Secretary Mayorkas Outlines His Vision for Cybersecurity Resilience
On March 31, Secretary Mayorkas outlined his vision and roadmap for the Department's cybersecurity efforts in a virtual address hosted by RSA, in partnership with Hampton University and the Girl Scouts of the USA. His prepared remarks are below:
Good morning. I am Alejandro Mayorkas, Secretary of Homeland Security. It is a pleasure and an honor to be here with you today.
Thank you, Professor, for the kind introduction. I am thankful that Hampton University, a historically Black university and recognized Center of Excellence in cybersecurity, has joined us for today's event.
My thanks to the RSA Conference and the Girl Scouts as well, for partnering with us today.
I want to especially commend the Girl Scouts for its program in awarding cybersecurity badges to girls and young women. The program speaks proudly and strongly to our future of greater cybersecurity. It also speaks more profoundly of a better future altogether. Today is the last day of Women's History Month, and the words of the Girl Scouts' then-CEO, the architect of the cyber badge program, speak especially powerfully now and about the subject of our event: "We don't lead through fear. We are raising girls to be courageous, confident people. We're giving them the skills to be fearless."
Partnering with the Girl Scouts, RSA Conference, and Hampton University is exactly the type of alliance we need to achieve cybersecurity resilience.
Before I share with you my vision for the Department's cybersecurity work moving forward, allow me to share several hard truths.
First, the government does not have the capacity to achieve our nation's cyber resilience alone. So much of our critical infrastructure is in the private sector's hands. We need to work with the private sector to protect the interests of the American people and the services on which we rely. We need organizations like the Girl Scouts and Hampton University to inspire and mobilize the next generation of diverse talent to help us tackle what remains a monumental challenge.
Second, our government got hacked last year and we didn't know about it for months. It wasn't until one of the world's best cybersecurity companies got hacked itself and alerted the government that we found out. This incident is one of many that underscores a need for the federal government to modernize cybersecurity defenses and deepen our partnerships.
Third, the government seeks to speak with one voice but too often we speak through different channels, which can confuse and distract those who need to act on our information and act fast.
We must confront these realities to develop a vision that allows us to overcome the challenges and improve our cyber resilience.
Allow me to outline the principles that will guide our work in this area moving forward, my vision for the Department as we work to realize the Biden-Harris Administration's cybersecurity strategy, and the road map for how we plan to operationalize it.
Five principles are foundational for how we think about our work.
To start, we cannot ignore the broader geopolitical context and democratic backsliding that is happening around the world. Far too often, cybersecurity is used as a pretext to infringe on civil liberties and human rights.
Make no mistake: a free and secure cyberspace is possible, and we will champion this vision with our words and our actions. At the end of the day, cybersecurity is about people. It is about protecting our way of life and protecting what we hold dear.
Second, we must fundamentally shift our mindset and acknowledge that defense must go hand in hand with resilience. Bold and immediate innovations, wide-scale investments, and raising the bar of essential cyber hygiene are urgently needed to improve our cyber defenses. We need to prioritize investments inside and outside of government accordingly.
At the same time, I promised hard truths and one hard truth is that no one is immune from cyber attacks, including the federal government or our most advanced technology companies. While one can reduce the frequency of incidents through modernized defenses, ultimately it is not a question of if you get hacked, but rather when. We must therefore also bolster our capacity to respond when incidents do happen.
To advance the federal government's ability to prevent and respond to cyber incidents, the Administration is working on nearly a dozen actions for an upcoming Executive Order. More details will be shared soon. The U.S. government will improve in the areas of detection, information sharing, modernizing federal cybersecurity, federal procurement, and federal incident response. The federal government must lead by example at a time when the stakes are so high.
Pursuing cyber resilience requires a third principle, namely a focus on a risk-based approach. Determining what risks to prioritize and how to allocate limited resources is crucial to maximizing the government's impact. A fact-based framework needs to guide the assessment of risk at home and abroad.
Relatedly, addressing the most important risks is a shared responsibility. We must strengthen collaboration between the private sector and government to generate the insights necessary to detect malicious cyber actors. If actionable, timely, and bidirectional information is not distributed quickly, malicious cyber actors will gain the advantage of more time to burrow into systems and inflict damage.
The final principle is to integrate diversity, equity, and inclusion — or DEI — throughout every aspect of our work. Developing sound public policy requires diverse perspectives from communities that represent America. It requires the recruitment, development, and retention of diverse talent. It requires equal access to professional development opportunities to fill the current half million cyber vacancies across our country and to prevent future shortages that threaten our ability to compete.
These five principles are the foundation of my vision. At its center is the Department's Cybersecurity and Infrastructure Security Agency, or CISA as it is commonly known.
