October 5, 2018  |  Updated October 25, 2018

#StratComDC – Secretary Kirstjen Nielsen on Cybersecurity Awareness

By Kirstjen Nielsen
On October 3, Secretary Nielsen addressed StratCom DC to outline how DHS plans to strengthen election security and increase cybersecurity awareness.

It is a pleasure to be here with you all here today. I want to first thank you all for participating in these types of events. It has become more and more important, and I will talk a little bit more about this in my speech, for all of us to play a role in understanding cyber threats and knowing what we can all do together to protect against them. So, I want to thank the Council and the House of Sweden for hosting us. These events are important, and I appreciate all of your participation and taking them seriously.

Fred and I go back a bit. We have actually done a few panels on cybersecurity over the years, and a lot continues to change. I think anyone who takes in this speech today, it would be tomorrow and the next day if you can keep up with all of the innovations and different types of attacks. I certainly don’t have to tell anyone in this room, though, that the threats against our nation in cyberspace are many and they are multiplying quickly. I know you’ve talked about this the last couple days.  Our adversaries are weaponizing the technology that has made our world faster, the same technology that makes us more innovative, the same technology that makes us more interconnected than ever before. In the past eighteen months alone, we have witnessed North Korea’s WannaCry ransomware spread to more than 150 countries which held healthcare systems hostage and brought factories to a halt. We also saw Russia probing our energy grid, compromising thousands of routers around the world, and unleashing malware which wreaked havoc and ended up being one of the costliest cyber incidents in history.  Queue a separate discussion about insurance and how we can prepare in that fashion against such attacks.

The headlines truly seem never ending, and to be frank, I don’t think they are going to stop. I think we are going to see more and more front-page news, unfortunately, with respect to cyber-attacks. As we speak, rogue regimes, hostile groups, are probing critical systems worldwide, searching for vulnerabilities. And without aggressive action on our part to secure our networks, it’s only a matter of time before we get hit, and hit hard, in the homeland. What worries me in this conversation is not what has been done but what they have the capability to do. Here, we have changed how we view this in an important way. We no longer assume that because a nation-state or a criminal organization has the capability that they will not use it. We are changing to a posture of assuming that if the capability exists, it could in fact be used against us, and we have to prepare accordingly.

So two weeks ago, the president released the National Cyber Strategy.  This is the first comprehensive cyber strategy we have ever had and the first cybersecurity related strategy we have had in about fifteen years. So, let’s talk a little bit about what has changed in fifteen years and what that means for our posture. Just out of curiosity, who here was working in the cyber realm fifteen years ago? That is consistent with most of us in Homeland Security. When I was at the cybersecurity council fifteen years ago, we would do top 10 lists of what we were concerned about post-9/11, and cyber was very difficult to get on that list. It was in my portfolio at the time and we had created a policy committee around 2004, 2005. It was very difficult to have cyber as part of the conversation because at the time we were so concerned about physical attacks. We also were concerned about the confidentiality of data.

Today, because so many of our critical systems rely on information, I am more concerned about the ability of that data to make our systems work, or even the integrity of that data, and we will talk about that more when we talk about election security. Not only can someone take your data, but they can prevent you from using it or change it in a way that makes it difficult for you to know what the real data is.  Fifteen years ago, a cyber-attack might have invaded a public site with a joke, a banner, or some side of activism. Today, it can manifest in physical compromise. Cyber weapons are deployed to disrupt and distract, which require much more sophisticated and complex defenses on our side. Fifteen years ago, the virtual and physical worlds were quite separate, but today they have collided, and we have seen how cyberattacks can cause actual physical effects. The norms of behavior in cyberspace have not kept pace with this reality. This is important. We have to as an international community begin to more aggressively have a conversation about what is prohibited, what is allowed, and what is expected when it comes to cyber activity.

