Wednesday
17Sep

DEPUTY SECRETARY SCHNEIDER DELIVERS REMARKS AT THE DEPARTMENT OF HOMELAND SECURITY'S CYBERSECURITY FORUM

DEPUTY SECRETARY OF HOMELAND SECURITY PAUL SCHNEIDER DELIVERS REMARKS AT THE DEPARTMENT OF HOMELAND SECURITY'S CYBERSECURITY FORUM - NEWS EVENT
15 September 2008

SPEAKER: DEPUTY SECRETARY OF HOMELAND SECURITY PAUL SCHNEIDER

SCHNEIDER: Good morning. Is everybody awake? Probably going to take me another five minutes or so.

The -- I really appreciate the opportunity to be here this morning. As -- as you know by watching him on the news, the secretary has been down in Texas and is back and getting ready to go brief the -- the president.

So I have the opportunity and pleasure, really, to talk to you this morning.

First, I'd like to introduce a key -- key member of our organization, who is our focal point for the coordination of the cybersecurity effort, and that's the undersecretary, Robert Jamison.

(APPLAUSE)

Secretary Jamison is the undersecretary for national protection and -- and programs, and as such, he is the one within the department that is responsible for the execution of those cyber efforts that are directly under the direct responsibility of the Department of Homeland Security, as well as -- and I will talk a lot more about this later -- the role that DHS plays in coordination of the entire federal government cybersecurity effort. So he is our key guy.

What I'd like to cover today is based in part by a coincidental meeting that I had with the moderator for the next panel, Kate Kaypoor (ph) from Lockheed Martin.

Unbeknownst to me, I happened to be visiting a Lockheed Martin facility in Suffolk, Virginia, on a Friday, and at one of the breaks, she happened to mention me about this big event that was going to take place this morning and that everybody was anxiously looking forward to having Secretary Chertoff explain what this national cybersecurity initiative was all about.

So I said to her, "He's not going to be here," and she said, "Well, why not?" So I said, "Well, because of where he is and what his plans are." And so I said, "I'm -- I'm the person that's going to be speaking."

So I asked her. I said, "Well, what should I cover?" So she said, "Three things." Let's see if I got it right. "First, who's in charge of this effort? Second, what's the relationship of this National Cyber Security Center relative to US-CERT? And third, how's the federal government going to work with the private sector?"

So I said, "I got it, and I can do that." So that is pretty much what I am going to try to cover today.

First, cybersecurity really is -- it's one of the top priorities of the Department of Homeland Security and the federal government. The secretary, myself, Secretary Jamison and a host of others, not just in the department, but across the federal government, spent and have spent a tremendous amount of effort to formulating the structure for what is this national cybersecurity initiative and laying out the groundwork and strategy for actually executing it.

From my standpoint, and -- and as you heard from my -- my bio, I've been around a long time. This is probably unprecedented in terms of the amount of coordination and collaboration that has to take place within the federal government, and then of course between the federal government and -- and the private sector.

And so it's something that I think everybody really kind of understands the importance and the significance of it, and it clearly will transition from this administration to the next administration.

Part of the challenge that we have is to make sure, in fact, that that is in fact a seamless transition. And I believe we have taken the effort, and I think we've crafted the strategies and put in place clear lines of responsibilities and authorities that will ensure that it is in fact a seamless transition.

Unlike a lot of other areas in homeland security, cyber is not exclusively a -- a federal responsibility or is it -- or -- or it's not something that we could unilaterally impose upon the rest of the nation.

We don't own the nation's IT networks or the communications infrastructure, nor would we want to force an excessively burdensome security regime on -- on something that is clearly very dynamic, very fluid, and one of the most reliable engines of our economy.

So this doesn't mean, on the other hand, that cybersecurity is solely a private sector responsibility either. And so, although the vast majority of the nation's cyber infrastructure is in your hands, the reality is that its benefits are so widely distributed across the public domain and so integrated into virtually every aspect of our economy, we face clear national security risks and consequences with its continued protection.

