
This is Archived Material

This information is not current, is not being updated, and may contain broken links.

Remarks by Homeland Security Secretary Michael Chertoff at the Armed Forces Communications and Electronics Association

Release Date: December 10, 2008

For Immediate Release
Office of the Press Secretary
Contact: 202-282-8010

Secretary Chertoff: I want to apologize. I have a little bit of a cold. Ted, I want to thank you for that introduction. I want to thank all of you for coming out to hear me. I have got very good attendance, I see. And I want to thank the association for inviting me to speak on a topic that I know was a great concern for everybody who operates in the field of cyber-communications and computer activity, which is just about everybody.

As we discussed over the last year, one of the most pressing needs we face as a nation is the need to secure cyberspace, and to protect our nation's cyber-systems and infrastructure, whether it be government, military, or civilian government.

Now, one of the challenging things here is that this is not an exclusively federal responsibility, and it's not exclusively a private sector responsibility. Because of the way in which we network across cyberspace, and because most of the assets and the people involved are not government-employed, we have to address this problem in a partnership. We have to basically use a network to protect the network.

And so, what I would like to do is, with a particular focus about what we're doing at the Department of Homeland Security, talk at a strategic level about cyber-threats, and what we're doing to reduce the probability of those threats, and also how we hope to expand our partnerships across the government and the private sector.

But before I get specifically into the issue of cyber-threats, let me stand back and look at threats, in general. The whole purpose of this department, and the whole purpose of the Department of Defense is to protect this country against threats, whether they be from cyberspace or in the physical domain. And we don't need to be reminded, as we were two weeks ago in Mumbai, that those threats remain very urgent.

In this respect, I have to say that, looking back on the last four years as we to do at this stage of the administration, it is remarkable -- and we have six more weeks to go -- but it is remarkable that we have, in fact, managed to keep this country safe in the period of time that has elapsed since 9/11. This is, in my view –

Secretary Chertoff: This is, in my view, due to the leadership of the president. This President was on watch on September 11th, and pledged that never again would we have an attack like that successfully carried out against this country.

And, although efforts have been made -- some known publicly and some not known publicly -- none of them have succeeded here, as they have places abroad, because of the range of strategies undertaken by the president, whether it was taking the fight to the enemy overseas and killing and capturing leaders of al-Qaeda, or reorganizing the intelligence community to allow us both to collect and integrate information more effectively, or whether it was enabling us, the Department of Homeland Security, to strengthen the borders, to get more information so we have a better opportunity to identify threats coming into our country.

All of these are a part of the president's commitment to keeping the country safe. And, in that respect, it shouldn't be surprising, therefore, that earlier this year the president directed the government and the administration to proceed with a significant new national security strategy. It reflected a good deal of his personal attention to this issue over a period of the late months of 2007, when he got briefed on some of the challenges we were facing and some of the measures that we thought necessary to undertake.

We have seen, in the last year or two, some dramatic illustrations of the danger of cyber-theft, identity theft, using the ability to penetrate cyberspace. And this has underscored that the more of our assets and the more of our economy that resides in the virtual domain, the more important it is to protect that domain.

Just to take a few examples, we saw (inaudible) Estonia, which resulted in a short term but a very significant check on government operations. Our experts at U.S.-CERT have worked with Estonians in order to help rebuild that system. That was an illustration of what a nation state can experience when there are cyber attacks.

Right up to the struggle…battle between Russia and Georgia over (inaudible), there was a preceding denial of service or a wave of denial of service attacks by, let us say, sympathizers to the Russian side of the dispute. That was a planned and adjunct to the military attack where Russian troops entered Georgia. And I think it's just a harbinger of what's to come, the use of cyber attacks as a battlefield, so to speak, degrading their communication command and control, in order to make it easier for our troops to actually seize and hold an objective.

And on a less nation-state level, in the field of criminality, in August the Secret Service brought down the largest prosecution of identity theft, I think, in history. It involved a ring that stole approximately 40 million credit card numbers by capturing the numbers as they were moving over a wireless network between major retailers. And this, again, was a cyber attack. The design here was not denial of service, but it was, in fact, to steal valuable information.

