revolution of the cyber threat—one that is growing more persistent, more diverse, more frequent and more dangerous every day. Unless we act together—government, industry, and citizens—we risk a world where malicious cyber activity could threaten our security and prosperity. That is not a future we should accept.
Against this backdrop, it’s easy to imagine a future where people feel like they must choose between powering down their computers and foregoing the benefits of a wired world or subjecting themselves to intolerable levels of risk. It’s easy to think that we must choose between being a Luddite or a sitting duck. But that’s a false choice. For all of the challenges posed by the cyber threat, our experience in responding to other threats—from natural disasters to terrorism—has given us lessons and experiences to draw on, effective models to apply, and hazards to avoid. And this is exactly the approach we’re taking to address cyber threats today while preparing for the challenges we’ll confront tomorrow.
So today, reflecting on more than seven years of steady progress on addressing the cybersecurity challenge, I want to outline our approach to strengthening our cybersecurity and discuss new steps the President has taken to enhance our response to cyber incidents and attacks.
This approach is embodied in the Cybersecurity National Action Plan, or CNAP, which was released in February. The CNAP guides the actions we’re taking now and puts in place a long-term cybersecurity strategy—both within the federal government and across the country. And it’s intended to serve as a roadmap not only for this Administration, but for how future presidents—and the country as a whole—can tackle our cyber challenges for years to come.
Specifically, it directs the federal government to increase cybersecurity awareness, give Americans the tools to control their digital lives, and make wise cyber investments for the future. This includes everything from expanding the government’s use of secure payment cards and launching a new website for victims of identity theft to investing in innovative IT systems and hiring more cybersecurity experts. This plan focuses on the future and on our ability to deal with rapidly-evolving threats. That’s why, among other actions, it directs federal agencies to assess their most vulnerable assets and wean themselves off of outdated legacy systems—systems that are not only slow and inefficient but impossible to secure. It’s also why our plan established a bipartisan commission of leading thinkers from business, technology, and academia to recommend ways we can strengthen cybersecurity over the long-term.
The CNAP—and our cybersecurity approach more broadly—can be boiled down into three key prongs—what I call the “cyber triad”: raising our cyber defenses, countering malicious cyber actors, and improving our responses to cyber incidents. We can only overcome this threat by pooling our collective knowledge and resources and working together. That’s why we’ve been working with Congress, the public, industry, academia, and international partners to put this approach into action.
The first leg of the triad involves improving our network defenses—both public and private. This does not just mean using better firewalls or the latest defensive technology. It means changing how we manage cyber risk as a nation.
For instance, we worked closely with industry to develop best practices and raise our cybersecurity standards. We worked with the financial industry to adopt “chip & PIN” technology for credit cards—so that your transactions are secure, from taxis to your local supermarket. And last December, we worked with Congress to pass the bipartisan Cybersecurity Act of 2015, which encourages companies to share threat information with each other and the government while offering liability protections for those who do.
These are just some of the actions—along with the ones we’re pursuing through the CNAP—that we’ve taken to raise our cyber defenses. But defense alone is not enough. That’s why the second leg of the triad focuses on deterring and disrupting malicious actors.
To do so, we’re harnessing all elements of national power, just as we do in dealing with other threats, like terrorism. No tool is off the table. We are using diplomacy to urge the international adoption of voluntary norms of responsible cyber behavior. Where we can reach common understandings to reduce malicious cyber activity—as we did with China last fall—we will do so. But we will also carefully monitor compliance with these arrangements. As we do, we will continue to use law enforcement tools, as the Department of Justice has done in charging members of the Chinese military involved in hacking American companies. We will use the power of sanctions, as we did against North Korea after its destructive attack against Sony Pictures. And we will conduct cyber operations on the battlefield to disrupt ISIL’s communications and organization.
Our tools now include an executive order authorizing sanctions against those that engage in significant malicious cyber activities, such as harming our nation’s critical infrastructure—our transportation systems or power grid. We will use this authority in a targeted manner against the most significant cyber threats we face—when the conditions are right and when action will further U.S. policy. The President has made it clear that we will take action to protect our interests in cyberspace and we will do so at the time and place of our choosing.
Law enforcement continues to play a key role in these efforts. Here, the counterterrorism model is instructive. As many of you know, I have worn multiple hats in the government—at the FBI, the Department of Justice, and now at the White House. When I was the Assistant Attorney General for National Security at the Department of Justice, we drew both on the Joint Terrorism Task Force model and the “CHIP” network of Computer Hacking and Intellectual Property prosecutors to create a National Security Cyber Specialists’ Network. This network brought together experts to serve as a one-stop shop for the private sector, prosecutors, and agents around the country dealing with cyber intrusions by terrorists and nation-state actors.
Increasingly, cyber is also part of our counterterrorism efforts—for instance, our campaign to degrade and to destroy ISIL. Cyber tools are now an integral part of the capabilities that can be employed against an adversary during a conflict—that includes a 6,200-member Cyber Mission Force that U.S. Cyber Command is currently building.
When it comes to identifying and disrupting threats, we’re drawing on valuable lessons from our counterterrorism playbook. For example, as with terrorist threats before 9/11, until last year there was no single place in government responsible for integrating intelligence about cyber threats. To fill this gap, we established the Cyber Threat Intelligence Integration Center, or CTIIC, under the Director of National Intelligence. Today, CTIIC provides a common picture of cyber threat activity to policymakers and operators, and helps ensure that our government cyber centers, law enforcement, and network defenders have the information they need. I visited CTIIC last week, and it has more than filled the gap. From its threat summaries to more in-depth assessments, CTIIC has become the place that senior policymakers turn to for threat analysis. CTIIC will also benefit the private sector by helping to declassify threat reporting so that agencies like DHS can share it with industry. So going forward, CTIIC’s success will be vital to our nation’s cybersecurity mission.