And so, as you know, no single person or entity controls the Internet or the nation's IT infrastructure. There's no centralized node or database or entry point. As a result, there's no single person nor company or government agency that can fully protect it.

And so what we are faced with is the absolute need for a very unique partnership in order to defend this network.

In April of 2008, Secretary Chertoff gave a speech on cybersecurity at the RSA conference in San Francisco. In that speech he outlined the cyber threats that are facing our country and some of the challenges in addressing those threats.

So I'd like to spend some time this morning talking about our approach in a little bit more detail than has been put out before.

And so you all know that protection of the federal security networks is part of this new comprehensive national security initiative. And -- and so what we have been working on is the details in a priority manner of what our -- our initial focus is going to be, as well as what's our long-time strategy.

Much of this plan -- and quite frankly it's been inhibiting to a large extent -- much of this plan is classified. And it's still in the works. And so -- and so because of that, that has unfortunately put some restrictions on how much we have -- we can actually discuss out in the public domain. That fact notwithstanding, we have begun many discussions at the classified level with representatives of industry in some of the formats, which I will talk about later, so I want you to -- to get an appreciation for the fact that just because it's highly classified, the fact is the government knows how to work with industry in a highly classified manner, and we have begun those types of -- of discussion.

So let's talk about this cyber attack, or cyber attacks. Everybody knows the Internet's been around for roughly two decades, and so has cyber attacks.

Now, some may view cyber attacks as simply the cost of doing business and that there's probably no need to do anything special to protect against them. In other words we have some out there that don't take this very seriously.

I would argue, on the other hand, that in this 21st century we have a new era of threats and vulnerabilities in the cyber domain, and that requires us to act with much greater urgency and a sense of purpose. Many of you understand this, and your organizations are actively working on solutions to address this threat.

We have seen recently in the news cyber threats can impact both individuals and entire nations alike. The two most recent examples: first, the Georgia-Russia conflict. Perhaps that is the first instance of a military action containing a clear cyber component: denial of service.

Denial of service attacks were launched by Russia against Georgia. There were large swaths of Georgians that could not access any information about what was happening in their country, government Web sites. Government Web sites were defaced, and the delivery of government information was seriously curtailed.

A similar denial of service attack was perpetuated in 2007 against the Estonian government networks.

The second instance was involved identity theft. This was a very large United States Secret Service case where 40 million credit card numbers were stolen from nine major retailers due to a very sophisticated international scheme that was perpetuated by war driving.

This led to millions of dollars being withdrawn from the bank accounts of innocent consumers. In sum, it was probably the worst case of I.D. theft in U.S. history, all due to lapses in network security by the retailers.

As a personal aside, I had my identity theft -- I had an identity theft of my own occur about two weeks ago when apparently, unbeknownst to me, I started getting calls from a credit card company about some individual that was operating up in New York state and loading up on a lot of gas and a lot of other stuff, using my particular credit card.

So the company said, "Well, do you have your card?" I pulled out my wallet and said, "Sure." So then I started asking questions like, "Well, how the hell could this happen?"

And so -- so I got a personal lesson in identity theft. And -- and as I started to share that experience with several of my co-workers, what I started to find out was I'm not the only one, and a lot of people that I know, and I see every day, have been experiencing this same particular situation.

So, from my standpoint, I think the reality is that cyber attacks are not decreasing. They're increasing in frequency, sophistication and scope. And this has major implications for our national and economic security.

So how do we protect ourselves from malicious activity, whether it's criminal, an extension of state power, as in the instance I gave, espionage, information gathering or just plain old routine hacking.

So from the government's perspective, the very first thing we need to do is to make sure that the federal civilian networks are protected. In other words our first priority is to make sure that our own house is in order and to protect national security.

Now, we're not starting from scratch. We already have a foundation from which to build on, and that's through the hard work of the Department of Defense, as well as the Director of National Intelligence and other agencies, as well as our own DHS National Cybersecurity Division.

SCHNEIDER: In January of this year, the president issued a classified national security and homeland security directive that outlined for the first time this comprehensive national cyber-initiative. For abbreviation purposes, a lot of people within the government just refer to it as the cyber initiative.