What we know, of course, is that in the realm of cyber, we could have attacks that extricate credit information, as a matter of espionage, whether it be corporate espionage or government espionage, that we could have denial of service attacks. We could have corruption of a network or corruption of data, injecting confusion and uncertainty, and striking at the trust which is necessary for financial institutions.

If you need to have any illustration of how consequential that can be, if you look at the last six months, the loss of trust in our financial institutions and the valuation of assets -- which of course, has nothing to do with a cyber attack -- nevertheless, it illustrates that without a combination of trust and confidence, there is a very dramatic degradation of the ability to have transactions occur in the way we need to have them occur if we're going to have a robust economy.

So, imagine if, instead of having problems with (inaudible) of assets, we had some corrupting data at banks and financial institutions, raising questions about whether people's money was safe, or whether people's bank accounts accurately reflected their assets. How long do you think it would be before people started to pull their money out of financial institutions? I don't need to get too vivid; I think you get the point. This is a really critical area in which we have to operate.

The president is acutely aware of this. And that's why, after a considerable amount of discussion about this topic, and briefing and study, he launched this comprehensive National Cybersecurity Initiative earlier this year.

This is an effort, for the first time, to take cybersecurity out of simply providing a forum for the private sector to come in and exchange information and give some assistance from the civilian domain, but to really integrate all the tools and capabilities of national power in order to make them available, first of all, to the government domains, to make sure we're tight in our own house, and secondarily, to see if we can make them available in a somewhat refined form to the private sector, to help the private sector do what it has to do.

And under the president's initiative, the Department of Homeland Security has lead responsibility to protect federal civilian domains and networks, and to synchronize the efforts to protect all the federal networks, and make sure we're all coordinating together, as well as to begin the process of working with the private sector -- or, shall I say, the multiple elements of the private sector -- to configure cybersecurity in a way that meets the particular needs of each of the 18 principal sectors of the U.S. economy.

So, let me take it to a general level, high-altitude, through the core elements of this initiative, and what we seek to accomplish. First, we have to establish front lines of defense. In other words, reduce our current vulnerabilities and prevent intrusions.

Second, we have to make sure we are defending against the full spectrum of threats. Everybody thinks about cybersecurity in terms of network attacks. But, in fact, there are other vulnerabilities which could be exploited and cause an equal amount of damage, and we have to look end to end at the entire architecture to make sure that we are, in fact, protecting ourselves adequately.

And, finally, we have to shape the future environment by educating the next generation of cyber professionals, and by looking to see whether we can leap ahead technology to protect our cyber assets in the future. Throughout all of this I want to emphasize we will be very sensitive about privacy and civil liberty concerns. We have not looked at this as an opportunity to big foot the private sector, or have a massive federal presence sitting on the Internet, as some other governments have sought to do in policing the Internet that comes through their countries. That is not the approach that we are proposing here.

So, let me take you through each of these three elements of the initiative. First, the front lines of defense. Our concern, of course, first and foremost, as I said, is let's get our own house in order. And we recognize that for a considerable period of time, putting aside the military domains, which are protected by the Department of Defense, the civilian domains in the government have had, literally, thousands of points of access on the Internet. And we need to reduce that number (inaudible) so we can get a handle on the flow of traffic that is coming in and out of the federal government domain.

That means, as well, that we have to increase our capabilities U.S.-CERT and across the entire government, departmental agency network, to make sure we have watch standards 24/7, so we can have a prompt response when we detect something. Now, we need to coordinate across the interagency process through the National Cyber Security Center, which has just (inaudible) set up, to make sure that we are a kind of shared activity or coordination between the military, the intelligence, and the civilian (inaudible), so we can get the benefit of the information that (inaudible) on the other side of the wall, so to speak, and we can also share some of what we see with the intelligence community and the feds.

Part of this, of course, is the continual improvement of the intrusion protection systems that we have. We have EINSTEIN in place now. That is not -- its original form was not a real-time intrusion protection system. EINSTEIN II, which is being deployed at this time, is, in fact, a real-time system that will use passive sensors to detect malicious code and (inaudible) signatures in real time, so that we can give real-time notice warning, rather than do forensic analysis after the attack has occurred.

