Thank you, Robert, for that kind introduction. And thank you for giving me the honor of closing out an event that has had such distinguished speakers, including Senator Jay Rockefeller—who has been a leader in keeping cyber security atop the national agenda.
I’ve had the privilege of working with the Business Software Alliance since my days as the governor of Washington State.
For 20 years, you have been at the forefront of addressing key policy issues, on innovation, global trade, e-commerce and of course copyright protection and patent reform.
Today’s topic—cyber security—is among the most important issues you have engaged on yet. Because trust and security in our IT system is a prerequisite. Without it, you cannot thrive. And neither can America.
Software companies have generated a continuous stream of good jobs in America for at least a generation—some, for two generations or more.
As America looks to boost our economic security, it is important that we in the U.S. government create the right conditions to ensure your continued success.
As President Obama said 11 months ago, “America's economic prosperity in the 21st century will depend on cybersecurity. . . . [It is] a matter of public safety and national security [as well].”
It’s easy to understand why.
According to private researchers, global online transactions are currently estimated to total $10 trillion. Almost any transaction you can think of can now be done online—from consumers paying their utility bills and people buying books and movies from Amazon, to major corporations paying their vendors and selling to their customers. And these same researchers predict that by 2020, global online transactions will exceed $24 trillion. This is transformational not only in terms of size, but in the evolving way in which we use the Internet.
In the coming years, we will continue to see rapid growth in the diversity of applications, services and devices.
- Single purpose “smart appliances”—like smart air conditioners—will connect to the smart grid.
- Several companies are creating global “cloud computing” systems, which will offer on-demand, super-computing capacity.
- And of course, data will increasingly need to move across jurisdictional borders in order to reduce costs, to improve efficiencies and to help consumers find the products they want.
In short, the Internet has evolved into a national and international nervous system for the global economy.
Given this reality, we need to take a fresh look at the policy framework that underpins the Internet Economy.
We need to ask: are there policy “nudges” that can reduce impediments to e-commerce or that can spread its benefits more broadly?
To answer these questions, last week I announced the Department of Commerce Internet Policy Task Force.
The task force is made up of senior staff from across different parts of the Department of Commerce, including leadership from my office. It includes experts in standards, intellectual property, trade, technology and Internet communications.
Last week, the task force released a formal request for public comment on data privacy issues.
The goal is to determine the impact of domestic and international privacy laws on the pace of innovation as well as on real privacy protection that protects essential trust in our IT system.
The task force will analyze stakeholders’ views, and in the coming months, will provide the entire Obama administration with sound policymaking advice.
The task force has also established three working groups on other important topics, including:
- Non-tariff trade challenges to the free flow of information-based services;
- Online copyright protection issues; and
- Measures to help small and medium sized businesses become successful exporters online.
And of course, the taskforce is looking into how public policy or other government action can improve America’s cybersecurity profile.
I am sure some of you have seen Symantec’s just published 15th Internet Security Threat Repor—which identifies some disturbing trends:
- First, malicious activity is increasingly flowing out of countries where broadband and information technology penetration is growing the fastest.
- Second, so-called “advanced persistent threats” focused on large enterprises are becoming more common as thieves seek customer data, financial information and intellectual property assets.
- And third, mass-market attacks—those that small businesses and consumers usually fall prey to—continue to evolve in their sophistication. This underscores the reality that wherever we encounter a computer attached to the Internet, we will always have to be aware of cyber threats.
The department’s task force will take a close look at these latest realities, and it will ask for your policy input. I do not want to prejudge their work, but I can give you an idea of the areas they are looking at. For instance:
- What are the marketplace incentives and disincentives for better cybersecurity practices? Shopkeepers know to lock up their store and to secure valuables in the safe before they head home for the night. Why aren’t they regularly locking up and safeguarding their digital assets?
- By presidential directive, the Department of Homeland Security has responsibility for coordinating cybersecurity initiatives with those who operate critical infrastructure and those who provide other key resources. For the rest of the private sector, what are the most effective ways to share best practices?
- How can policymakers prevent balkanization of the global legal framework?
- Earlier today, you heard from NIST’s Pat Gallagher. NIST engages in cybersecurity research and it is constantly developing key standards. We want feedback on what, if anything, NIST should do to enhance its contribution to cybersecurity.
- Finally, it’s often said that you cannot manage a problem unless you can measure it. How can the government’s data gathering capability be put to better use in this space?
In raising these questions, I want to be clear on a fundamental point.
Too often, when this topic is raised by government officials, it is perceived as adversarial; the government versus business—the government looking to force the private sector to do something.
To be clear, the focus of our inquiry is on how the government and the private sector can better address our shared responsibility.
I know, of course, that when it came to cyber security over the last decade, many in the private sector felt the conversation was largely one sided. . . and government was doing most of the talking.
But almost a year ago, the president put out the challenge that the U.S. government collaborate more closely with industry to find solutions that ensure our security and promote our prosperity. In the months since, we have made some good progress. Together, we need to continue to step up our game.
Because the private sector owns and operates the vast majority of the Internet’s infrastructure, and develops the applications and services that move commerce through it, the government is not in a position to prescribe engineering technology solutions.
I look forward to your ongoing engagement with us and with other policymakers on these issues.
To that end, I want to announce today that after a round of increased collaboration and conversation within the federal government, NIST has been asked to coordinate the new interagency National Initiative for Cyber Education.
This initiative will call on the strengths of several U.S. government departments in order to address the education, training, and public awareness recommendations laid out by the president in the 2009 Cyberspace Policy Review. The initiative has four main components:
- Number one—the administration will promote cybersecurity risk awareness for all citizens. This will require a comprehensive communications strategy focused on awareness of fraud, identity theft, cyber predators, piracy and cyber ethics. The Department of Homeland Security will lead this line of work.
- Second, the administration will ensure that our education system allows the United States to retain and expand its scientific, engineering, and market leadership in cybersecurity technology. The Department of Education and the Office of Science and Technology Policy in the White House will lead this area.
- Third, we need to define new strategies to ensure federal agencies can attract, recruit and retain skilled employees to accomplish cybersecurity missions. The Office of Personnel Management is the lead actor here.
- Finally, across multiple departments, we will intensify our ongoing training and professional development of the existing federal cybersecurity workforce.
I am confident in NIST’s ability to play the role of coordinator across the federal space and to address these challenges. NIST has both deep subject matter knowledge and a proven ability to work cooperatively in multi-stakeholder efforts.
And as always, NIST will rely heavily on the support it receives from you and others in the private sector.
In the end, all cyber security stakeholders need to “pull together”—to define roles and responsibilities more clearly—and to deliver on those responsibilities.
The cybersecurity landscape is complex, and can seem opaque to the general public.
Our task is to pull the pieces together into a coherent whole—to help ordinary citizens and Main Street businesses understand that improving cyber security is of paramount public and personal interest to everyone in America.
This is what we need to do to ensure that the promise of tomorrow’s digital economy becomes reality. Thank you for continuing on that journey with us. Keep up the great work!