April 28, 2010

Whitehouse: We Must Elevate the Profile of Cybersecurity to Reduce our Vulnerabilities

This speech was delivered at the 2010 Center for Democracy and Technology Annual Gala

Many thanks to Leslie Harris and the Center for Democracy and Technology for inviting me to speak tonight. I’m very, very proud to be with you. It is truly a privilege to join in CDT’s anniversary celebration.

It is sort of the tech prom, and it is quite a who’s who that is here. I will share with you one of the glories and blessings of serving in the United States Senate: you get to spend a lot of time on a lot of different issues surrounded by people who know more, are better informed, and are smarter than you, and you get to pick their brains and try to get the best solutions out of them. So it really is an honor to be here. I think statistically it is the highest concentration of tech people wearing ties.

It is remarkable how far we’ve come in fifteen years. Internet access in the United States has more than tripled and it is hard to think of a sector of the economy that isn’t dependent in some way on the internet. Through this period of incredible growth, CDT has been an unwavering champion of privacy and free expression. I commend CDT for its efforts and I hope that in the past and in the future you find me a helpful ally.

Of the many issues that I am interested in and involved with in the Senate, I care most about cyber security and health information technology. Tonight I want to talk briefly about cyber security. It’s no secret to anybody in this room, filled with distinguished IT experts and executives, that there is a dark side to our growing dependency on the internet. To be blunt, the United States is hemorrhaging intellectual property and national security secrets at an unprecedented, alarming rate.

This audience has undoubtedly heard some of the most disturbing stories and astonishing figures:

• Concerted and systematic state-sponsored efforts to steal America’s cutting edge technologies.

• The rise of criminal hacker communities devoted to perpetrating financial industry fraud, stealing consumers’ personal data, and transforming personal computers into botnet zombies.

• Trillions of dollars in intellectual property and related losses worldwide.

At a briefing that I got today, I heard that ten federal agencies that are currently being tracked are hit 180,000 times a month and that one corporation in America has lost 38 terabits of data exfiltrated out of its computers. Many of you work for companies that have been among the hardest hit and you understand the threat all too well and you know we are under relentless assault.

The problem is, the broader public is often unaware of the magnitude of the threat, and hence largely disengaged from our policy debates about how to address it. The heavy level of classification about some of the issues doesn’t help either. As a Senator, I’ve engaged in many issues. But there is no issue in which the public is more insulated from the real problems the country faces than this one.

That is not a good place to be in a democracy. This must change if we are going to reduce our vulnerabilities. We have to find ways to communicate to the public the relentless nature and broad extent of this threat. Factually, soberly, with real data. We have to get the American public engaged.

It is our collective challenge, as public and private sector leaders, to elevate the profile of cybersecurity in our national policy debates in such a way as to induce needed action.

That is one of the purposes of the Senate Intelligence Committee cybersecurity task force that I chair. I’m joined in this effort by Senator Snowe and Senator Mikulski. I want to commend before all of you the diligence and expertise that they bring to this effort. We wanted to put a couple of Senators together to do a deep dive, deeper than the whole committee could, and come back and report; their efforts have really been phenomenal.

On July 1, we will issue a report to the Intelligence Committee that outlines our findings and recommendations. That report will be based on extensive consultations across government, the private sector (we have spoken to many of you), and the NGO community, as well as on a thorough review of the unclassified and classified literatures.

Getting the public to care about cybersecurity, and to begin to understand the issues involved, is a major challenge that we must overcome, and when we talk about the public we should disaggregate whom we are talking about.

There’s “John Q. Public,” the private citizen, who cares primarily about the privacy of his or her personal communications with friends and family, and the integrity of online transactions with merchants, with financial institutions, and with other purveyors of consumer goods and services. For John Q. Public, cybersecurity is really about public safety: not getting mugged online, so to speak.

Then there’s “J. Q. Public Inc.,” the private company that relies on the internet for a variety of business purposes. Private companies tend to evaluate cybersecurity in terms of business risk, and see measures to mitigate that risk as a cost center.

People sometimes, of course, do personal business at work and vice versa, but the distinction between the two is an important one. Any public outreach campaign has to be tailored to very different constituencies.

For example, framing cybersecurity solely in terms of national security may not be the most effective way to engage John Q. Public. In doing so we risk perpetuating a mindset that assumes there’s nothing individuals can do about the threat. We need to help people realize that, just as the driver who fails to replace faulty car brakes puts himself and other drivers at risk, so do individuals who fail to update their operating system or antivirus software. Such software would have protected users from the Waledac botnet that Microsoft took down in late February.

To travel the web with equipment that is crawling with malware is just as irresponsible as driving an ineffective vehicle on the highway and people have to understand that.

The key to engaging the private business sector, by contrast, is to demonstrate how adopting better cybersecurity practices and technologies will improve bottom lines. If the federal government wants to forge real public-private partnerships with the private sector, as it should, then the government needs to make a business case for why the private sector should invest in such partnerships. Beyond that, there need to be discussions on what the background rules should be to protect against free riders and those companies that would game the system.

The Defense Industrial Base, I think, is an interesting model to look at for such partnership. But an important question behind this is: should the private sector be left at the mercy of government defense, or should we empower the private sector to better defend itself, in the way that Microsoft stepped up recently with its litigation action to shut down the Waledac botnet?

Of course, the federal government also needs to get its own house in order. I believe we’ve laid the foundation for some real progress, with Howard Schmidt’s appointment as Cybersecurity Coordinator and the nomination of General Alexander to serve as commander of U.S. Cyber Command.

But we have a long way to go; “.mil” is quite well protected, “.gov” is getting better, but the U.S. government remains a major target under constant and relentless attack.

We also need to continue to institutionalize privacy protection across the federal cybersecurity enterprise. From my place on the Senate Intelligence Committee, I can tell you that privacy is something that we on the Committee take extremely seriously.

Fortunately, I believe the current leadership of the Intelligence Community shares our commitment. NSA and DNI both have robust compliance offices, and the NSC has a designated civil liberties official.

But technology, as we all know, evolves quickly, and it is essential that our legal regimes and oversight mechanisms keep pace. We must continue to seek innovative ways to protect the American people from unwarranted and unnecessary intrusions into their private lives. Defense Secretary Gates has suggested dual-hatting a senior official in DHS and NSA with responsibility for protecting civil liberties across the government’s cybersecurity efforts. Among others, it is an idea worth exploring.

To conclude, we need to do better as a nation on cybersecurity. I’m confident that we can do better, but we are still working on defining the questions, let alone the answers. And the technological features we’re trying to address in our policy matrix are constantly and rapidly evolving. So it will take leadership and vision from all sectors and a commitment to swift action to get what we need to get done, done. I think we will get there; in many ways I think we will get there because I know we cannot afford not to.