Finally, we're looking into the development of EINSTEIN 3.0, which will be the next step. It will be a prevention capability that would actually block, as well as warn, again, in the government domains.

Now, that's, of course, (inaudible) attacks, in terms of the government itself. Let's look at the broader spectrum. There are two other major ways in which people compromise their cyber assets. First is someone on the inside simply comes in, sticks, you know, a disk or a thumb drive in, steals information, steals passwords, and then uses that avenue to extricate credit information or damage a cyber network.

This, by the way, people tell me is likely becoming an increasing risk in an environment where people are getting -- I guess "downsized" is the euphemism -- because sometimes people aren't happy about having their jobs terminated, and they may decide to manifest that unhappiness in a destructive way. So, this is really low-tech stuff, but it is equally important.

Finally, I want to emphasize the importance of protecting your global supply chain. There was a story in the Wall Street Journal about maybe a month or six weeks ago about people whose financial data was stolen because in the circuits or the chips in some ATM machines in Europe someone had embedded, essentially, a beacon which would periodically send around the world information it had captured, where people (inaudible).

Now, that's -- again, that's a compromise of hardware, it could be a compromise of software that is actually in the manufacturing process. And in the global environment, in the global supply chain, a quality assurance, an integrity assurance, is going to become an increasing challenge, again, as closing one of the doors to a threat.

Finally, we need to shape the environment. We need to continue to educate and recruit. Somebody told me some time back in Silicon Valley that you get lots of really smart kids who come out of school who want to design software and new systems. Not that many are interested in security. But I think that interest in security and protection of what is being designed has got to be a top priority, and also should be something, frankly, that will excite the people who have an intellectual passion for computers. We have to continue with research and development. And, most important, we have to engage the private sector, in cooperation.

Now, how do we do this? Well, instead of re-inventing the wheel, we decided to take the wheels we have and configure them for this new challenge. We have 18 economic sectors that we have been working with over the past several years through our National Infrastructure Protection Plan, which is a plan where everybody agreed to each of the sectors, where there is financial, IT, communications, and commercial. Everybody participated.

And we now have sector coordinating councils that are a pipeline that work with each of these sectors. And that is going to be a major vehicle for operation, coordination, and cooperation with the private sector. We need to identify long-term and short-term objectives, and with a cross-sector cybersecurity working group that we have set up, we need to facilitate information shared back and forth. We need to know what the threats that you're seeing are in the private sector, and you need to know what we're seeing, that we can release to you, perhaps in some refined form, that you can use in order to secure your systems better.

Again, it's not going to be one-size-fits-all. Concerns you have in financial institutions is not the same thing you have, for example, with energy institutions, or status systems. So that's why we wanted to use the (inaudible) approach.

But I do want to emphasize something that I think is critically important. I think this cannot be a mandate. I think if the federal government comes out and says, "You must put this on your system," we are going to experience a backlash. I think there will be very strong incentives to put things on systems and to have protection. I remember in Y2K, companies got advice well in advance of the clock hitting midnight in the year 2000 about what they needed to do, from a liability standpoint, to protect themselves. So I think that there will be a market that is ready, willing, and able to work with us in this effort.

But I do know there are going to be some people who don't want to do that. And I don't want to tell people that they have to operate through this system. If you want to have -- if you are so concerned about the government that you want to keep your system away from the government, I think that, you know, you should be entitled to do so. Obviously, you have to live with the consequences.

It's an area we have to proceed in with a great deal of delicacy. And it really is, in my mind -- there is a set of network relationships we should build from the ground up, not impose from the top down. And so it's a kind of iterative process that I think we're talking about.

Now, this isn't all going to happen by the time we leave office in a little less than 6 weeks. And I would be a soothsayer in saying I am sure this is going to get a lot of attention in the next administration. But I do think that we have launched a strategy that is robust, that has laid out the major pathways and pointed the right direction, and that has jump-started the process of moving us toward a more secure cyberspace. We have got a lot of good coordination under our belt, and made a lot of progress. And we look forward to continuing to work with you on securing the assets of the 21st century, namely of our computer networks. Thank you very much.

