Cybersecurity: the Digital Economy, the Cyber threat and the Public-Private Response

Building Resilience through Public Private Partnerships Conference

Department of Homeland Security

July 31, 2013

Vice Chairman, CIB, Citi

It is a great pleasure to welcome you here today. I would like to thank our hosts, the Department of Homeland Security, FEMA and the American Red Cross, for a fantastic day yesterday and for bringing us all together -- private and public sectors -- again today, as we move from the discussions on emergency preparedness to cyber security.

My job this morning is to wake you up, and tee up our speakers and the debate we will have throughout the day. I may even get you to spill your coffee.

In 1940, with 17% unemployment, an anti-business philosophy and the 18th largest army in the world, FDR began preparation against the greatest threat of his time by reaching out to the private sector – the CEOs of General Motors, US Steel, Sears, among others. And there began the most successful public private partnership of our time.

As one reads the recent Defense Science Board Task Force report on cybersecurity, one cannot help but conclude that our nation faces, our industry faces, and our citizens face the digital era equivalent of an alarming military threat that yet again will require public private partnership of historic proportion. The conclusion of the Task Force report is sobering: “It is not possible to defend with confidence against the most sophisticated cyber attacks.” “The adversary is in our networks.”

The digital era can be characterized by an explosion of data -- to the tune of 3 zettabytes -- mobile device proliferation, home banking, cloud storage, social networking, software as a service, GPS and NFC, remote access and bring your own device (BYOD), and IT outsourcing, just to name the most important. Each of the above holds out the hope of great promise for our society; yet each brings with it the potential perils of cyber-security threats.

The digital era reality is that hacking is now a service, Saudi Aramco can be shut down and NASA hacked. The Syrian Electronic Army can pretend to be the AP and spook the markets. At the rate of 7,000 per day, Distributed Denial of Service attacks continue. Three out of four financial institutions have been attacked. Dropbox cloud storage can be penetrated. IT outsourcing service providers create new vulnerabilities, as do SME service providers to governments and large corporates. Blackhole malware toolkits delivered through "Software as a Service" target our networks. Mobile device hackers target the weakest links in the chain, a chain through which citizens and customers increasingly utilize PII and execute financial transactions. There were 74,000 new unique malicious web domains in 2012. 25% of data is encrypted during exfiltration. Over 600,000 identities are exposed per breach. Large-scale attacks seek to destroy infrastructure, not make money, and web-based attacks are up by a third. The US hosts 2/3 of the global spear phishing sites and over a third of the world’s botnet Command and Control servers. The newest technologies, from NFC to location-based capabilities, act like a lightning rod for cyber criminals. Server-side polymorphism, where code is mutated from the server, is now at unprecedented levels. The number of phishing sites spoofing social media sites is up 125%.


Worse yet, we have government actors able to fund the modern day equivalent of a nuclear arms race. Single-tier traditional perimeter security systems are today’s Maginot Line. Industrial control systems (SCADA) that control chemical facilities and public utilities have blurred the lines between cyber and physical security. Hardware is as vulnerable as software. Networks that control our financial markets and hospitals are under siege. Tier V and VI attackers have redefined "fat tail risk" not just for the financial system but for the entire US economy. And the red teams are still winning.

The digital age of public private partnership:

Today, amidst these challenges, we explore new public and private partnerships. Let me throw out a few examples and ideas for our discussion.

First, we need to profoundly expand R&D partnerships to explore cyber-security challenges; think RAND in the 1950s and 60s. This will of course require new conceptual frameworks for who to bring inside the tent and who should be left out. The lines are more difficult to draw than they may have been in the past.

As government works together with the private sector on protecting citizen and consumer identities, multifactor identity security (including biometrics, data analytics, and device identification) will replace passwords. The framework for identity protection in the future will require intense cooperation among multiple players.

As was discussed yesterday in the sphere of natural disasters, we need resilience and redundancy, testing and metrics in order to be successful. We should systematically develop national core financial enterprise resilience with the same vigor that we fight physical wars and protect our nuclear capability. A critically important tool is war gaming. An excellent example of public private cooperation in this area is the work that has been done between the securities industry and the DHS Science and Technology Division to develop technologically compatible ways to mimic cyber attacks on our capital markets.

Data analytics is another area for increased partnership: cooperation in big data analytics that will, for example, allow a further move away from manual intrusion detection toward analytics that detect intrusion from within networks is vital. This area is often a highly classified arena. Exploring ways to deliver select black box capabilities to the private sector, and to develop clearance procedures in this space, will be critical to exploiting this powerful tool.

Continued increased communication: we already have some replicable experience in public private communication to build on. For example, 3 days after the 2012 Distributed Denial of Service attacks on the financial services industry, the FBI brought together industry participants, law enforcement, intelligence and national security officials to quickly establish communication protocols that have been extraordinarily effective. The recent fizzle of the Al Qassam attacks in part reflects the intensity of this communication.

We have the day to discuss these and other ideas on how we together confront the challenges of cybersecurity. It is a call to action. May it meet with the same success that we have had at other times in our nation’s history.

Thank you.
