Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, will frame the Biden Administration’s approach to safeguarding U.S. cybersecurity and modernizing cybersecurity defenses to enable the United States to confront threats from sophisticated and persistent nation state threat actors and criminals.
- Hello, it's my pleasure to have the opportunity to address so many practitioners, doers on the front lines of cyber defense. I've been invited to speak about the administration's approach to safeguarding and modernizing our cybersecurity defenses while we confront threats from persistent nation state threat actors and criminals. I know RSA attracts an expert audience. So this is an audience that can give chapter and verse on how the security of our technology remains a challenge, even as it's a bigger and bigger part of our lives. Governments and companies are under constant sophisticated and malicious attack from nation state adversaries, and criminals. So today more than ever as each person here would say, cybersecurity is a national security imperative. Cybersecurity also has geopolitical dimensions. Technology can be leveraged to facilitate participation in democratic processes and advanced human rights and rules-based order. But can also be used by authoritarian regimes to advance mass surveillance, facilitate arbitrary detention and systematize oppression, and to write new rules and standards that are counter to democratic values. I don't think anyone here would contest that cybersecurity is a matter of national security. So I won't spend any more time stating the obvious. Instead, I'll turn to the urgency of the moment and the need for us to renew our commitment to partnership because the stakes couldn't be higher. The administration has navigated two major cybersecurity incidents inside of our first 100 days. One we inherited, and another that broke during our tenure. The SolarWinds and Microsoft Exchange incidents reinforced several lessons. First, adversaries will look for any opening to attack, whether they're hunting for coding errors or compromising supply chains to create an attack vector. Second, partnerships are critical to the safety of our nation in cyberspace. The government needs the private sector and the private sector needs the government's partnership. Third, the government urgently needs to modernize cybersecurity defenses to protect its own data and ensure it can deliver services to the American people. And we have to shift our mindset from incident response to prevention, and prioritize our investments to get ahead of threats and facilitate early detection. I'll take a few moments to reflect with you on this last point, shifting our mindset. Like so many here, I've been in this field at the ground level and I've observed that as a community, we've accepted that we'll move from one incident response to the next. And while we must acknowledge breaches will happen and prepare for them, we simply cannot let waiting for the next shoe to drop to be the status quo under which we operate. The national security implications of doing so are too grave. Breaches are costly. Simply put, cybersecurity is not only a national security imperative but an economic security imperative as well. Estimates vary, but in 2019, Accenture and Ponemon study estimates the average company incurs a cost of $13 million per breach. A joint CSIS and McAfee report estimates cybercrime costs 1% of global GDP in 2018. I could go on. The point is that today the cost of insecure technology is staggering, and that cost is borne at the end by the victims in incident response and cleanup. Small businesses, schools, hospitals, and local governments who often have fewer resources particularly struggle. These costs aren't new, and they're well-known. And we can take steps to modernize defenses to mitigate them. That alone should be incentive enough to change our ways. And yet, have we? What does it take? This is the community who can drive the change. This administration is committed to changing the calculus and the president has elevated cybersecurity in a way that no other has. Our approach can be summarized by three complimentary and mutually reinforcing lines of effort. First, modernized cyber defenses. Second, return to a more active role on cyber internationally. And finally, ensure America's better posture to compete. I'll briefly touch on each of these efforts. First, we're modernizing cyber defenses. Following SolarWinds incident response, we were confronted by the hard truth that some of the most basic cybersecurity prevention measures weren't systemically rolled out across federal agencies. Tools like MFA, encryption, constant logging and endpoint detection pull back to an effective sock. We've taken immediate action to roll these out but we have much more to do. And we're starting with the software that we buy. Software supply chain security is an area of particular concern. The current model of build, sell, maybe patch means the products the federal government buys often include defects and vulnerabilities. These are defects and vulnerabilities that the developers are accepting as the norm with the expectation they can patch later. Or perhaps developers decide to ship software with defects and vulnerabilities they decide to ignore. If they, the vendor deems those defects and vulnerabilities are not sufficiently serious to merit fixing. That's not acceptable. It's knowingly introducing unknown and potentially grave risks that adversaries and criminals then exploit. Security has to be a basic design consideration. We'd never buy a car or rush to market knowing it could have potentially fatal defects that the manufacturer may or may not choose to issue a recall and fix. You wouldn't buy that car and decide later whether you want to install seat belts or airbags. But that's analogous to how today's software development model works. Coding securely takes work, but we can take pride in that work. Knowing the cost and time, we're saving thousands. And knowing that the best hackers around the world won't find a hole. On the government side, we want to begin taking aggressive steps to do our part to ensure that the software the government buys is built more securely from the start by potentially requiring federal vendors to build software in a secure development environment. Our efforts will pay dividends outside of the federal government because much of the software the government buys is the same software that schools, small businesses, big businesses and individuals buy. The starting point for building more securely is where you build your software, which should be separate and a secure build environment. This includes things like using strong authentication, limiting privileges, and of course, encryption. It also includes knowing the provenance of the code you include in your builds and using modern tools to check for known and potential vulnerabilities. This is hard, but it also may seem basic to you, maybe even obvious. But we all know that these basic practices are not universal. For those of you already following these practices, thank you, and thank you for your leadership. Thank you for investing in security at the beginning of the process and by extension, investing in national security. And thank you for setting the tone