Secretary Chertoff: Now I am happy to take some questions. If you tell me who you are, I would be happy –

Question: Good morning. (Inaudible) Systems. What do you think about the new suggestion by various groups that the president have a cybersecurity team reporting directly to him?

Secretary Chertoff: Well, this is the first of the commissions that were set up by the CSIS to talk about cybersecurity. This is a personal opinion. I think that, first, people need to understand the White House, in the inter-agency policy-making process, has, throughout what we have done, played a role in making sure that there is cross-agency coordination through some policy-making. And it's hard to envision that that wouldn't be the case. That's one of the roles of the White House, is to coordinate policy-making.

I think that in evaluating the suggestion, there will have to be some careful consideration paid to two issues. One, do you want to get the White House or an agency in the executive office of the president involved in operational activity? Namely, making specific decisions, operationally, about what happens?

Traditionally -- maybe this is the lawyer in me coming out -- that has been viewed as a risky thing to do, because it pulls the White House into areas where it's exposed to legal issues, oversight issues, and other things like that. I guess everybody remembers Iran-Contra back in 1986. So, I think that's one issue.

The second issue is I think it's important not to create a Lou Goldberg type of schematic to how we manage things. I found in my four years in Washington that organization and reorganizational movement is second only to spending money as a hobby (inaudible) --

Secretary Chertoff: I can understand why, in a way, because the actual hard work of implementation, which is very detail-oriented, and can be frustrating, does not lend itself to a polite elegant discussion.

But again, I am -- my view here is I would go slow. It may be that there are some enhanced capabilities in the White House, or enhanced involvement you want to have. You certainly do want to have a high-level White House push behind this initiative, and no nonsense, no kidding direction to all the agencies to play together, which is what this president has done. Whether, organizationally, you want to reconfigure a little bit, I think that maybe the new administration will want to consider it, see what's out there, and then make a decision in the fullness of time.

Question: (Inaudible.) Judge Posner of Chicago wrote a book about surprise attacks. And the book explains that surprise attacks have been because people tend to solve the easy problems. The hard problems, or things which are hard to solve, they leave alone. And then the enemy looks and says, "Okay," and (inaudible).

My question is two weeks ago and yesterday came out two reports that deal with the issue of cybersecurity. There was very much criticism of government, very harsh. Now, there is a budget, $30 billion (inaudible) for programs of cybersecurity. This is a constant problem. How do we know, the citizens, or as government, that we are not dealing with that $30 billion in creating more of the same solutions and hopefully we are not taking the easy issues? How do we know that we are really going after the hard issues?

And to be more specific, how do we know that enough money is being allocated to deal with (inaudible) new technologies that might bring solutions to our situation?

Secretary Chertoff: Well, I do agree with the proposition in general, people -- I don't think it's limited to government -- tend to deal with -- there is a little bit of a tendency to deal with problems when you know that you can solve the problems, as opposed to problems you can't solve, or can't solve readily.

And again, I want to come back and say I think that one of the challenges we had in cybersecurity is for a long time -- and I looked at some of the earlier reports -- everyone said, "Oh, you have to do cyber security," but there was really vague generalities. They were, you know, "We have to have more law enforcement, we have to work together, and we have to hold hands, sing Kumbaya."

I was concerned that we did not have -- we weren't being serious about the fact that there were some very, very difficult challenges. And it was largely because it's a network system, it's only as strong as its weakest link, and because we feel uncomfortable about the fact that, you know, the government has to work in the private domain. That means we have to share some degree of secrets with the private domain. It also means the private domain has to get comfortable with the government getting involved in its activities, which is -- you know, culturally, when you deal with the Internet, it has a real, you know, kind of -- it has a real chilling effect.

Now, obviously, in terms of money, we do have classified intelligence budgets. And Congress gets to see them, but I think that's a problem of classification (inaudible), which is outside of my range.

But I will try to answer your question this way. I think what makes this initiative different from the past reports I saw was the past reports essentially set what was going on in the world and the Department of Defense and the intelligence community, and they radically separated it from what was going on in the civilian domains. Because we couldn't find a way to bridge the gap, in terms of classified material, or concerns that the civilian domains would feel threatened by having too close a relationship.