In all these efforts, the framework we apply when considering the use of cyber operations is quite similar to how we approach other operations in the physical world. Any actions we take must be consistent with our values, and after we assess the potential for collateral damage, and consider other potential options. We consider the likely reaction of the target, our allies, and other countries who may be affected, and we consider whether the effects of a cyber operation could lead to escalation and greater conflict. Moreover, the United States has been clear that established principles of international law do apply in cyberspace and that nations conducting cyber activities must take into account the sovereignty of other nations.
In cyberspace, our actions are also guided by a set of voluntary peacetime norms that the United States has worked to promote internationally over the past two years. These include the idea that countries should not intentionally damage or otherwise impair critical infrastructure; they should not use their cyber capabilities to steal intellectual property, including trade secrets to provide a competitive advantage to their companies; and they should not prevent national computer response teams—the cyber equivalent of first responders—from responding to cyber incidents. We will continue to press our partners and allies to adopt these norms and to encourage their broad acceptance around the world. Since last fall, leaders from nearly 30 countries have affirmed these norms.
So this is the framework we apply to cyber operations—consistent with our values, guided by norms, and using the same analysis that guides our military, intelligence, law enforcement, or operations elsewhere—in air, land, sea, or space.
But even as we strengthen our defenses and go after malicious actors, the threat is not going away—we will continue to face serious incidents. Indeed, from California to New York, and from Washington, D.C. to Kiev, from the cyber attack on Sony to the incident at OPM to the assault on the Ukrainian power grid last December—we are living this reality. We’ve seen it in this city, as New York’s financial sector has repeatedly come under assault. No one is immune. This means that all of us—government, industry and citizens—have to be ready to respond. Because the faster we can respond, the faster we can recover. The faster business and consumers can get back online.
Through war and economic turmoil, through natural disasters and terrorist attacks, the resilience and unbending resolve of the American people has always been one of our nation’s greatest strengths. Our response in cyberspace should be no different. By applying lessons learned from past responses, we have already begun to improve how we handle cyber incidents. But we know there is more work to do.
So today, I’m pleased to announce that President Obama has issued a new directive laying out how the federal government responds to significant cyber incidents. This directive establishes a clear framework to coordinate the government’s response to such incidents. It spells out which federal agencies are responsible. And it will help answer a question heard too often from corporations and citizens alike—“In the wake of an attack, who do I call for help?”
This policy sets forth principles to guide the federal government’s response to cyber incidents. It states that we have a shared responsibility in guarding against cyber attacks and managing incidents. It says that the scale of our response will be based on an assessment of the risks posed by a cyber incident—for instance, what is the impact? How might it affect our national security or economy? Does it threaten the life or liberties of the American people? It also says that the government will appropriately safeguard the privacy, civil liberties, and information of those affected. It commits to unifying the government’s response across agencies. And it emphasizes that our response will be focused on helping victims of cyber incidents recover quickly.
The directive outlines a range of actions that we will pursue along three lines of effort:
First, as in terrorism cases—and because it is not always clear at the outset of a cyber incident if the actor is a nation state or a criminal—the FBI will take the lead in coordinating the response to the immediate threat. This includes bringing the full range of law enforcement and national security investigative tools to bear—from collecting evidence and gathering intelligence to attributing attacks and bringing malicious cyber actors to justice.
Second, the Department of Homeland Security will take the lead when it comes to coordinating help for organizations dealing with the impact of a cyber attack or intrusion and preventing the attack from spreading elsewhere. We call this asset response. For businesses recovering from a significant cyber incident, DHS will provide technical assistance to help them find the adversary on their network, protect their assets, bring systems back online, shore up vulnerabilities, and supply additional federal resources to aid recovery.
Third, because having a clear picture of the threat is the first step in combating it, the Office of the Director of National Intelligence, through CTIIC, will be responsible for integrating intelligence and analysis about the threat and identifying opportunities to mitigate and disrupt it.
Our new policy also acknowledges that when businesses and federal agencies are the victim of a significant cyber incident, one of the most important considerations is likely to be restoring operations and getting back online. Our policy makes clear that we will coordinate with the victim to minimize any interference between their incident response and our own.
We will apply this approach to significant cyber incidents—those events that are likely to affect our national interests, public confidence, public health or safety—events that result in damage to systems, corruption or destruction of data, or where key systems are taken down. We are also releasing the criteria we use for classifying the severity of an incident. Because no one is immune, this policy applies to the federal government itself, when it is the victim of a cyber incident. Finally, this policy directs agencies to integrate their cyber response activities with responses to events like natural disasters.
We’re not going to wait for the next attack to hone these new procedures and capabilities. Over the next few months, agencies will be incorporating the new guidance into exercises like Cyber Guard and Cyber Storm—the nation’s largest cyber exercises. These will be done in partnership with a wide array of industry organizations and agencies like the Departments of Energy and Treasury. And next week we will bring together industry and government experts to lay out this new policy and get vital industry feedback on how best to implement it.
In closing, I think it’s important to remember that the technology we’ve been discussing is an incredible tool. But our wired world also presents a great paradox. The same tools that connect us can deliver destruction. Now, I grew up in Boston, which has become an amazing hub of innovation. And I’ve spent time with some of the best minds and cutting-edge companies in Silicon Valley. Our task, going forward, is to ensure that our innovation and interconnectedness remains a source of strategic advantage and not a strategic vulnerability.
I believe we can do this. Humans invented cyberspace and we can manage the challenges it generates. Over the past seven and a half years, we’ve made tremendous progress. The framework and actions we’re putting in place today are another strong step forward. And with the help of people like those of you in this room, I’m confident that we’ll continue to enhance our security and prosperity in the years ahead. Thank you.