for the community by leading by example. You deserve recognition for your commitment to security and you deserve more than that. You deserve credit in the marketplace. But today, that's hard. Today, there's no way to gain that in today's marketplace. Why? Because the government and indeed all consumers, we don't have visibility into what software is developed securely, and what's not. So while visibility and accountability are key drivers of software security, we literally are unable to factor them economically into our buying decisions. In order to make the market to put money on this issue, to give developers the economic credit they deserve for secure code, and to empower consumers to make informed buying decisions, we need to integrate that visibility into the security of our software. Visibility engenders trust. And today we place our trust in vendors but we largely do it blindly for the most part because we don't have a way to measure that trust. And I want to talk more about that. I'll turn out to our critical infrastructure. Many of the systems that run our critical infrastructure, the systems that deliver the gas that heats your homes and the electricity that powers our schools was built before anyone had heard of an internet. We simply didn't plan for the interconnectivity and related cybersecurity risk we see today. And most of this infrastructure is in private sector hands. In April, the administration announced a pilot program in which we're working with electric sector leaders to modernize cyber defenses, a program that will facilitate private sector efforts to install new technologies that provide timely visibility detection, response and blocking capabilities to protect the technologies on which our critical services depend. This will take time, but it's the first step of a series of efforts we'll be working on to ensure we can trust the systems underpinning our critical infrastructure. And that trust is relying on having the level of visibility needed to match the consequences if a system is degraded or disrupted. Let's think about that for a moment. The level of visibility we need is built on the trust we need, and the trust and visibility we need is based on the consequences if a system fails. That's an important point to think about, particularly as we build systems here. Our second line of effort is revitalizing America's global leadership role. While we modernize our cyber defenses and safeguard existing infrastructure, we're also strengthening our global partnerships to counter adversaries that leverage technology to undermine national and global security. The administration is coordinating with allies and like-minded and international partners through initiatives like The Quad Security Dialogue to develop, promote and safeguard our cybersecurity and counter adversaries and competitors that may seek to use technologies to undermine our economic prosperity and national security. We're also collaborating with our allies and partners on efforts to counter cyber threats and hold malicious actors accountable. As one example, we built a coalition of dozens of countries to support our attribution of the SolarWinds intrusion to the SVR, and bolster the US government's actions to hold Russia accountable for its malign actions in cyberspace. One of our first global initiatives will be a cooperative effort to counter ransomware. Criminals use ransomware to target everything from individuals, utilities, hospitals, and large companies. Extortion through ransomware presents a national security threat for countries around the world because it can disrupt schools and hospitals and governments and companies abilities to deliver services. And because of the huge financial cost, it's concerning that ransomware often exploits known weaknesses such as targeting endpoint and software vulnerabilities. Proactive prevention through effective cyber hygiene, cybersecurity controls and business continuity resiliency is often the best defense against these criminals. However, we're also concerned about growing sophistication of these groups, both in their exploits, such as the use of fileless ransomware and in their operational models, including the evolution to big game hunting, the growth of ransomware cartels and the increasing prevalence of double extortion schemes. International cooperation to address ransomware is critically important because transnational criminals are most often the perpetrators of these crimes. And they often leverage global infrastructure and money laundering networks to do it. Finally, the administration will ensure America's better posture to compete in cybersecurity, technology, and beyond. While we take steps to bolster cybersecurity and secure the technology and infrastructure of today, we must also invest in and facilitate the innovation of tomorrow. As the president said, we're at an inflection point. Federal investment in research and development is at its lowest in decades as a percentage of our GDP. And the president's committed to reversing this trend to ensure America remains a global leader in emerging technology. The American Jobs Plan includes a proposal to invest $180 billion in R&D of new and emerging technologies, technologies like quantum computing, AI, and microelectronics. This investment is a significant down payment on the future of American innovation. The American Jobs Plan also includes proposals to secure critical supply chains on which our technologies rely, including investing $50 billion in domestic semiconductor, manufacturing and research. Before closing, let me speak to why ensuring America remains a leader in emerging technology is so crucial to our national security. Take quantum computing. Quantum computing promises to revolutionize certain unsolvable computing problems across a variety of military and civilian applications, from pharmaceuticals discovery and healthcare to advanced materials and batteries, to machine learning. But quantum computing will also be disruptive in other ways too. It will fundamentally disrupt cybersecurity and the technology platforms on which it's built while offering new vectors to compromise critical information systems and networks with potentially devastating impacts on certain encryption methods like asymmetric encryption, the foundation of our economic and national security communications. The president's American Jobs Plan reflects a commitment to accelerate US leadership in quantum computing and quantum information science more broadly, while protecting the country from the adversarial use of these technologies. Bolstering the nation's cybersecurity, safeguarding our critical infrastructure, and renewing America's advantages broadly are fundamental to the Biden Administration's commitment to our national security strategy. Continued partnership with you, the private sector, is critical to achieving these objectives. In closing, thank you for your role in building more secure systems. That role's become evermore critical. At your keyboard, you're saving the users of your code time, money, and sharing the innovation we're all so proud of. It's also secure against the sophisticated threats we face. Be well, do well, and thank you.
Policy & Government
cyber warfare & cyber weapons legislation supply chain
Share With Your Community