Posted at 11:22 AM
Today, U.S. Secretary of Commerce Penny Pritzker delivered remarks to the Commission on Enhancing National Cybersecurity at its final meeting in Washington, D.C. President Obama has charged the Commission with developing and releasing a comprehensive set of recommendations to strengthen public and private sector cybersecurity by December 1st.
During her remarks, Secretary Pritzker outlined the challenges faced by cabinet secretaries working to secure their departments' networks, data, and digital assets with inadequate resources and personnel. She offered possible solutions for improving the recruitment of cybersecurity professionals, the procurement of new technologies, and the use of shared services.
Secretary Pritzker also underscored the need to build upon the progress of the NIST Cybersecurity Framework and create new forums for government and industry to work together, collaborate on solutions, and develop a true joint cybersecurity defense posture.
Remarks as Prepared for Delivery
Good morning. I am pleased to have the opportunity to address the Commission on Enhancing National Cybersecurity as you begin to finalize your recommendations.
Kiersten, thank you for that kind introduction, and for your outstanding dedication. Tom and Sam, thank you for going above and beyond in your roles as Chair and Vice Chair. Your leadership is appreciated by all of us engaged in this process. Finally, I want to convey the President's gratitude to everyone serving on this Commission, including the dedicated staff working behind the scenes on this ambitious undertaking. Your work is the centerpiece of President Obama’s Cybersecurity National Action Plan – and by sitting on the Commission, you are doing a profound service to our country.
Today, I want to discuss two issues: the cybersecurity challenges that I face as a Cabinet Secretary, and the partnership between government and industry necessary to secure the digital economy itself.
In today’s digital economy, every device, every service, and every operation is increasingly connected, networked, and online. Cybersecurity is therefore integral not only to the core mission of every enterprise across government and industry, but also to the basic functionality of our economy and our country.
As Secretary of Commerce, I am accountable to the President and the American people for the performance of my Department’s 12 bureaus. And essential to that performance is the security and resilience of our networks, data, and operations.
In other words, the Commerce Department cannot promote our economic interests abroad or protect our intellectual property or deliver accurate weather data to our communities – or meet our many other critical responsibilities – without strong cybersecurity. So consider me very wary of any vast centralization effort that dilutes our authority – as managers – to hold our teams accountable.
This Commission faces many questions. For instance, do we need a unified .GOV network, similar to .MIL? Should we use one provider for all our servers? Which is more urgent, moving Commerce’s 12 agencies and 47,000 employees to one email system, or doing so for all two million of our federal government workers? Keep in mind, the functional requirements for cybersecurity vary a great deal across federal agencies, whether it’s securing the Census Bureau’s vast data assets; meeting the FAA’s operational network needs; or protecting the integrity of the Justice Department’s criminal investigations.
Therefore, a fundamental question faced by this Commission is how to strike a balance between centralizing certain cybersecurity functions and standards while preserving the independent authority needed for Department leaders to fulfill our mission-critical responsibilities. As a manager, my ability to meet my cybersecurity commitments hinges on having the right people, resources, and technical support.
Let’s start with people. Since arriving at Commerce, I have faced a chronic shortage both in quantity and quality of cybersecurity personnel. Yet I do not have the authority, flexibility, or resources to do enough about it. Nationwide, employers face a shortfall of more than 200,000 cybersecurity professionals. However, the federal government’s challenges are compounded by a smaller talent pool, uncompetitive salaries, and a cumbersome hiring process.
As many of you know, Washington is not Silicon Valley. Hiring takes months, not minutes. In all honesty, I feel like Sisyphus here! I meet biweekly with my CIO and often find out that by the time we bring someone new on board, someone else has been lured away by private sector perks or poached by an agency that offers hiring bonuses or higher pay.
We are only as strong as the team we can assemble. To attract the best and brightest, I ask you to think big. You might consider recommending a centralized system to recruit, train, and place federal cybersecurity personnel. Whatever the structure, we need specialized pay scales to compete with the private sector, like those used for the financial industry. We must also end the musical chairs of cybersecurity workers among federal agencies. Maybe it’s time for contracts with preset time commitments or even private-sector-style non-compete agreements.
Finally, we need to rethink recruitment with bold ideas like debt forgiveness for graduates with certified programs; tuition-free community college in return for federal service; and cybersecurity apprenticeships within civilian agencies.
