Good afternoon, everyone. Thank you for the kind introduction. It’s a pleasure to be here with you today and speak to you at the Georgetown Cybersecurity Law Institute.
As this conference comes to a close, I’d like to take some time today to talk directly to those of you from the private sector attending this conference. I imagine you’ve learned about various manifestations of the cyber threat that our country currently faces. It takes many forms, comes from many sources, and knows no borders:
The cyber threat takes the form of Distributed Denial-of-Service (DDOS) attacks – that have interrupted or suspended the service of webservers at banks.
It takes the form of theft and general invasions of privacy by “keystroke logging.” Installing malicious code, or malware, into a computer, and tracking almost every letter, number, or character you type on your keyboard, including all of the communications you are having over the Internet.
The cyber world has been a useful tool for economic espionage and trade secret theft. Criminal organizations, or even foreign governments, without having to leave their countries or even their offices, can break into the computer system of a private company and steal innovative product designs, formulas, or trade secrets. As a result of this, the company loses the benefit of its investment of money and years of hard work, and more importantly, Americans lose their jobs.
The cyber threat also takes the form of destructive malware. This is malicious software that is capable of deleting everything on a given computer hard drive. This is not an imaginary scenario. In Saudi Arabia, an oil company called Aramco was infected with just such a virus.
Our country’s critical infrastructure is one of the most important areas requiring protection from cyber-threats. Today, most of the important critical functions in our society are run by computer systems. The power grid, hydroelectric dams, nuclear power plants, transportation systems, stock markets and communication systems are all controlled through sophisticated computer systems that allow them to be efficient, effective and coordinate with numerous other critical functions.
By now, you have also heard a lot about what the government can do to help you address cybersecurity issues. But I want to emphasize that government cannot fight the cyber threat alone. And I want to provide you with some thoughts about your role in all of this. What are the things that you can do in the areas of prevention, preparedness, and incidence response. Some of this may seem quite basic to many of you, but it doesn't hurt to hear it again. Unless we work together, we will not be able to address the cyber threat successfully.
Let’s begin with prevention. There are some key things that you and your companies should be doing to build resilience to your networks. Companies should put best practices and technologies in place. For example, each company needs a strong system of network firewalls. You, of course, need an external firewall. This will serve to protect you from the hacker trying to get inside. But that’s not enough. No matter how strong your external firewall is, the likelihood is that a hacker will inevitably break inside. So you also need internal firewalls. These should wall off different departments or divisions in your company from each other. And those areas that contain your company's most sensitive and valuable information should have particularly robust protections. This way, even if a hacker gets onto your network, he doesn’t get very far. Or, at least, he doesn’t get to your company’s most sensitive information.
Companies need to educate their employees on intrusion techniques such as spear-phishing or redirecting websites – the scams that use a combination of email and bogus websites to trick victims into clicking on website links or opening attachments. It only takes the carelessness of one employee to let a hacker into your network. So companies need to train their employees to recognize and avoid these kinds of scams.
And you need to set up a strong system for passwords. The strongest system has multiple layers, and yes, I know it is a pain, but it is so much less of a pain than losing all your data, your trade secrets, or your financial information. This may require the user not only to type in a number of different passwords, but also to send images or even to do a form of biometrics. You should consider using all of these to protect your core, most sensitive network areas.
But you can't do this alone, either. You're going to need up to date information on what cyber threats are out there and what they look like. Participating in information sharing platforms like InfraGard can help you in this regard. InfraGard is an FBI-sponsored initiative that brings together representatives from the private and public sectors to help protect our nation’s critical infrastructure from attacks by terrorists and criminals. Members have access to FBI secure communications network featuring an encrypted website, web mail, list serves, and message boards. FBI uses the InfraGard website to disseminate threat alerts and advisories. InfraGard also sends out intelligence products from the FBI and other agencies.
Beyond InfraGard, you can access other information sharing organizations like the Information Sharing and Analysis Centers – ISACs. ISACs are trusted groups established by critical infrastructure owners and operators. There are different ISACs for different sectors and areas of expertise. Members of ISACs share information with each other and maintain contacts with the government to share and receive cyber threat information. Services provided by ISACs include risk mitigation, incidence response, and information sharing. Depending on the ISAC, you may have access to a 24/7 security operations center, briefings, and white papers.
What can the Government do to help with prevention? Well, for starters, we can share actionable information with you. We have collected and shared hundreds of thousands of indicators of malicious activity with the private sector and over a hundred nations. And this is just in the past six months. These indicators include information like IP addresses associated with malicious activity.
You may have also heard about ECS — the Enhanced Cybersecurity Services program. This is a program that has been available to the U.S. defense industrial base. The Department of Homeland Security has been working with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information. DHS provides that information to qualified service providers to help them counter known malicious cyber activity.
In the Executive Order that the President announced at the State of the Union earlier this year, we committed to expanding ECS beyond the defense industrial base to cover our nation's critical infrastructure. We also committed to redoubling the effort to share malicious indicators not just with members of critical infrastructure, but with the private sector writ large.
Beyond information sharing, the President’s EO gave also the National Institutes of Standards and Technology – NIST – the responsibility, along with the private sector, to develop a framework of baseline standards for cybersecurity. The Framework’s purpose is to assist owners and operators of critical infrastructure to identify and manage risks posed from cyber threats. Once the Framework is established, DHS will establish a voluntary program to support adoption of the Framework. While the Framework is directly applicable to critical infrastructure members, there is nothing that prevents all companies from adopting the framework as part of their cyber program.