It's designed to focus the energies and the resources of the federal government, coupled with the knowledge and the expertise of the private sector, to secure our nation's I.T. infrastructure and protect it against significant attacks.

DHS has the lead responsibility to protect the federal civilian domains and networks, which basically means anything with a .gov address.

The Department of Defense has made great strides in the strengthening and the protection of their networks and the .mil environment.

So we are leading the charge to do the same for .gov.

In addition -- and this is one of the points I want to stress today to answer Kay's question about who's in charge -- we are the lead coordinating body to synchronizing efforts for the protection of all federal networks and systems, including .gov, .mil and .ic.

And acting for the secretary, the individual that has that responsibility is Undersecretary Jamison.

So let's now talk about what are some of the main elements of the cyber initiative. We got three key focus areas: first, establishing the front lines of defense, which means reducing the current vulnerabilities and preventing intrusion; second, defending against the full spectrum of threats by using intelligence and strengthening supply chain security; and third, shaping the future environment by taking cybersecurity research and development to the next level by educating the next generation and investing in leap ahead technologies.

As is true for all of our homeland security programs, privacy and civil liberties considerations are at the center of our efforts. We will continue to strike what we believe is an appropriate balance between security, privacy and civil liberties.

This effort is not about sitting over the Internet, like some other countries, and controlling what people see, nor is reading about the personal e-mail of Americans. That is not our interest. That is not our intent.

We're talking about protecting the federal networks. We're talking about protecting against malicious computer code.

If someone is seeking to access our systems and possibly inject some form of malware, it is fully within our right to take a closer look and see whether that code poses a threat, just as you would ask a few questions about a stranger that wanted to enter your house.

Our first goal under the cyber initiative is to protect our perimeter defenses and prevent the intrusions. And the way we're going to do this is by eliminating the external points of access to the federal networks.

At present there are thousands of Internet access points to the federal government networks. This gives our adversaries too many avenues to seek out technical vulnerabilities and exploit potential gaps.

As part of what we're calling the Trusted Internet Connection Initiative, which is being led by the Office of Management and Budget, we are working to reduce these external points of access to 50 or less across the federal government, and thereby reducing the ability of attackers to penetrate our systems.

To support this effort, we're expanding the United States Computer Emergency Readiness Team, or US-CERT, which is our 24-hour early watch warning and detection capability, to provide oversight of these points of access.

Complementing the expansion of US-CERT is the establishment of the new National Cyber Security Center. So now I'm going to talk a little about the National Cyber Security Center, or NSSC (sic).

The NSSC (sic) will connect and leverage the operational postures of the federal agencies that are responsible for defense to provide a comprehensive situational awareness across the federal networks.

It is responsible for coordinating the protection of the .mil, .ic, as well as the .gov domains. It is a coordination, a collaboration, and coming up with a common situational awareness responsibility.

US-CERT is the operator and the consolidation point of a new comprehensive intrusion detection network, and as such, it's going to have real time situational awareness of the federal civilian networks.

US-CERT will push the information down to those federal agencies, and up to the NCSC. NCSC will consolidate that information with information from other operation centers, such as the Joint Task Force GNO -- Global Network Operations -- who has the common operational picture for the Department of Defense networks and will provide products back to US-CERT and JTF-GNO.

While all -- while all the federal agencies have a center that provide situational awareness of their own networks, we do not have a near real time common operating picture that captures the threats, as well as the mitigation posture across all federal agency domains.

So the National Cyber Security Center will serve as the hub for cross-domain awareness and will be fed by the six agencies with responsibilities, one of whom is US-CERT, which has that defense responsibility for federal civilian networks and the private sector.

And so the NCSC will oversee efforts to make sure that these centers are -- have network connectivity, that their I.T. systems can talk to one another, and they're using the same standards and definitions for how to handle data and information, and that they have shared operating procedures.

This will ensure the continuity among the centers, improve the coordination and raise our overall situational awareness. All this is going to be done under the auspices and the leadership of the Department of Homeland Security, and again, the undersecretary, Robert Jamison.

