Posted at 9:40 AM
Today, U.S. Secretary of Commerce Penny Pritzker delivered a keynote address to executives, technology industry leaders, and high-ranking government and national security officials at the U.S. Chamber of Commerce’s fifth-annual Cybersecurity Summit in Washington, DC.
During her remarks, Secretary Pritzker argued for fundamentally changing the value proposition for businesses to engage with federal agencies on cyber threats, pointing to the risk of punitive action as a deterrent for the dynamic, continuous collaboration between industry and government necessary to secure the digital economy. Secretary Pritzker called for federal agencies and businesses to fully embrace a common language for cyber risk management, highlighted the need for new legal structures to support greater public-private sector cooperation, and urged industry and government to work together to design and deploy technical solutions for emerging threats in cyberspace.
Remarks as Prepared for Delivery
Governor Ridge, thank you for that kind introduction. I am pleased to join you all this morning for the Chamber of Commerce’s fifth annual Cybersecurity Summit.
I also want to congratulate Ann Beauchesne on this impressive conference. The presence today of so many business leaders and high-ranking officials is a testament to your leadership.
At the Department of Commerce, our commitment to cybersecurity is driven by a conviction that secure, reliable access to the Internet – the greatest platform for innovation ever known – is essential to America’s economic future.
Just a decade ago, a tweet was a sound a bird made. A mobile deposit meant driving up to the bank teller’s window. And the only thing stored in the cloud was condensed water. Today, social media is part of every company’s marketing plan. New industries like FinTech are transforming financial services. And the data we share across borders is redefining international trade.
A start-up in Austin can now win investors in London, hire developers in Singapore, and use cloud servers in Utah to reach clients around the world. As we speak, new innovations are taking shape: virtual reality, the digitization of manufacturing, the Internet of Things – each promising new opportunities for economic growth, competitiveness, and prosperity.
Yet as technology evolves, so do the threats we face from hackers, terrorists, and hostile nations who seek to exploit weaknesses in our digital infrastructure. We all know that government alone cannot secure our digital economy. The vast majority of our infrastructure - our networks, our power grids, our financial system - is owned and operated by the private sector.
When Iran launched denial-of-service attacks on our banks, they targeted private institutions. When North Korea hacked Sony Pictures, they inflicted millions of dollars in damages on a major corporation. And we may not yet know who attacked Yahoo – but we do know that 500 million people were affected, it took two years to identify the breach, and troves of personal data were stolen.
Even though the Internet is now ubiquitous in our lives, cyber remains the only domain where we ask private companies to defend themselves against Russia, China, Iran, and other nation states.
Does that sound as crazy to you as it does to me? Threats of this scale not only undermine individual companies but threaten our entire country.
Government has a solemn obligation to protect our people against systemic threats to our national and economic security. The problem is that cyberattacks cannot be handled exclusively by our government’s law enforcement, military, or intelligence services.
Nor are federal regulations able to keep pace with ever-evolving cyber threats. Think about how our regulatory process works. Through lawmaking and rule-making, Congress and our federal agencies enact solutions for our nation’s challenges. Companies then react with compliance. As a result, the air we breathe, the food we eat, and the products we buy are safer.
But laws and regulations alone cannot save us from emerging cyber threats. Whether they are hackers or hostile nations, criminal rings or terrorists, our cyber adversaries constantly deploy new and evolving methods to exploit vulnerabilities and inflict harm on our country.
Mobile security is a perfect example of this dynamic challenge. Smart phones are now the place we store our most sensitive personal data, from credit card numbers to health records to passwords. Just weeks ago, the Pegasus attack represented an unprecedented intrusion into Apple’s iOS platform. No static checklist, no agency rule, no reactive regulation is capable of thwarting a threat we cannot foresee.
Put simply: the federal government cannot regulate cyber risk out of existence. What we can do is work with you – business leaders, technical experts, and cybersecurity professionals – to better manage cyber risk.
At Commerce, we believe cybersecurity requires a new, proactive, collaborative approach between government and industry – one not reliant on static requirements but on vigilant, continuous cyber risk management.
What we need, as experts at conferences like this one often say, is a “joint-defense posture” with real “public-private partnerships.” I have told my staff those are nice words, but how do we actually turn them into action and reliable protection?
We need government and industry to speak the same language of cyber risk, because we cannot work together without understanding each other. We need new laws to facilitate continuous, candid collaboration between industries and agencies – outside of the enforcement space. And we need to work together to counter threats and deploy technical solutions that bake security into innovation.
