Commerce.gov is getting a facelift soon. See the new design.

Remarks at Cybersecurity and Innovation in the Information Economy

Printer-friendly version

AS PREPARED FOR DELIVERY

Tuesday, July 27, 2010

CONTACT OFFICE OF PUBLIC AFFAIRS

202-482-4883

Commerce Secretary Gary Locke
Remarks at Cybersecurity and Innovation in the Information Economy

I want to begin by thanking you all for your attendance and participation in this very significant event. 

Especially Senator Barbara Mikulski, who is here with us today. 

As Chairwoman of the powerful Senate Commerce, Justice, Science Appropriations Subcommittee, Senator Mikulski has used her influence to increase cyber security awareness among the American public; and to lead the charge on Capitol Hill to develop policies that keeps our Internet safe and secure in the 21st century. 

In fact, Senator Mikulski is responsible for including funding in the 2011 appropriations bill for a new $10 million Cyber Center of Excellence at Commerce’s National Institute of Standards and Technology. 

I’ll let the Senator provide details on this in a few minutes – but suffice to say that this is just one of many cyber security initiatives where Barbara Mikulski is out front. 

It was almost one year ago when President Obama challenged the U.S. government to collaborate even more closely with the private sector to meet the evolving challenges of cyber security.

This morning’s event is symbolic of this improved public-private sector cooperation.

Today’s symposium is hosted by the Department of Commerce Internet Policy Task Force, which is made up of senior staff from across different parts of the Department including experts in intellectual property, trade, Internet communications, and standards.

The task force is working on developing cyber security policy, as well as policy recommendations on other critical Internet issues like privacy, copyright protection, and international e-commerce.

With all of these issues, the input of the private sector and other stakeholders is absolutely indispensable.  The Internet Policy Task Force needs your help to:

  • provide a policy framework for innovation; and
  • to help set the standards and rules of the road that will enable us to strengthen the connective tissue of the Internet.

Everyone in this room understands the economic and national security implications of cyber security.

You know that the Internet -- which analysts say is responsible for $10 trillion in annual online transactions – is a cornerstone of the global economy.

But ultimately, the importance of cyber security can be summed up in one word: Confidence.

That's what underpins everything we do on the Internet. 

  • Consumers need confidence that their identity and their personal information will be secure online;
  • Businesses need confidence that their intellectual property won’t be stolen; and
  • Government agencies and our military need confidence that our trade, technology and military secrets are safe from our adversaries.

And let’s be blunt -- because the Internet was initially designed for convenience and reliability, instead of with security as a top priority, we are fighting an uphill battle.

That was made abundantly clear in Symantec’s recently published its 15th Internet Security Threat Report.  It had three major conclusions:   

  • First, malicious activity is increasingly flowing out of countries where broadband and information technology penetration is growing the fastest.
  • Second, so-called “advanced persistent threats” focused on large enterprises are becoming more common as thieves seek customer data, financial information and intellectual property assets. 
  • And third, mass-market attacks – those that small businesses and consumers usually fall prey to – continue to evolve in their sophistication.  This underscores the reality that wherever we encounter a computer attached to the Internet, we will always have to be aware of cyber threats.

These rising threats demand an aggressive response – but they also demand flexibility because there is simply no one-sized-fits-all approach for dealing with cyber security threats.

For an organization like the Department of Homeland Security, or the Defense Department, the primary focus of cyber security might be more straightforward: keeping top secret information in, and keeping the bad guys out.

But for businesses, and other organizations that rely on a free flow of information to grease the wheels of commerce, a more tailored approach to cyber security might be necessary.  The level of investment needs to be calibrated to the risk.

I am proud to say that the Commerce Department -- working closely with our colleagues throughout the administration and in the private sector -- is making significant progress in making it easier for commercial entities to be cyber secure. 

In the next few minutes, I’d like to talk about how the Commerce Department, and in particular our National Telecommunications and Information Administration (or NTIA) and our National Institute of Standards and Technology (or NIST) have been working to improve America’s cybersecurity.

And I’d like to suggest some avenues for discussion for today’s symposium.

One of the Commerce Department’s most important accomplishments went into effect a few weeks ago when D-N-S-SEC was fully deployed at the root of the Domain Name System.

This action essentially gave a “tamper proof seal” to the address book of the Internet, and applied to “.com” domains, as well as “.us,” “.edu,” and “.gov.”

The Commerce Department is also continuing to play a central role in a variety of other cyber security initiatives.

Working with the National Security Agency, we are helping to standardize cyber security controls across national security systems and the rest of the Executive Branch.  

We are also helping the Department of Defense better manage cyber security risks stemming from an insecure global supply chain.  We’ve been working with experts in industry and across government to standardize both government and commercial supply chain best practices.

And then there is the work we are doing in conjunction with the NSA and the Internet Security Alliance to create the first-ever checklist of vulnerabilities for smart phones – which will have a large impact on helping create more robust devices at the outset of the product design process. 

As the Commerce Department takes all these concrete steps to improve our cyber security, NIST is also coordinating a nationwide informational campaign called the National Initiative for Cybersecurity Education.

Ultimately, effective cyber security is dependent on the vigilance of civil servants, of our military personnel, of citizens and of businesses.  Everyone needs to understand how central cyber security is to the safety, security and prosperity of America.

This initiative will consist of four tracks of work:

  • A national public awareness campaign that is being led by the Department of Homeland Security
  • Formal cybersecurity education being led by the Department of Education;
  • National workforce training being led by the Department of Defense; and
  • Federal workforce development being led by the Office of Personnel and Management.

In every case, these Commerce initiatives have relied on feedback from stakeholders like all of you.  Today, as we discuss government-wide policy recommendations on cyber security, we will need the same level of engagement.  For example:

  • What are the marketplace incentives and disincentives for better cyber security practices?  Shopkeepers know to lock up their store and to secure valuables in the safe before they head home for the night.  Why aren’t they regularly locking up and safeguarding their digital assets?
  • By Presidential directive, the Department of Homeland Security has responsibility for coordinating cyber security initiatives with those who operate critical infrastructure and those who provide other key resources.  For the rest of the private sector, what are the most effective ways to share best practices? 
  • How can policymakers prevent balkanization of the global legal framework? 
  • Finally, it’s often said that you cannot manage a problem unless you can measure it.  How can the government’s data gathering capability be put to better use in this space?

We are eagerly awaiting your answer to these questions – and I’d like to announce today that we are also casting a much wider net for input.

Tomorrow, the department’s Internet Policy Task Force is releasing a formal notice of inquiry that will solicit viewpoints from stakeholders throughout the country on how we can both preserve innovation in the Internet economy and ensure security and confidence in the system.

There is of course an endless array of issues that people will have ideas about, and we welcome them. 

But above all, what we need most in the cyber security arena is a commitment to “pull together” – to define roles and responsibilities more clearly – and to deliver on those responsibilities.

I know that the Commerce Department team is looking forward to the rest of today, particularly the remarks of our next speaker. 

It is my pleasure to introduce the senior Senator from Maryland, Barbara Mikulski.