So what I've tried to cover was a little bit about Kay -- what Kay wanted me to do on -- on point number two. I listen when -- when Kay talks, OK? So I think we talked about techs. We talked about NCSC relationship with US-CERT, talked about situational awareness, linking the network situational awareness and common operational picture together, and -- and how we're going to share the information.

So next we have to talk about how do we keep people from getting into our system?

Currently, we have an intrusion detection system that's deployed across the federal works, and it's called Einstein. That allows us to passively detect breaches and intrusions.

In its current form, Einstein gives us only limited capabilities with respect to detecting the source of the attack and raising our awareness. In effect, it lets us know, once we've already been attacked.

We're going to proceed to take Einstein to the next level. For US-CERT we will be deploying a much more aggressive intrusion detection system across the federal government that will enable us to use passive sensors to scan for malicious code and detect protocol-based signatures.

We'll be able to look for patterns of malicious code, better characterize the intrusions so that we can very quickly shut them down before they do real harm. We are going to try to operate and defend in real time.

Also, we need to take a look at prevention. While -- while we have a -- a lot of effort that will be going into developing a robust intrusion prevention system, as -- as we start developing the requirements for this, this is clearly an area where we are going to be reaching out to the technical sector to make sure that we have in fact the very best technology that's available to help us in this endeavor.

We take a look at -- I want to talk a little bit about counter intelligence. We have to deal with the full spectrum of threats that face the country. The best way, obviously, to deal with the threat, to be aware of it and to understand it -- that requires information and intelligence.

One of our elements of our plan is to develop a government-wide cyber counter intelligence plan specifically focused on foreign state-sponsored cyber threats.

Intelligence is one of our best preventative tools. I don't have to go into any detail. You all know the examples. It starts going back to 200, 300 years, up through World War II with the use of radar.

So we need to have similar types of tools in order to make better use of intelligence in the cyber domain in order to stop our adversaries before they can launch attacks against us.

And that gets us to the discussion of the global supply chain. We all know that the global supply chain and how we do business internationally, how we tap into the global markets, how we share products and expand trade is something that has become one of the underpinnings of our economy and has spurred a tremendous amount of economic growth.

But this also has inherent in it clear risks. There's a large part of the supply chain that we do not own or control, and never will, including a lot of technology and electronics that are produced overseas.

So we need to make sure that the products that we import from foreign markets are not seeded with malicious hardware or software that could compromise our systems and help our adversaries gain valuable national security information -- or even worse, disrupt our networks.

Make no mistake about it. This is a real concern. In some ways it is the high tech equivalent of the intellectual property rights violations we see every day at our ports of entry when we discover adulterated products or fake handbags or DVDs.

Only, in this particular case, it's far more damaging to national security, because these products essentially function as Trojan horses that we conceivably would allow through the gate.

The federal government by itself cannot ensure the integrity of the supply chain. And though we have several programs that are in place, including C-TPAT, which is our public-private partnership to improve security across the supply chain, and our container security initiative, we're going to need your help in order to pursue this effort.

Addressing this risk will require a greater awareness of the threats, the vulnerabilities and the consequences, and it's going to require sound acquisition policies and practices.

And it's going to require an unprecedented level of cooperation and awareness across the entire global supply chain.

As we look to our future environment, a key part of our strategy is -- is our people. The reality is, and -- and it's really well known, that the federal government is not the nation's foremost repository of cybersecurity expertise.

That's not to say we don't have very skilled people, but we need to -- to build the next generation of our cybersecurity workforce. So we're going to be focusing a lot of resources within the federal government on education and training and recruiting talent.

And so, after I give this speech, if anybody would like a job with the Department of Homeland Security, you could see me or Robert Jamison afterwards.

This is a little plug for working for the federal government. You don't have to be the secretary or the deputy secretary to make a major contribution to national policy, achieving national goals.

And one of the things we are going to be taking a look at is how do we establish what programs that require -- or that basically emphasize and encourage rotation between the private sector and the federal government.