Many of the companies here today worked with the National Institute for Standards and Technology, or NIST, on the Cybersecurity Framework. The Framework is a common language for risk management created by industry, for industry. And it’s widely accepted as the primary tool for businesses to evaluate their cybersecurity posture.
We even see industry encouraging government to use the Framework. And last month, the FTC did. Using the Framework’s lexicon – “Identify, Protect, Detect, Respond, and Recover,” – the FTC detailed over 60 enforcement actions for data breaches in a way that CIOs and CEOs can easily plug-in to their own operations and use to improve their cybersecurity.
Yet, even as companies and agencies begin speaking the same language of cyber risk, we are not yet having truly candid, actionable conversations because we lack the legal support structure necessary for doing so. Certainly, the Cybersecurity Information Sharing Act is enabling us to share malware signatures and other digital diagnostics. But we still need more strategic, real-world cooperation between government and industry.
The problem is that relationships between regulators and the businesses they regulate are inherently adversarial – NOT collaborative. Pick any cyber breach – Target, Sony, Yahoo. When under attack, these companies do not think about how government can help them. What they see are the downsides of engagement – potential liability, the risk of punitive action, and the investigations that may result from even basic interactions – like reporting an intrusion to the FBI.
And as someone who spent 27 years building businesses, I get it. We cannot blame executives for worrying that what starts today as an honest conversation about a cyberattack could end tomorrow in a “punish the victim” regulatory enforcement action.
When companies under attack by hostile nations fear coming to their government for help, something is wrong! We must change the value proposition for businesses to engage with government – before, during, and after cyberattacks.
Recently, FCC’s private sector advisory committee put forward recommendations for applying the Cybersecurity Framework across the communications sector. During that process, an innovative idea surfaced – the option for companies to voluntarily engage with regulators in a setting based on partnership, not punitive enforcement.
To encourage constant collaboration on current and emerging cyber threats, businesses might come under what you might call a “reverse Miranda” protection. In other words: nothing you say in this setting will be used against you. Don’t get me wrong, we must protect consumers and hold industry to high standards. But we also need a real team effort.
Think about what happens if you are seriously injured and in need of urgent medical care. You call 911. You do not worry about the risks. You know that emergency personnel will come to your aid. And everyone involved – from the first responders to the ER nurses and doctors to the rehabilitation staff – plays a specific role and shares a common mission: the patient’s recovery and well-being.
That is the type of public-private, well-coordinated team effort we need to defend our country against major cyber-attacks.
We know that when industry and government proactively come together to solve problems, everyone benefits.
That close cooperation is the Commerce Department’s guiding principle for cybersecurity. You see that principle in action at our National Cybersecurity Center of Excellence, led by NIST. The Center brings industry, government, and academic experts together to deploy technical solutions for current and emerging cybersecurity threats, from securing network-connected IVs in our hospitals to increasing the use of multi-factor authentication in retail.
And at the National Telecommunications and Information Administration, we are engaging stakeholders in fast-growing sectors like the “Internet of Things” to ensure that the cars, home security systems, baby monitors, and devices of the future are born secure.
Make no mistake – we want the private sector to drive the pace of innovation. But businesses must recognize the need for standards and best practices to ensure strong security. Just look at the warm reception from industry last week when the National Highway and Traffic Safety Administration proposed standards for autonomous vehicles.
The digital economy relies on trust: trust between consumers and businesses, and trust between businesses and government. Back in May, the NTIA released results from a survey of 41,000 households across America. Nearly 45 percent said that security and privacy concerns have discouraged them going online to conduct financial transactions, buy goods and services on the web, or even express their views on social media. These results remind us that email leaks, cyber threats, security concerns, and other violations of privacy have a chilling effect on public attitudes towards new technology.
Trust is the lynchpin of the digital economy. Failure to cultivate that trust will not only leave us vulnerable to attacks on critical infrastructure, but risk slowing the pace of American innovation. And we all know that innovation is essential to the success of our economy.
Now is the time for agencies, companies, and legislators to work together to secure our digital world. As medical devices are connected to networks, as driverless cars appear on our streets, as online technologies permeate more and more of our everyday lives, our cyber adversaries will only grow more opportunistic – and our need to work together will only grow more urgent.
Together, we must reject the notion that security and innovation are opposing forces. Together, government and industry must ensure that trust remains the lynchpin of the digital economy, and that the extraordinary opportunities made possible by the Internet continue to outweigh the risks. Thank you.