Fifteen years ago, we still felt we could prevent cyber-attacks. Now we realize we must move toward resilience and redundancy. It is no longer if or when, but how often and how long can we withstand an attack and how can we innovate while under attack? Given the idea that that attack surface will be constantly manipulated. What do we do in the face of an attack? Fifteen years ago, the attack surface was quite small. Large attacks at times disrupted perhaps hundreds of thousands of devices at most. Today we are seeing billions of dollars of disruptions or damage in a matter of hours. Fifteen years ago, cyber was probably the problem of the “IT guy or gal”, who you might never met, until you got the spinning wheel of death on your email and then you wanted to become best friends with them. But now if your board does not have it at the top of every single agenda at every single meeting, it is unlikely that your company will continue to be competitive without cybersecurity. Today, the internet of everything enables all of us to be online at all times everywhere. What this means is that we are all potentially vulnerable to attack everywhere we go, everything we do, because of our smart devices. Some of us have wearable devices, and there is even digestible technology.

Today’s cyberspace can be seen as a target of attacks, it can be a weapon to launch an attack or an enabler to facilitate criminal and nefarious activities such as cybercrime or ransomware. It is long past time for us to catch up with the innovation that has occurred in the last decade and a half. I thank the president for taking important steps in moving forward with a cyber strategy.

The president’s cyber strategy complements our strategy at DHS, which we issue earlier this year, and together they will guide our efforts. We want to focus more on systemic risk, and I will talk about that a little more, securing networks, information systems, managing risk to our infrastructure, combating cybercrime, and of course, election security. This is another area where if you had asked anybody fifteen years ago if the Department of Homeland Security would have been focused on election security, I don’t think you would have received an affirmative response. So as technology grows, so does our mission space to be able to protect Americans. With only a month until it election day, our role in election security has never been more important. I know some of you heard from the Undersecretary Chris Krebs yesterday. I know he gave you some specific information to mitigate the threat but I want to touch on some of the things the administration is doing. At the heart of it is to ensure that every American can be sure their vote is counted and counted correctly. These are two separate parts of the equation that are equally important.

Unfortunately, in 2016, we did see targeting of our systems by the Russian government. There is a lot of confusion about what happened. There is a lot of confusion about what happened. Many have tried to politicize the issue and mischaracterize it. At the end of the day, it bears repeating, no votes were altered, but we did see things that are extraordinarily concerning. DHS initially identified 21 states that were targeted, mainly in the form of scanning or, in layman’s terms, checking to see if any doors or windows were open. Potentially to prepare for a future attack. All of this appeared to be an attempt to exploit vulnerabilities in our election infrastructure. We now believe all 50 states were likely targeted in the same way. Ultimately, and we want to be clear on this, any attempt, whether successful or unsuccessful to interfere in our elections is an attack on our democracy. It is unacceptable, and we take it very, very seriously. We know our upcoming election is a potential target. Our adversaries have demonstrated capability and will. We have talked a lot about misinformation campaigns and influence in the form of misinformation. I will not touch on that today only to say that we all need to be intellectually curious and make sure the news we read is from a legitimate source, and then make our own determination as to the validity of the information.

The midterms are being watched closely not only because of candidates or politics, but because of security. We are working with states and locals to protect their systems. States and locals are constitutionally charged with the responsibility to administer elections. We are providing information, intelligence, no-cost technical assistance, supporting instant response planning, and as part of that effort, we are working on clearances to make sure those who have a responsibility to operate the systems have the ability to receive information. We are also not letting that stand in our way. We are doing one day read-ins to make sure the people who need that information can receive it. We have provided a classified brief to some of the election sector vendors on the threats we are watching and will continue to do that in the weeks to come.