SCHNEIDER: We've already started, in a couple of isolated cases, loaned executive programs, and we're looking to increase the use of those types -- type programs, because in the end game it benefits the private sector, and it benefits the federal government.

In research and development we will be spending a significant amount of resources in the private sector, and that's because that's where the technology's going to come from.

I would -- I would caution you to temper your appetite that there is a -- a tremendous pot of gold that's about to be delivered to the private sector in this particular area, because, as I emphasized earlier in my -- my talk, our initial focus is on our existing networks, what do we have to do to immediately strengthen them, and as we get downstream I think is when you'll see perhaps a more heavily leveraged investment in the technology.

OK. Now I want to get to Kay's third point, which is the private sector. How are we going to work with the private sector?

So we all understand that it's imperative that we figure a way, and the right vehicles, to work on hardening and protecting the shared infrastructure. We think we have a good basis for cooperating with the private sector when it comes to protecting critical infrastructure.

Under the National Infrastructure Protection Plan, or the NIPP, we've worked across all 18 sectors to develop sector-specific plans that set clear goals and metrics and common priorities for enhancing security.

And for each of these plans, we've looked at the interdependencies with respect to cyber infrastructure and how it potentially has a cascading effect.

Many of you have worked with us on an activity we called Project 12 of the cyber initiative. Over the last few months, we've been working through the NIPP partnership framework to engage with you and your colleagues to develop a series of long-term and short-term objectives regarding how the government can work with the private sector to enhance our nation's critical infrastructure and key resource networks.

And so our plan is to work through the NIPP. First, in the short term we're planning to increase our current public-private information sharing via the NIPP framework. We continue to recognize just how important it is that we have robust working channels to exchange and integrate information with and among our partners in industry.

A lot of good work's been done. We have a long way to go. And we recognize that the individuals within an organization, who take action on cyber issues, are not always the same who address the security issues.

So we're working to make sure that we get the right information to the right people at the right time.

Our effort in this area has already begun through what we call the cross-sector cyber security working group. We have convened an information sharing subgroup to look at ways to facilitate what I would call the bi-directional sharing of cyber information, indications and warning through the operational capabilities within and cross the sectors and the federal government.

We're looking at better ways to how we share this cyber threat vulnerability information to those in the industry who need it. We clearly understand that some of this information is very sensitive, and also the fact is that we have to figure out how we work with our partners in industry to get greater situational awareness of issues that affect critical infrastructure.

So the bottom line on this is each of the critical sectors we know have different business models. We know how its cybers is -- is treated is -- is a little different.

And so we feel the best way to work this problem with the industry is through the sector coordinating councils, different groups that cut across all the different sectors, with a focus on cyber.

I think it's probably -- and the reason being there have been folks in industry that have suggested we set up a different type of infrastructure, set up a different type of group. But the fact of the matter is we believe using a proven structure that we have today is probably the best way to go do that.

If there's any doubts in anybody's minds about how well that works, you just need to take a look at what's happened between Gustav and Ike and -- and the role of the -- the NIPP and the sector coordinating committees have taken regard to giving jointly the state, the federal and the private sector great situational awareness on what to do in terms of rebuilding critical infrastructure that's been either totally lost or severely damaged over the past three weeks.

We're also exploring options as to how to share government intrusion detection capabilities such as Einstein with our interested industry partners. We know that sharing information both ways is -- is very critical, and that's going to be one of our -- our focus.

I think if you take a look at the -- what we're trying to do with -- within government -- just to reiterate this is kind of an unprecedented type of -- of an activity -- if you take a look at what we're talking about relative to the globalization issues, we have established a partnership with DHS with the Department of Defense and the Director of National Intelligence as to how to we -- on this issue of global markets and technology coming in and the like -- to lay out the framework for a future undertaking that we could coordinate with the private sector on that will take a look at some of our fundamental policies and practices, what may be the best course of action for government, what may be the best course of action for the private sector, and -- and to work in concert to tackle some of these long-term strategic issues.

