Remarks of David J. Redl
Assistant Secretary for Communications and Information
National Security Telecommunications Advisory Committee (NSTAC) Meeting
May 17, 2018
--As Prepared for Delivery--
Thank you, committee members, for the time you have devoted to this effort, and for your service to our country.
Over the past three decades, the Internet has transformed the American economy, creating a digital economy representing nearly 6.5 percent of the nation’s GDP, or $1.2 trillion in 2016, according to the Bureau of Economic Analysis. America’s leadership in 4G networks helped create hundreds of thousands of U.S. jobs and led to a booming worldwide market for American hardware and software.
A new wave of connectivity is emerging, facilitated by 5G mobile networks and innovation in the IoT marketplace. 5G has the potential to enable powerful broadband applications and nearly universal connectivity of people and machines. America’s wireless industry is already pushing to be front of the pack with 5G deployments, committing billions in new investment to build these next-generation networks.
But we are not alone in this race. Other countries are tapping industrial policies to take the lead in global standards and equipment development. For America’s 5G leadership to succeed, the entire government must work in a coordinated fashion.
From NTIA’s perspective, this means making more spectrum available, removing obstacles to deployment, collaborating on the global standards that will define how the 5G race unfolds, and ensuring we have a collective strategy to secure 5G networks.
Securing our future
As we focus on growth and innovation, we must also be mindful of the rapidly evolving cyber threat environment. President Trump has made it clear that securing our communications networks is a national security priority. Our continued prosperity depends upon defeating attacks on networks and devices that threaten our security, our economy, and our trust in technology.
A year ago, the President issued an Executive Order aimed at strengthening the cybersecurity of federal networks and critical infrastructure. The order mandated that all federal agencies use the Cybersecurity Framework developed by the National Institute of Standards and Technology. Last month, NIST released version 1.1 of the Framework, which shows how this voluntary approach can provide a first line of cyber defense for companies.
In January, the Departments of Commerce and Homeland Security delivered a draft report on how to improve the resilience of the Internet and reduce the threat of botnets. We were directed to identify stakeholder actions – not government regulations – that could help solve this problem.
Botnets and the cyberattacks they enable have been an issue since the early days of the Internet. These attacks can be severely damaging. Threats are evolving, growing smarter and affecting some of America’s most sophisticated companies. The Center for Strategic and International Studies estimates that close to $6 billion a year is lost to cybercrime.
The rapid expansion of IoT devices has fueled the scale of attacks. The growth shows no sign of abating. Analysts at Gartner predict that there will be 20 billion IoT devices deployed by 2020, up from about 11 billion.
We spent a year collecting broad input from experts and stakeholders in federal government, industry, academia and civil society. We held two public workshops, analyzed over a hundred responses to our requests for comments, and reviewed the NSTAC Report to the President on Internet and Communications Resilience. We expect to deliver the final report to the president soon.
Several broad themes emerged from our work over the past year:
Attacks are a global challenge for the entire Internet ecosystem, and cannot be solved in isolation. We must collaborate across sectors and involve all stakeholders in finding workable solutions. And we must work closely with international partners, as the majority of compromised devices in recent botnet attacks have been located outside the United States.
Many of the tools necessary for a more resilient Internet already exist, but aren’t widely used. We need to increase awareness and education, and help align market incentives to promote a better balance between security and convenience. The administration will work with the private sector to coordinate on our plans based on the report’s recommendations.
I’d like to recognize and thank you for the hard work that went into your report on Internet and communications resilience.
Drawing upon your collective communications expertise, the report clearly identified the risks posed by IoT growth, and priorities for addressing the threats posed to critical infrastructure. You called for a broad, multifaceted response developed through public-private coordination.
We agree that collaboration and partnerships will be critical in addressing these threats. The response we’ve received from stakeholders so far shows we have a solid foundation to build on. At Commerce, NIST is working to develop standards, specifications and security mechanisms that will form security baselines for IoT devices. This will help accelerate the development of more secure IoT devices.
NTIA later this summer will begin working with stakeholders to examine what’s needed to foster a marketplace for greater software component transparency. Knowing what software has been incorporated into a product is a fundamental step toward being able to keep it updated and to block threats from doing damage.
Our research into automated, distributed attacks reveals that this is a fast-moving global problem. Defeating it will take a committed effort by stakeholders to develop policies that will lead to a secure and stable cyberspace.
We’ve seen with other, more regulatory approaches how things can go wrong. Take, for instance, the European Union’s General Data Protection Regulation, or GDPR. Implementation of these new, expansive regulations on May 25 is a major concern of our government. Many aspects of our government’s operations will be affected by GDPR, and the same is true for private sector companies of all sizes. GDPR is also threatening to upend the valuable WHOIS service, which could impede our work to curb botnets.
While the United States Government recognizes the importance of privacy protections, and is committed to working with the EU to safeguard personal information, we are concerned that GDPR, as currently framed, creates serious and unclear legal obligations that could have a widespread impact on transatlantic cooperation, law enforcement, and business operations.
And so far, the EU’s guidance issued for implementing the GDPR is vague and insufficient. American companies and the U.S. government do not have an adequate basis on which to comply with the law.
We are seeking a broader interpretation of Article 49 of the GDPR, which provides exemptions for data transfers that are necessary for “important reasons of public interest.” This would not only address our concerns with regard to WHOIS, but would also address the potential interruption of U.S.-EU cooperation in many other public interest areas.
Absent a broader interpretation of Article 49, a short-term moratorium on GDPR enforcement with regard to WHOIS may be necessary. If not, then come May 25, we anticipate registries and registrars will stop providing access to WHOIS directories and services. The loss of access to WHOIS information will negatively affect law enforcement of cybercrimes, cybersecurity, and intellectual property rights protection activities globally. To all of you who know the importance of these issues, I ask that you make your voices heard.
Another major priority area is our preparations for the International Telecommunication Union’s treaty-making conference – the ITU Plenipotentiary – scheduled for October.
The United States will be pressing for changes to the ITU, including establishing effective membership oversight. This is particularly important given the ITU’s roles in radiocommunication and development. We need an ITU that can be effective and efficient in performing its vital spectrum-management functions, and one that fosters pro-competitive policies for telecommunications, particularly in developing countries.
We will also need to push back against efforts to aggressively move the ITU into Internet-related and cybersecurity matters. A government-centric approach to cybersecurity would harm innovation and impede progress toward real solutions. While on the topic of the ITU, I would like to ask you to join our Administration in supporting Doreen Bogdan-Martin, who is the United States’ candidate for Director of the ITU Development Sector. Doreen, a former NTIA employee, was a champion of pro-growth and pro-competition policies during her time at NTIA.
If elected, Doreen would be the first woman on the ITU’s executive team. She is exactly the kind of leader that the ITU needs.
To close, I want to again thank the NSTAC members for your hard work. American innovation and our success in the global economy rely on an open, secure and resilient Internet ecosystem. Botnets and other automated, distributed attacks threaten the vibrancy of this great enabler. I know that if government and industry work together, we can solve our shared problems and pave the way for the next generation of life-changing technologies.