President Biden has made cybersecurity a top priority for his administration. We have elevated cybersecurity with the first ever Deputy National Security Advisor for Cyber, Anne Neuberger. That role was filled on day one of this Administration. In just the first two months, the Administration has made significant strides in remediating the impact of the SolarWinds and Microsoft Exchange incidents and we continue to work urgently to make the investments necessary to effectively defend the Nation against malicious cyber activity. Deputy National Security Advisor Neuberger is coordinating a whole-of-government response to build back better and modernize our cyber defenses. We are working closely with Congress and the private sector to get this done.
We know that CISA is integral to this objective. As some have said, the government needs a quarterback on its cybersecurity team. CISA is that quarterback.
Created less than three years ago as the country's national cyber defense center, CISA has already proven its immense value. Last year, CISA protected the integrity of the 2020 election against foreign interference. The agency has also become the Nation's risk advisor and is responsible for much more.
Among my top priorities as Secretary is to strengthen CISA to execute its mission. I am particularly grateful to Congress for further empowering CISA in recent months by providing it with additional authorities and resources.
CISA, as the Nation's cyber quarterback, is well positioned to address the hard truths I outlined earlier.
The new authorities Congress provided to CISA will enable it to proactively hunt for intruders on civilian federal government networks, shortening the amount of time they remain undetected. Once detected, CISA will continue to take action and work with civilian federal agencies to minimize risk. CISA is also expanding its ability to offer shared services based on security-by-design for these agencies. This will raise the bar and make it harder for malicious hackers to gain access in the first instance.
CISA is the private sector's most trusted interlocutor and is clearly best positioned to be the tip of the spear and the front door for the U.S. government's engagement with industry on cybersecurity.
We will therefore soon launch an awareness campaign to ensure private companies — large and small — know of the resources and services CISA has to offer. We also plan to launch an expanded cybersecurity grant program to facilitate and support the adoption of those services.
With its strong and deep network of partnerships, CISA is the ideal nexus for the government to mobilize action and advance cyber resilience across all sectors and at every level of government. CISA's role in leading national efforts to secure the 2020 election illustrates what we can accomplish through strong partnerships, a clear vision, and an appropriate sense of urgency.
Looking ahead, expanding CISA's footprint across the country will be critical to institutionalize and maximize its network of partnerships. CISA is already moving ahead with placing State Cybersecurity Coordinators across the country, deepening its longstanding relationships from coast to coast. The Department is also working on a proposal for a Cyber Response and Recovery Fund that will further augment CISA's ability to provide assistance to state, local, tribal, and territorial governments.
Of course, we know that even the best quarterback can't win a game alone. CISA fulfills its lead role for national cyber resilience in collaboration with other agencies at every level of government. This includes federal law enforcement agencies who bring cyber criminals to justice. Our Intelligence Community, which focuses on better understanding how our cyber adversaries intend to compromise American networks. And other agencies with the capability to impose costs on malicious cyber actors. This also includes the National Cyber Director — a newly created Senate-confirmed position that our Administration is committed to position for success.
Beyond CISA, the Department has other unique capabilities it brings to bear to better protect the nation against cyber threats. The U.S. Coast Guard, which is also part of DHS, plays a critical role in increasing the cyber resilience of the maritime transportation system through which 90 percent of U.S. imports and exports — worth $5.4 trillion — pass. The Department will continue to implement the National Maritime Cybersecurity Plan released by the previous administration to enable the Coast Guard's important work in this area.
The Department will also empower the Transportation Security Administration to increase the cyber resilience of other transportation systems — from rail to pipelines — that fuel so much of our economy.
Last and certainly not least, the Department will continue to ensure the U.S. Secret Service and ICE's Homeland Security Investigations remain well positioned to combat 21st century crimes.
Let me be clear: the numbers are staggering. According to the FBI, the reported losses tied to cybercrime exceeded $4.1 billion last year alone. The Secret Service arrested more than 1,000 people for cyber-financial crimes and prevented over $2 billion in potential fraud losses.
These numbers highlight that cybersecurity is not some abstract concept or a threat limited to the government or critical infrastructure. Hackers target American citizens directly every day and impact their lives at a time when we have experienced unprecedented hardships. Communities of color across the country are disproportionately impacted through this activity.
Many of these crimes are transnational in nature and require international cooperation to address. Fighting cybercrime more effectively therefore also reflects the Biden-Harris administration's commitment to a foreign policy for all Americans. We must align our foreign policy priorities and international partnerships accordingly.
Finally, and this applies to everything I have said so far: DHS must lead by example. We must have our own house in order before we can expect others to heed our advice. We must model what effective partnerships look like. We must ensure our own workforce is reflective of the communities we serve.
So, how will we move from vision to action?
We will proceed along two tracks.
First, I am announcing today a series of 60-day "sprints," each focused on the most important and most urgent priorities needed to achieve our goals. Second, we will focus on four medium-term priorities that will receive my sustained attention over the longer term.
The series of sprints will mobilize action by elevating existing efforts, removing roadblocks, and launching new initiatives where necessary.
Each sprint has a dedicated action plan to drive action within the Department and energize our engagement with partners in the private and public sectors, both domestically and internationally.
