“Cybersecurity: How to Protect Our Digital Assets”

Note: This is the text of Senator Susan M. Collins's speech, entitled “Cybersecurity: How to Protect Our Digital Assets,” delivered at noon today at the Homeland Security Policy Institute at George Washington University. The Monday symposium on cyber deterrence is co-hosted by the Intelligence and National Security Alliance (INSA).


Thank you.


Every week, it seems, we learn of additional threats to the security of our cyber infrastructure.  The Internet, undoubtedly one of the most significant inventions in history, now connects and enables a great amount of daily activity, from commerce to entertainment to government.


But every innovation carries new risks, and by now, the vulnerabilities of cyberspace are all too evident. 


Consider these sobering facts: 


· Cyber crime costs our national economy nearly 8 billion dollars annually.

· Hackers can operate in relative safety – and anonymity – from a laptop or desktop anywhere in the world.

· And cyber terrorists have the potential to attack high-impact targets – disrupting telecommunications systems, shutting down electric power grids, or freezing financial markets, causing billions of dollars in damage and threatening thousands of lives.


Examples of recent cybersecurity incidents are myriad and disturbing.


· Press reports indicate that China and Russia have attempted to map the United States’ electric grid and have left behind software that could be activated later, perhaps to disrupt or destroy components.

· The Washington Post has reported that hackers broke into the Pentagon’s Joint Strike Fighter project and stole information.

· Last year, cyber thieves secretly implanted circuitry into keypads sold to British supermarkets, which were then used to steal account information and PIN numbers.

· And, in 2007, the country of Estonia was attacked in cyberspace.  Those attacks – which were described in detail by the Estonian Defense Minister earlier today – involved a flood of data that nearly crippled the country’s information infrastructure.


These attacks, and the hundreds like them, whether on our government or private sector systems, have ushered in a new age of cyber crime and, indeed, cyber warfare.  They underscore the high priority we must give to the security of our information technology systems.


Despite these ominous warning signs, we have not done enough over the years to effectively secure most government IT systems.  The Federal Information Security Management Act – known as FISMA – gives the Office of Management and Budget broad authority to oversee agency information security measures.  In practice, however, FISMA is often seen as a “paperwork exercise,” providing little real security and leading to a disjointed cybersecurity regime in which each federal agency haphazardly implements its own security measures.


With federal networks increasingly interconnected, any vulnerability in one system represents a potential vulnerability to all.  Computer interconnectivity continues to increase, and this trend increases the threat of cyber terrorism exponentially. 


It is fair to ask:  What will it take for the federal government to finally get serious about protecting the vulnerable frontier that we call cyberspace?


Will this nation have to endure a “cyber 9/11” before our government finally realizes the importance of protecting our digital resources, limiting our vulnerabilities, and mitigating the consequences of exploitations? 


We all hope and pray that such an ominous event never occurs.  But we also cannot pretend that such a threat does not exist, particularly in an era of global terrorism with enemies sworn to our destruction.  Indeed, to ignore the warning signs and to merely hope for the best would be irresponsible.  We must practice vigilance at every turn and that extends to the Internet and the field of cybersecurity. 


Chairman Joe Lieberman and I have focused considerable effort on these matters from the Senate Homeland Security and Governmental Affairs Committee.  I commend him for his leadership in this area.  Indeed, during his tenure as Chairman, we have held three public hearings in addition to classified briefings on cybersecurity.  And, over the last few years, our staffs have held numerous meetings and briefings with experts on this issue. 


Today, I will state what is no doubt obvious to you:  It is time to take action.  We must move past the planning stage and into the doing stage.  A strong defense against a cyber attack is a key component of effective deterrence. 


Clearly, the current state of affairs – this laissez-faire attitude toward protecting our nation’s digital assets – cannot continue.  The United States requires a comprehensive cybersecurity strategy backed by aggressive implementation of effective security measures.  There must be unparalleled coordination among law enforcement, intelligence agencies, our military, and the private owners and operators of critical infrastructure. 


Some have suggested that such an effort can be led from the White House.  But truly securing our information technology infrastructure will require more than just high-level strategy and coordination.  There must be aggressive oversight, evaluation, and testing of systems.  There must be constant, real-time monitoring of security and analysis of threats.  In short, effectively managing government cybersecurity is going to require more than a few staff crammed into a cubicle in the depths of the White House.


The National Security Agency and other intelligence agencies possess enormous skills and resources, but privacy and civil liberties demands preclude these agencies from shouldering a leadership role in the security of our civilian information technology systems.  The Internet is a critical tool for open, free communication; security in civilian government systems must take that reality into account.  The intelligence community must play a critical part in providing threat information, but it cannot lead the cybersecurity effort.


Logically, any effort to secure our civilian government systems and our critical cyber infrastructure must leverage the mission and resources of the Department of Homeland Security.  DHS was tapped for precisely this role in the Presidential Directive issued last year, and DHS is already the department within the federal government building partnerships with the private sector to secure our critical infrastructure and key resources. 


In fact, DHS has done good work in implementing that Directive.  Just last Friday, for instance, Secretary Napolitano opened the Department’s new National Cybersecurity and Communications Coordination Integration Center, a 24-hour coordinated watch and warning center to bolster cyber information sharing and incident response.  Despite these efforts, however, the Department still lacks the authority and resources it needs to secure our federal and private sector networks.


Some will argue that a single federal department or agency is not muscular enough to direct other federal departments and agencies to secure their IT infrastructure.  But Congress has dealt with complex challenges involving the need for interagency coordination in the past.  We have established strong leaders with supporting organizational structures to coordinate and implement action across agencies, while recognizing and respecting disparate agency missions.