And, in a series of conversations that I had with people on the defense side and the intelligence side, they really came forward and said -- and this is really the genesis of this back in 2007 -- they came forward and said, "Look, we think we actually can do a lot more sharing." And, you know, particularly because media relationship that DHS has with the private sector and with the defense side, that we could be the bridge to enable us to allow a lot of the value add of the very, very technical and cutting edge things being done on the defense side, to get that configured in a way that it could be shared with the private sector, and certainly with the civilian and government domains.

And so, that's why we all got very passionate about this, because we saw this as a game changer. It wasn't going to be shying away from a problem, we were going to tackle it. Now, this requires a lot of hard work, as I said. When you talk about (inaudible) the number of Internet connections, it's hard, because everybody has their own way of doing business. People don't want to have to change or give up their system. So that's the -- what I said earlier -- is the grinding implementation part, which is hard and persistent.

But I do think if you look at the (inaudible) you will see something that is more precise, and more systematic than what you have seen previously. That doesn't mean (inaudible) classified side -- which is maybe what you're looking for, but you're not going to get from me -- but maybe it gives you a sense of how (inaudible).

Question: (Inaudible.) To follow up on your policing issues, a lot of these issues are both criminal and malicious. Do you have a legislative piece to your strategy? And if so, what would you suggest for the next administration to start (inaudible) within the law?

Secretary Chertoff: Well, back in the old days, when I was in the criminal division, one of my responsibilities actually was to supervise cyber prosecutions. We have laws in the book to deal with this. The biggest challenge has been, as you know, many of the attacks and criminal cases originate from overseas. And, therefore, the question is not do we have the laws. I think we have, you know, pretty good laws. But do other countries have the laws, and are they willing to cooperate with us?

There is, I believe, a UN cyber crime convention that we encourage people to sign up to. But in the end, it's the ability of other countries to enforce, and their willingness to enforce, that makes a big difference.

We had an arrangement when I was at the Department of Justice that had 24-hour watch standing with a number of countries, so we could react quickly if there was an attack. As you can see, with the Secret Service case I announced in August, we can successfully bring cases against people. And this was an international case, and we got help from other countries.

What's really challenging, of course, is when you have a foreign country that is tacitly or even openly, facilitating or tolerating this kind of activity for its own reasons. Then we move out of the domain of crime into the domain of national security.

Question: Good morning, Mr. Secretary, (inaudible) OSD staff. You have spoken quite a bit about public-private partnership and voluntary nature and ability for private entities to opt-out, if they so choose. Of course they will have to deal with the consequences of that decision.

But what about the case where the actual true consequences of that decision would not be borne so much by that entity that decided to opt out, but by other firms who are working, and more importantly, by the general public?

Secretary Chertoff: That is what -- that is the hardest issue to deal with, is the question of inter-dependency, and what do you do when a firm is irresponsible, a private firm, and the consequences of that irresponsibility will be visited on others?

We saw a little bit of that in Y2K. During my time as a judge, I had the good or ill fortune of having to decide an insurance coverage case involving (inaudible). And, you know, the issue here was if you didn't take care of the Y2K problem in your company and there was a cascading effect, are you liable.

I think this is going to have to be balanced carefully and slowly, for the following reason. Any -- and here I differ a little bit with some of the suggestions in the commission report -- I have observed the process of trying to get a regulation in the area of communications. You have all seen it, too, whether it was (inaudible) that sort. And the Internet, the culture of the Internet, is so strongly individualistic, and so resistant to the idea of the government getting in there and saying, "You have to do this, you have to let us sit on your system," that I think anything that smacked of that in the slightest would cause a backlash that would make some of the other controversies we have seen look like they're (inaudible).

I do think there is an approach that is likely to be helpful. As we move along and develop this partnership, I think what we will come to see is that if we -- lay out performance standards, not saying, "We are going to sit here, but you have got the responsibility to make sure that certain things happen, certain things don't happen." Then we could be an enabler to allow people to help them meet those performance standards.