The first sprint will focus on the fight against ransomware, a particularly egregious type of malicious cyber activity that usually does not discriminate whom it targets. It is malicious code that infects and paralyzes computer systems until a ransom has been paid. Individuals, companies, schools, even hospitals and other critical infrastructure have been among the victims.
Let me be clear: ransomware now poses a national security threat.
Last fall, CISA and its government partners issued a joint alert warning of increased ransomware attacks that could paralyze hospitals and other health care facilities. There are actors out there who maliciously use ransomware during an unprecedented and ongoing global pandemic, disrupting hospitals as hundreds of thousands die. This should shock everyone's conscience.
Those behind these malicious activities should be held accountable for their actions. That includes governments that do not use the full extent of their authority to stop the culprits. We must condemn them for it and remind them that any responsible government must take steps to prevent or stop such activity.
We will do everything we can to prevent and respond to these horrendous acts. And we call on others around the world to do the same.
In the coming weeks, the Department will step up our efforts to tackle ransomware on both ends of the equation. With respect to preventing ransomware incidents, we will take action to minimize the risk of becoming a victim in the first place. We will launch an awareness campaign and engage with industry and key partners, like insurance companies. With respect to responding to ransomware attacks, we will strengthen our capabilities to disrupt those who launch them and the marketplaces that enable them.
Closely related to this first sprint is the second sprint focusing on the cybersecurity workforce. We cannot tackle ransomware and the broader cybersecurity challenges without talented and dedicated people who can help protect our schools, hospitals, critical infrastructure, and communities.
During the workforce sprint, which we will launch next month, we will focus on several elements. Front and center is support for our current workforce, who have done a heroic job protecting the election and now responding to two major incidents.
In addition, we will set an example and launch a DHS Honors Program with an initial focus on cybersecurity. We will also start publishing DHS's DEI data and step up our internal DEI strategy to ensure we are attracting, developing, and retaining the best diverse talent.
Beyond DHS, we will champion DEI across the cyber workforce of the entire federal government.
To this end, I am excited that we are partnering with the Girl Scouts today and exploring additional opportunities for us to collaborate in the future. To further help inspire the next generation of diverse cyber talent, we will also expand our cybersecurity education and training program that has reached over 25,000 teachers so far.
Later this summer, we will launch our third sprint focused on mobilizing action to improve the resilience of industrial control systems. The cybersecurity incident at the water treatment facility in Florida last month was a powerful reminder of the substantial risks we need to address.
The last three sprints for the coming year will focus on better protecting our transportation systems, safeguarding election security, and advancing international capacity-building.
While the series of sprints will drive action over the coming year, we will also focus on several medium- to long-term priorities that will have my sustained personal attention.
First, we need to cement the resilience of our democratic infrastructures. We have made great progress to protect the integrity of elections, which we will need to continue to safeguard in the years to come. We must also improve the resilience of the other infrastructure our democracy depends upon. Several high-profile attacks against our allies and partners are warning signs that we must focus on securing all our democratic institutions, including those outside of the executive branch.
Second, following last year's supply chain compromise targeting the federal government, we must build back better. This cannot be done in a sprint, as it will take months or even years to fully implement. We are grateful to Congress for the support provided to CISA through the American Rescue Plan, which is a down payment to address this urgent challenge.
Third, the exploitation of SolarWinds highlighted that we need to think about supply chain risks holistically. While some risks are clearly associated with certain foreign companies and governments, we need a risk-based approach to ensure we address all systemic supply chain risks. Bearing in mind that 100% cybersecurity is not possible, this includes considering zero trust architectures where needed to reach the level of resilience required.
Finally, we must ensure that our work is not driven only by the crisis of the day. We must get ahead of the curve and think long term. It is imperative to dedicate senior leadership attention to strategic, on-the-horizon issues.
For example, the transition to post-quantum encryption algorithms is as much dependent on the development of such algorithms as it is on their adoption. While the former is already ongoing, planning for the latter remains in its infancy. We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future.
This is a priority and DHS will start developing a plan for how it can help facilitate this transition. Considering the scale, implementation will be driven by the private sector, but the government can help ensure the transition will occur equitably, and that nobody will be left behind.
For too long, cybersecurity has been seen as a technical challenge couched in bureaucratic terms. But cybersecurity is not about protecting an abstract "cyberspace." Cybersecurity is about protecting the American people and the services and infrastructure on which we rely.
With over $4 billion in cybercrime losses reported to the U.S. government last year alone, it affects the wallets of Americans across the country, often the most vulnerable — elderly and unemployed individuals reliant on government assistance, communities of color, and American families. And as we have seen with the wave of ransomware attacks and intrusions into critical infrastructure, cyber threats are coming dangerously close to threatening our lives.
We need to be clear-eyed that this is also about protecting democracy at home and abroad.
For this reason, today's event is designed to outline a vision and to provide a road map. I could not imagine a more ideal group of partners to launch this call for action than the RSA Conference, Hampton University, and the Girl Scouts. I look forward to what we all can accomplish together in the months to come.