Posted at 10:32 AM
U.S. Secretary of Commerce Penny Pritzker delivered a keynote address to USTelecom’s eighth National Cybersecurity Policy Forum on a report issued this past Friday by the Commission on Enhancing National Cybersecurity. Secretary Pritzker’s remarks highlighted key elements of the Commission’s recommendations, which provide industry leaders, federal lawmakers, and the incoming Administration with a blueprint for securing our economy in the digital age.
President Obama charged the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) with providing staff and logistical support to the 12-member Commission, comprised of public and private sector experts appointed by the Administration and bipartisan leaders in Congress. A core component of the Obama Administration’s Cybersecurity National Action Plan, the Commission’s recommendations contain short and long-term strategies to strengthen our cybersecurity posture across industry and throughout every level of government.
Remarks as Prepared for Delivery
Thank you for that kind introduction, Walt. It’s a pleasure to be here. I would also like to thank Robert Mayer and the many industry leaders here today who developed last year’s recommendations to the FCC on cyber risk management. Your continued engagement is vital. Your companies sit at the forefront of our cyber threat landscape. And this forum could not be more timely.
Earlier this year the President established the Commission on Enhancing National Cybersecurity, comprised of 12 public and private sector experts appointed by the Administration and bipartisan leaders in Congress. The Commission was charged with developing short and long-term recommendations to strengthen our national cybersecurity posture. Last Friday, their Report on Securing and Growing the Digital Economy was delivered to the President.
Recent events have made clear how urgently we need a comprehensive, well-coordinated, and collaborative cybersecurity strategy. In 2016 alone, we witnessed ransomware infect at least a dozen hospitals nationwide, a denial-of-service attack disrupt Twitter and other sites using malicious code installed on household devices, and email hacks influence our elections in unprecedented ways.
These incidents indicate we have arrived at a moment of reckoning. Innovation and technology adoption are outpacing our ability to ensure security – and will continue to do so if we fail to take action. The Cybersecurity Commission’s report provides our country with a blueprint of steps that must be taken – by our government, by our businesses, and by our citizens – to address this cybersecurity crisis.
The Commission’s recommendations are the culmination of months of consultation with stakeholders across business, academia, government, and civil society. They reflect principles that transcend partisan divides, different Administrations, new Congresses, and changing political and economic cycles.
And I am proud that this report embraces priorities that my team and I have championed throughout my tenure at the Department of Commerce, such as enhancing security without stifling innovation, protecting a free and open Internet, and enabling greater public-private sector cooperation.
We have worked to give industry a voice throughout this process, because our cyber policies impact not only our national security but also the ability of our businesses to compete and drive innovation in the 21st century global economy.
Today I want to discuss three of the strategic imperatives outlined by this Commission that are vital to securing our digital future.
First, creating new structures to enable industry collaboration with government – before, during, and after cyber-attacks.
Second, launching an aggressive national cybersecurity workforce initiative to meet the needs of employers across government and industry.
And third, baking security into the Internet of Things and other emerging technologies through greater technical collaboration and investments in basic research.
Recognizing that neither government nor industry alone can secure our nation’s vast digital infrastructure, the Commission recommends that we create new mechanisms for collaboration. That begins with getting companies and agencies to speak the same language of cyber risk.
In today’s highly-dynamic threat environment, traditional checklist compliance alone cannot defend us against ever-evolving threats. Consider the Pegasus attack that compromised iPhone users’ credit card numbers, passwords, and other sensitive data earlier this year. No static checklist could have prevented such an intrusion. That is why companies and agencies must move beyond traditional compliance and towards continuous, vigilant cyber-risk management.
Many of your companies were among the more than 3,000 stakeholders convened by NIST to develop the Cybersecurity Framework, a common language for cyber risk management increasingly embraced by companies across America and around the world.
The Commission highlights the Framework as one of the Obama Administration’s signature achievements on cybersecurity. And they outline several ways we can work together to expand its adoption and enhance its utility, including by developing sector-specific best practices and reliable metrics, helping small businesses with affordable implementation, and aligning regulations with the Framework’s principles.