Next is preparation for an attack. Even a well-defended organization will inevitably experience a cyber incidence at some point. Therefore, your company has got to have a strong and comprehensive plan for responding to a cyber incident. Determine what kinds of filters to employ in the face of a DDOS attack, how to implement mechanisms to shut down access to important sectors of your computer systems, procedures to change passwords and access controls, and provisions to preserve all your critical data to ensure continuity of your company's operation if your data has been destroyed. And importantly, mechanisms to notify customers or employees if PII has been stolen.
I may be saying the obvious, but these procedures need to be developed before any cyber attack occurs. After an attack has started, it’s usually too late to figure what to do, or to have any hope that it will be effective. And your plan needs to be tailored to your particular company. You and the other IT professionals in your company are the only ones with the expertise and detailed familiarity with your own system to undertake the evaluation of how all your systems work together and how a hostile actor might exploit vulnerabilities. So take the time to really think about it.
Finally, think about your cyber protection program from the perspective of your shareholders. The SEC has issued specific guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The guidance, which was issued in 2011, makes clear that there are particular obligations that apply before, during, and after a cyber incident. But you should think about your disclosure obligations beyond just particular cyber incidents. If you had to explain to your shareholders how you are going about protecting the most valuable trade secrets of your company, or its financial information, or its critical operations, or the personally identifiable information of your customers or employees, what would you want that explanation to look like? What kind of impression would you want the investing public to have about your dedication to cyber protection.
So, your company has followed all this advice. It has put in place a resilient network, and you have set up a comprehensive plan of action for responding to cyber incidences. You have also been able to rehearse your plan repeatedly and have even exercised it in responding to small-scale cyber attacks. But the attack still comes. Unfortunately, it’s inevitable. What do you do then? I know that many companies are reluctant to let anyone know they have been the victim of a cyber attack. They don't want their shareholders or their customers to lose confidence in their systems. So they deal with it themselves, and don't tell anyone about it. But that kind of thinking leads to only one result - more attacks, on you and other companies. I want to urge you, in those situations, to notify law enforcement immediately. We have tools to help you and others who are the victims of the attack and we can use your attack information to help prevent future attacks. And, we are dedicated to maintaining the confidentiality as best we can so you don’t get victimized again through bad publicity.
Let me give you an example of how law enforcement can respond when we learn of a cyber attack.
Two years ago, hackers had infected hundreds of thousands of computers with the Coreflood virus through a botnet. As many of you may already know, a botnet is a group of hacked computers, located in homes, schools, and offices. Botnet creators secretly install special malware on those computers. Once it is installed, those computers beacon back to the botnet creator's master server and do anything the botnet owner desires. That is why these computers are commonly called “zombies.”
This was a particularly pernicious infection, in large part because the malware was continually updated to escape detection by most anti-virus tools. In this scheme, the botnet creators, through keystroke loggers, were stealing peoples’ personal and financial information. Because these criminals were overseas and could not be easily identified, arrested or prosecuted, we had to figure out a way to disrupt the network and stop the theft. We did this through a combination of civil and criminal authorities that allowed us to wrest control of the network from the criminals and shut it down.
First, because the central command computers that operated the botnet were in the United States, we sought a criminal seizure order to take control of those servers. This took the botnet control away from the criminals, and let us respond when the infected computers beaconed back asking for their next instruction.
Second, we obtained a civil injunction that authorized the investigators to beacon back to the zombies and instruct the malware to “go to sleep.”
Finally, although we had put the malware to sleep, it was still on all of the individual computers. With the malware in place the botnet creators could reconstitute the botnet fairly easily. So we went to work with antivirus companies and other industry partners to solve this problem. Software companies and Internet Service Providers offered free self-help tools and advice that enabled users to rid their computers of the malware. By combining authorities and working together with the private sector, we developed an effective solution to address this one network of malicious code.
But in this instance we were lucky. We were able to locate key components in the United States and did some creative lawyering to seize control of those servers. But that won't always be the case. Most of the law enforcement we have today was designed for the 20th century. We are, unfortunately, dealing with a 21st century problem.
So I’ve laid out some key areas involving government and private sector roles and partnerships. But don't sit back and think that's enough. We all need to do more. I referred earlier to the Executive Order that the President signed. It’s a start, but we still need congressional action in this area:
Although the federal government currently has a range of tools at its disposal, we still need to give law enforcement better ways to stop cyber crime without having to piece together ad hoc, creative solutions.
We need to facilitate the appropriate sharing of cybersecurity information like malware codes between the government and private industry so industry can protect itself.
We also need legislation to incorporate privacy and civil liberties safeguards into all aspects of cybersecurity.
We have been and should also continue to engage our Allies and partners worldwide to solidify norms of cyber behavior — to help ensure that the Internet remains open, secure, and stable. It is also crucial for us to maintain a meaningful dialogue with the world’s largest cyber actors and work together to develop an understanding of acceptable behavior in cyberspace.
But above all, we must work together — the government and the private sector — to build closer and even better partnerships. Only by doing this will be able to make the future Internet a place where we can be more confident that our businesses, our privacy, and our personal finances can operate safely. The responsibility of protecting all of this rests not only with the government, but also with, individuals, firms, and companies themselves. We know that you have been working hard to provide security for your systems. We commend you for doing so and look forward to working closely with you as we move forward in addressing and countering the cyber threat.
Thank you again giving me the opportunity to talk with you today about this important topic.