But we are not actually saying that we ourselves want to sit on your network or your system, or we want to micro-manage your network or your system. That -- the approach of performance or outcome-based rule strikes me as likely to be more successful. If the commission does want to -- you know, if their suggestion about regulation is, in fact, adopted, I would go with an outcome-based or performance-based system, because I think that's less likely to get resistance.

Question: Yes, Sir. My name is Clint Lock. I work for TSA, so –

Question: You were talking about the problems with nation states not -- maybe not bring to -- certain initiatives. Would you say you would be willing to give countries an ultimatum and say, "If you don't abide by certain things, by certain initiatives," that we would be willing to help them out? Like going to Syria or Pakistan.

Secretary Chertoff: Well, I am -- this has come up a little bit in the sense of people asking the question, "When is a cyber attack like an act of war?" As we discussed in the question of Estonia. Of course, with Georgia, it was accompanied by (inaudible) troops, so that's an easier initiative. That's going to be an interesting question for lawyers.

I do think that -- and I don't want to feel like I'm off the hip on this issue -- I do think, at the risk of ducking, we do need to have a doctrine about the point at which -- two things become national security threats that can be dealt with in a national security way. One is what do we do when a country, explicitly -- or at least implicitly -- encourages or condones attacks. You know, that's true in the physical world, and that's true in the virtual world.

The second is what do you do when a country is incapable, can't prevent attacks? And I think both of these present real challenges for international legal doctrine. It's not so much there a question of what our capabilities are, it's a question of what we should be authorized to do. That is way too complicated for me to expound upon in this statement, but I do think it's an area we are going to have to talk about.

Moderator: One more question.

Question: Secretary? Hi there. (Inaudible), Fox News Channel. On that question, you mentioned two attacks in (inaudible) Estonia and Georgia, both of Russian origins. But there was one more recent one with possible Russian origins on DoD. And I wanted to know what has been gleaned from that attack last month, and also what that says about the state of cybersecurity for the government at large.

Secretary Chertoff: Well, (inaudible) attacks they are public, not -- I am not going to discuss matters that are not non-public. I think what I can say, though, is we have, over the past several years, seen all kinds of efforts to penetrate systems, whether they're government systems or private systems. Some are more sophisticated than others are.

And I think that the increasing pace of these attacks, and the increasing appreciation of the consequences of these attacks have led people to realize that this is a vulnerability that has to be plugged.

On the Estonia and the Georgia (inaudible) public. And to be clear, they were not -- I don't think anyone has accused the Russian government of doing this. I think the indication was it was sympathetic, or perhaps antipathetic to Estonia and Georgia that were responsible.

Moderator: Thanks very much, everyone.

Participant: One more?

Moderator: Yes.

Participant: Okay, this will be the last question.

Question: Mr. Secretary, my name is Mark (inaudible) private sector. And (inaudible) report makes another recommendation, and I would like to get your views on it.

The recommendation is to subordinate or actually, more precisely, incorporate the Homeland Security Council into the National Security Council, and create (inaudible) National Security Advisor. I just wonder what your perspectives are in such a move.

Secretary Chertoff: I think how the White House organizes itself that is truly an issue for the next president, the next White House. I mean, they have got to make a judgement about, you know, what the status will be; the National Security Advisor, whether there should be a person doing Homeland Security things are -- if it's a deputy or, you know, (inaudible). All that is really kind of out of my domain.

Some observations to the transition people, which I think I owe them, the (inaudible). So I don't think I am going to comment (inaudible). I had the privilege of working with two Homeland Security advisors, Fran Townsend and Ken Wainstein. Both were outstanding. Both actually happen to be good friends. That's not why I'm saying they're outstanding, that's just a coincidence. And both added real value.

Now, we are a more mature organization now, the department, much more mature. So I think the next administration will have to look and see how they want to integrate these two. There may be value to that. Or do they feel there is some areas in Homeland Security that are -- particularly the disaster area -- that are sufficiently kind of out of the core of national security that they would be subordinated.

I mean, that's a judgment call, one that should be based upon how the people in the White House work, and how they feel comfortable -- what's going to serve the president's needs the best. Because, ultimately, all of these advisory councils are here to serve the needs of the president, to get information and make decisions in a crisp and efficient way.

###

This page was last reviewed/modified on December 10, 2008.