With the Framework, agencies and companies are increasingly speaking the same language of cyber risk. But we still need to remove structural impediments in the way of truly candid collaboration around current and emerging cyber threats.
The problem is that today, relationships between regulators and the businesses they regulate are inherently adversarial – not collaborative. And as someone who spent 27 years building businesses, I get it. We cannot blame executives for worrying that what starts today as an honest conversation about a cyber-threat could end tomorrow in a “punish the victim” enforcement action.
Many of the industry leaders here today have been thought leaders on this issue. The Commission’s recommendations closely mirror your proposal that the FCC allow companies to voluntarily discuss cyber risk with officials under what I call a “reverse Miranda” protection. In other words: nothing you say in this setting will be used against you.
While existing statutes would likely allow for this candid, protected collaboration for regulated critical infrastructure companies, the Commission also recognizes that Congress may need to pass laws that extend to businesses throughout the digital ecosystem.
Don’t get me wrong: we must hold industry to high standards. However, enabling greater cooperation and protecting consumers are not mutually exclusive. Enhancing collaboration between government and industry is not an option – it is a necessity. And we need this teamwork at the most senior levels. That is why the Commission recommends the President establish a new National Cybersecurity Public-Private Program, or NCP-3.
This joint government-industry board would be charged with delineating clear lines of responsibility for protecting critical infrastructure, and organizing operational exercises and training to effectively defend, respond and recover from major threats.
Of course, in both government and in business, we are only as strong as the teams we can assemble. We need a workforce prepared to protect the digital assets of companies and institutions across every sector. At Commerce, our National Initiative for Cybersecurity Education has funded the first-ever grants for community-based cybersecurity training.
But with more than 200,000 openings in cybersecurity nationwide, we must rapidly attract more Americans into this field. That is why the Commission calls for a national talent surge to meet the needs of employers across government and industry. This ambitious effort would include tuition assistance, apprenticeships, and new STEM partnerships between colleges and employers. They also recognize the unique obstacles federal agencies face when it comes to recruiting and retaining top talent – and recommend establishing a Presidential Cybersecurity Fellows Program to attract talented graduates and seasoned professionals into public service.
As we equip more workers with the right skills, the Commission also emphasizes that we must bake security into innovative new technologies through greater collaboration and bold new investments in basic research. This is especially vital for the long-term success of products in emerging sectors, like the Internet of Things.
As driverless cars appear on our roads, as medical devices are connected to networks, and as digital technologies permeate more of our everyday lives, our cyber adversaries will have more opportunities to disrupt our economy and threaten our security. Already, Commerce is a leader in bringing public and private sector experts together to solve real-world challenges.
For instance, the NIST-led National Cybersecurity Center of Excellence brings experts together to deploy market-ready solutions, from securing networked medical devices to increasing the use of multi-factor authentication. And at the National Telecommunications and Information Administration, we continue to engage stakeholders to ensure that the cars, baby monitors, and household appliances of the future are born secure. Whether it is a network router or a home security system, government can work with industry to ensure products are designed with highly-usable interfaces and easily updateable software.
As we educate consumers, industry has a responsibility to make it easy for their customers to do the right thing and hard for them to do the wrong thing. Beyond deploying market-ready technologies, we must also accelerate the discovery of new breakthroughs through basic research. Artificial intelligence, machine learning, and other fields could dramatically enhance our ability to detect and defeat cyber threats.
And throughout our history, government funding of basic research has paid huge dividends to the American people. To secure the technologies of tomorrow we must make bold investments in innovation today.
Whether we are investing in research or educating our workers, one thing is clear: we need the political will to get it done.
Today, I ask you – the owners and operators of our digital infrastructure and the innovators behind some of our greatest technologies – to ensure these recommendations are not just considered, but enacted and implemented.
As the voice of business in government and a federal powerhouse of technical knowledge, the Commerce Department will be your partner and advocate in these efforts. Together, we must ensure this report does not wind up collecting dust on shelves inside the White House, or the Library of Congress, or our corporate breakrooms.
This report provides us with clear steps to secure America’s future in the digital age. It is up to us, as a country, to take them. Thank you, and I wish you a productive conference.