The establishment of the National Counterterrorism Center within the Office of the Director of National Intelligence is a prime example of a successful government reorganization that implicated the missions of multiple agencies.  The NCTC Director is responsible for the strategic planning of joint counterterrorism operations, and in this role reports to the President.  When implementing the information analysis, integration, and sharing mission of the Center, the Director reports to the DNI.  These dual roles provide access to the President on strategic, interagency matters, while providing NCTC with the structural support and resources of the office of the DNI to complete the day-to-day work of the Center.


I am convinced that a similar construct could improve the security of our civilian information systems and our critical cyber infrastructure. 


A cybersecurity “Center,” anchored at DHS, with a strong and empowered leader would close the coordination gaps that currently exist in our disjointed federal efforts.  The Director of the Center could help enforce compliance with cyber security standards promulgated by the OMB and the National Institute of Standards and Technology.  For example, the Director would have the ability to “Red Team” agency systems, recommend security measures to agencies, and insist that agencies explain the actions taken based on those security recommendations.  The Director would also coordinate information sharing on threats and vulnerabilities to our cyber infrastructure from across the federal government. 


The Director of the federal cybersecurity effort at DHS should also serve as the Principal Advisor to the President on cybersecurity.  For day-to-day operations, the Center would utilize the resources of DHS, and the Director would report directly to the Secretary of Homeland Security.  These dual lines of responsibility would give the Director sufficient rank and stature to interact effectively and directly with the heads of other departments and agencies and with the private sector.


That is not to say that the National Security Council would not have an important role to play.  Indeed, the NSC – performing its traditional coordination role – would need to ensure that our military, intelligence, and law enforcement activities complement and inform our efforts to protect our civilian networks.  But that traditional role does not require a cyber czar.  It requires a strong civilian counterpart to the Secretary of Defense, the Director of National Intelligence, and the Attorney General.  The Director would serve as that counterpart.


The Director would work with the National Institute of Standards and Technology to prioritize the development of standards and performance metrics, establishing a baseline for cybersecurity at the various civilian departments and agencies.  Working with the intelligence community and infrastructure protection experts at DHS and across the government, the Director would be charged with identifying and warning about cyber vulnerabilities and threats to the federal and critical private sector networks. 


The Director would also work with civilian agencies to establish policies for personnel security assurance, including mechanisms to ensure the integrity of personnel and contractors to lessen the cybersecurity threat posed by insiders.


Departments and agencies would be required to respond to these warnings – implementing security measures recommended by the Director or explaining alternative steps they have taken to secure their systems against identified threats.


The Director would be charged with developing a supply chain risk management strategy – promoting a risk-based strategy to secure federal information systems from development to acquisition and through their operational life cycle.   


We should also consider giving the Director authority to review the IT security budgets and IT acquisition policies across the civilian agencies.  The Director should not be responsible for micromanaging individual procurements or directing investments.  But we have seen far too often that security is not a primary concern when agencies procure their IT systems.  Recommending security investments to OMB and providing strategic guidance on security enhancements early in the development and acquisition process will help “bake in” security.  Cybersecurity can no longer be only an afterthought.


These improvements in federal acquisition policy should have a beneficial ripple effect in the larger commercial market.  As a large customer, the federal government can contract with companies to innovate and improve the security of their IT services and products.  With the government’s vast purchasing power, these innovations can establish new security baselines for services and products offered to the general public.  The rising security tide will lift all boats.


The Center could serve as a single point of contact for the private sector, communicating and educating regarding cybersecurity best practices, ensuring the timely communication of threat and vulnerability determinations to critical cyber infrastructure, and promoting the two-way sharing of breach and vulnerability data.


As the very visible lead for cybersecurity in the federal government, the Director would become the central point of access for small and mid-size businesses that are often at a loss when seeking appropriate guidance on employing industry best practices for cybersecurity.  The Director would build on the existing public-private partnership at DHS and work with the relevant lead agency for each industry sector to disseminate best practices and to provide technical assistance to those who request it.


Finally, the Director would be empowered to address directly those cyber threats and vulnerabilities that affect the most significant components of our critical infrastructure.  


We are all aware of those who seek to do this country harm in a significant way.  And if they can launch cyber attacks remotely on such critical infrastructure as our nuclear power plants or largest dams, we need a process for ensuring that those particularly critical assets have sufficient cybersecurity.


With nearly 85% of the country’s critical infrastructure in private hands, this is no small challenge.  But, our government, led by the Director of the Cybersecurity “Center,” could help close vulnerabilities in these critical systems and mitigate the consequences of cyber attacks. 


While the development and dissemination of best practices will do much to improve our cybersecurity posture, for this narrow group of critical infrastructure assets where a cyber attack could result in thousands of lives lost and billions of dollars in damage, the federal government needs to take a more active role.  We should consider a model where the Director of the Cybersecurity “Center” works collaboratively with the owners and operators of these assets to ensure they have appropriate cybersecurity for the level of risk they face. 


This approach would be similar to the current model that DHS employs with the chemical industry.  Rather than setting specific standards, DHS would employ a risk-based approach to evaluating a facility’s vulnerabilities, and the owners and operators would develop a plan for protecting those vulnerabilities and mitigating the consequences of an attack.  This model would allow for continued innovation that is fundamental to the success of the IT sector.


It is vitally important that we build a strong public-private partnership to protect cyberspace, a vital engine of our economy, our government, our country and our future.


The time for promises, planning, and pondering has passed. 


The time for action is now.