In 2016, there was not a clear process for sharing information. Setting up the right governance structure and making sure we have rules of the road are very important. In collaboration with our state and local partners, we have set up an election infrastructure for providing officials with timely information. We have all 50 states participating and over 1,100 jurisdictions. We are tailoring information, getting it out to those who need it in other sectors, but we are also helping state and locals understand their networks from an intrusion perspective. We have albert sensors deployed, about 94 deployed to date. For the midterms, about 90 percent of voters will live in an area protected by a and albert sensor. The president just issued an executive order to protect our elections from foreign influence. I do think this is a situation where there will be consequences, not only serves as a deterrent, but it makes it clear how seriously we take this in the international community. When you look at our strategy and the president’s strategy, you will see a collective partnership collaboration. It is not a government only effort. It should be clear to everyone now how important the public-private partnership is but cyber security is truly a team sport. We have a responsibility to do everything in our power to protect vital systems, but we know we cannot do it alone.

In July, we had the first ever cyber security summit which brought together some the most senior cybersecurity officials in the country. Some of you in the audience might have joined us there. What we tried to do was restart the public-private partnership to make sure both parts of the equation are getting benefits from it, which, of course, is the core of any partnership. We really try to focus on cross sector collaboration and how we can do it better. We’ve created a risk management center, and at the core of that, we are focused on the systemic layer. Where are the points of failure in our collective infrastructure? Where are the concentrated dependencies, interdependencies, and how will those cascading consequences promulgate, so we can take collective action together? We look forward to telling you more about that. We are working on some 90 day sprints and will have more to announce as we identify critical functions. But most importantly the center is driven by industry needs and we look forward to learning from them and how to help them better, given their unique operational environments.

Why am I here today? October is National Cyber Security Awareness Month. Last month was National Preparedness Month. We spent a lot of time talking about their areas hazards we worked with communities to prepare for. Cyber is one of those were takes all of us to play a role. Cyber truly, today, is an area where if we prepare individually we will fail collectively because we are all interconnected. My risk is your risk, and we have to find a way to collectively protect. There are actions each of us can take. This is the fifteenth year of this month. I hope it will be the greatest in terms of actions we all take together. One way to do it is to educate Americans on the simple steps they can follow. I think everyone here has been told to have a password, have a password that is strong. Your password should not be password or password with a capital p. But we able to find a way to universally strengthen how we do identity management control on the internet passwords really remain core. You must have a strong password. It’s something we’ll think about every day and we encourage others to do. We also want to make sure that we patch. There is a reason updates are sent out. It’s to reduce the attack surface. It’s important to understand what we are connected to and to take seriously the data we put online. Think of that as part of yourself that you are sharing. Be very clear who you are sharing it with and why, and what you expect them to do with it. I know privacy disclosures can go on and on, but they are worth reading at least one time. We are also working hard on the workforce. At DHS, we are looking at ways to better hire, better retain, better compensate professionals in the field. We are looking at creative ways to do that. We will continue to work with inter-agency partners on that.

Other than that, I want to tell you one public service announcement quickly before we go into the final call to action. At 2:18 today, very shortly, we will do the first national test of our National Wireless Emergency Alert System. This is another way we are trying to leverage the positive side of technology. Anyone who has a smart phone should get an alert today. This would be used only at time of a major, consequential national emergency. It’s one we have not used before. It is one we have not exercised before. So, 2:18, your phone should do something. We will see what happens. We really want everyone to be part of the strong links, to take action on your smart phones, your computers, your businesses, within your communities, make cybersecurity part of what you do every day, protect your information. Do the basic hygiene. We have a lot of resources on our websites. We have a lot resources on our website, so I encourage you to look at those, and make sure you implement them in your daily life.

I want to thank the Atlantic Council again for hosting us. We look forward to partnering with many of you. Feel free to reach out to us. We are always looking for new and innovative ways to do collective defense. I think you will see us taking a lot of aggressive action, using the whole of government to provide consequences to nefarious actors and to make sure collectively that we are identifying what is of value and what we can do to protect it.  Thank you for having me.  I appreciate you for taking the time to take part in this.  Hopefully, I will have time at lunch and enjoy the beautiful view.  Thank you very much.

You can find footage of Secretary Nielsen’s address here.

Sign up for more information