So my bottom line is we have a plan. A lot of it's -- because of the classification -- has come out in pieces. What I've tried to give you today is answer Kay's three questions. What are we doing? Who's in charge? How do these things all lash up? And -- and how are we going to work with the private sector?

There's a -- there's a lot more that will start coming out in the weeks and months ahead, but I think the -- the thing that we all recognize within the government is that this is an all-encompassing challenge. It's going to require unique coordination and cooperation, unprecedented to date.

I'm personally very encouraged by what I see in terms of the coordination collaboration within the federal government. When you get as many diverse departments and agencies coming together to make this happen in, frankly, what is a relatively short period of time, I think it's a testimony to the folks that are in the leadership positions that recognize just how important this particular effort.

So I want to -- appreciate the opportunity to be here today and -- and talk to you. I know, based on the panel discussion that's going to take place, if you have any real hard questions about DHS or about the effort, please ask Secretary Jamison, and not me.

(LAUGHTER)

And with that, we have time for -- for a couple of questions.

QUESTION: Secretary, thank you very much. Roger Ralls with GD. How does the Homeland Security Information Network play into the -- what you were talking about in terms of the sector coordinating councils and the overall information sharing through the NIPP?

SCHNEIDER: Well, I believe -- and, Rob, you can correct me, if -- if I'm mistaken -- one of the things, as -- as you probably know, we're trying to revitalize and strengthen the HISN -- Homeland Security Information Network.

We -- the folks that run the HISN have worked very closely with Assistant Secretary Bob Stephan, who worries about critical infrastructure.

As part of our effort -- and I believe we awarded a contract a couple of months ago basically changing the architecture, identifying portals to each of the communities of interest, or -- or sectors that meet their specific needs -- so HISN is in terms of what I would say our -- our backbone.

HISN is -- is being modified to basically meet the requirements of the individual sectors. And -- and it's -- this is a really big deal, OK? It's one of the reasons why what we have decided to do is focus our dealings on the sectors.

And -- and the reason is they're up and running. It's a -- it already is a government-industry partnership, which seems to work very well. I guess I would use the term "self-governed." It's really self-governed.

And the fact of the matter is, who better than those individual committees can determine what the I.T. information needs they want to see in terms of a push-pull? So it's key to -- to basically acting as an enabler for the sectors.

QUESTION: Hi. It's Andrew Noyes with Congress Daily. Quick question. You said that you're working on this with an eye toward the new administration. Can you tell me in a bit more detail about -- about kind of what -- what you all -- what's -- how you're -- how you're planning to do this, since you all only have a few months left and...

SCHNEIDER: I didn't say with an eye toward the new administration. What I said was this thing will transcend the existing new administration to the new administration.

QUESTION: But is there a -- a framework in place? Can you give some detail about -- about how you're looking ahead in -- in...

SCHNEIDER: Well, the way -- the way you look ahead is to build on the existing framework that's been put in -- in place. And that's why we've basically institutionalized, through our infrastructure protection arrangement, the individual sector coordinating committees and that whole governance structure best.

And so by and large, when you take a look, and -- and if your issue is you know what happens with the transition of political leadership, you know there's a -- I mean I just can clarify a little bit for you.

The fact of the matter is, contrary to what is popularly covered in the press as -- the fact is that there will be a wholesale departure of people -- and I can talk about Department of Homeland Security -- the fact of the matter is that's just not true.

And so the majority of the people that are running these programs, the fact of the matter is that they're running the programs today, they'll be running these programs on January 20th and the 21st.

So by and large, in a lot of these efforts across government, what you will see is a seamless transition, and the change in political leadership will be transparent relative to the execution of many of these particular efforts.

Now, obviously, any new administration can come in with new policies and the like, but the -- if you take a look at where we are putting our current emphasis, OK, reduction of the number of trusted Internet connection sites, getting real time situational awareness, hooking up the centers to get I.T. connectivity, common situational awareness, moving information up and down the line -- those are kind of foundation pieces of what would be any cyber security strategy.

So you know I -- this -- this is so the transition from one administration to the other relative to something like protection of critical infrastructure -- I don't see that as being an issue.

(APPLAUSE)

END