Without talent, we cannot keep the federal government secure. Yet defending our government against an ever-evolving landscape of cyber threats also demands sufficient resources. Too often, cybersecurity is viewed as an added expense that competes with other priorities instead of an indispensable condition for every priority.
Consider our need to modernize legacy technology. In the private sector, a corporate board can make long-term capital improvements a priority, and executives have the flexibility and the authority to meet those targets. In the federal government, the appropriations process hamstrings our ability to make the multi-year investments in software, technology, and other infrastructure that we know we need – assuming we even get the money in the first place.
Securing funds from Congress for specific programs is much easier than long-term improvements. As a result, we rely on loose change in our operational and maintenance budgets to patch outdated systems instead of making strategic decisions. Congress has proven, with the Department of Defense for instance, that it is capable of funding long-term capital investments. The problem is that cybersecurity for civilian agencies remains severely underfunded.
From the Executive Office of the President, through the Office of Budget and Management, to the halls of Congress, funding for cybersecurity must reflect its place as core to the mission of every Department. Agreement on this basic principle would mark a critical culture change in Washington.
We must make a universal commitment to empowering department leaders to meet our challenges in cyberspace. However, we must not mandate centralized, one-size-fits-all solutions for every agency. We welcome the availability of more centrally-developed services – especially when Cabinet Secretaries have the discretion to apply them in ways that meet the needs of their agencies. For example, DHS’s Continuous Diagnostics and Mitigation is a valuable tool for helping departments conduct real-time risk management. We see it as a service – not just a top down mandate – that empowers my peers and me to meet our core responsibility to secure our Departments’ networks and data.
When done right, shared services can reduce the burden on individual agencies without undermining our ability to fulfill our own missions. I know that my CIO would welcome, for instance, access to emergency-ready cybersecurity personnel in the event of a serious breach or intrusion.
Likewise, shared services for procurement could help IT teams more quickly access the latest private sector innovations. My CIO should be able to test bleeding-edge cybersecurity solutions without having to wait months for Commerce’s legal team to negotiate a single-use evaluation license. Perhaps the General Services Administration, in consultation with experts from NIST and other agencies, could provide CIOs from across the federal government with a sandbox environment to evaluate the latest software.
Whether it is rethinking recruitment or increasing funding, one thing is clear: we need the political will to secure our federal government’s vast digital assets. The world is undergoing a sea change of innovation – and our current approach is akin to plugging holes in a leaky boat. Meanwhile our cyber adversaries grow more sophisticated and opportunistic by the day.
This Commission’s challenge is not only to recommend solutions, but also to convey our urgent need for bold action. We must get government’s house in order for many reasons - not the least of which is having the credibility to address the broader challenge we face: securing our digital infrastructure and the economy at large.
Strengthening federal government cybersecurity is not alone sufficient to address the threats that we face as a society from hackers, terrorists, hostile nations, and other bad actors. The vast majority of our critical infrastructure, from our broadband networks to our power grids, is owned and operated by the private sector.
To secure our nation, we must enable teamwork between government and industry at every level: technical, tactical, operational and strategic. That requires universal cybersecurity standards and best practices that are understood and implemented by government and industry alike.
Commerce is a federal leader in this regard, having convened public and private sector stakeholders to create the NIST Cybersecurity Framework. The Framework is an adaptable risk management tool for businesses and organizations of every size, in every sector. The problem is that we still lack effective mechanisms for fostering meaningful government-industry cooperation across the full spectrum of cybersecurity issues. Only by working together can business and government reap the benefits of innovation and effective risk management.
As cars go driverless, as banking goes mobile, and as medical devices are connected, the cyber threats we face will only grow more widespread. Without action, we not only face the threat of large-scale cyber-attacks on critical infrastructure, but also risk the gradual erosion of public trust in the innovation so vital to our economic future.
We cannot afford to sit idly by while the digital economy suffers death by a thousand cuts. Now is the time to create new, game-changing mechanisms for industry and government to work together to bake security into innovation and develop a true “joint defense posture.”
Today, our cybersecurity posture is failing to keep pace with the incredible innovations of our time. The report delivered by this Commission will steer the next President’s agenda from day one and influence our country’s cybersecurity priorities for many years to come. Your recommendations will shape how our government, our businesses, and our people defend themselves from the threats of the 21st century.
I urge you to be bold in your recommendations. Be creative in your solutions. And most of all, be unrestrained by convention. Thank you.