Speaking on the eve of the 11th anniversary of the 9/11 terrorist attacks, Napolitano said threats to the US’ cyber infrastructure were “one of the most serious and rapidly evolving threats” the nation faces. “The cyber domain has become inseparable from our daily lives”, a change that has transformed society in a positive way but has “also increased the complexity of a shared risk”, the Homeland Security secretary warned.
Napolitano noted that cyber attacks have increased “significantly over the past decade”, including the more than three years she has served in her current post. To put this into context, Napolitano said the United States Computer Emergency Readiness Team (US-CERT) responded to more than 106,000 reports of cyber attacks during 2011 – releasing more than 5000 security alerts to its public and private sector partners.
Cybersecurity professionals in the US and abroad have made “substantial progress” to protect the country from terrorism and other related cyber threats. The work, however, continues and requires even greater focus, she added. The problem in addressing these threats, Napolitano said, is that these networks are largely controlled by the private sector, yet affect each individual. At DHS, she continued, “we do this by fostering a culture of shared responsibility that engages all levels of society” and stakeholders.
But there are gaps in the current strategy, as Napolitano would highlight: “prevention is key; information sharing is key to prevention; but should an attack succeed, we need the immediate ability to know about it, to share information, to be able to respond, and [have] the ability to go into a mode where future attacks are prevented.”
The insinuation was that the DHS was working on these gaps, as she would subsequently review. But what was clear was Napolitano’s veiled reference to the floundering Cybersecurity Act, which the US Senate recently failed to pass. Senate Republicans, along with the US Chamber of Commerce, took issue with the heavily watered-down bill, criticizing it for its regulatory rather than voluntary incentive approach – and for putting too much power into the hands of the DHS. The department’s chief administrator, conversely, sees government’s role as that of partner with respect to cybersecurity, rather than as arbiter.
“At the Department of Homeland Security, we recognize that government alone cannot protect our nation”, Napolitano declared. “Security must flow from partnerships at all levels, and in particular with the private sector – where the bulk of the critical infrastructure is located.” She added that the private sector plays the most critical role in this process, because they are “on the front lines” of recognizing the early signs of any potential attack – whether it be cyber or physical. “The private sector has a direct responsibility” in this area, she continued, and part of the mission of the department she oversees is to assist private sector organizations in this effort.
“Information remains one of the most important tools for detecting threats early, and being able to act on them”, Napolitano told the audience. It’s DHS’ job in this area, she said, to provide private sector organizations – especially those responsible for critical infrastructure – with coordinated response and analysis of cyber incidents that culls information from across government organizations, both before and after incidents occur.
The nation’s cybersecurity framework, she opined, operates under a patchwork of statutes and executive orders that must be updated, clarified and streamlined. “The plain fact of the matter is that we need to address cybersecurity now, not in years to come”, the DHS secretary declared.
Then Napolitano, in parting, dropped the Cybersecurity Act challenge on the private sector: “Together we can – we must – maintain a cyberspace that is safe and resilient, and that remains a source of tremendous opportunity in the years to come. To that end, we need the private sector to establish baseline cybersecurity practices for the nation’s core critical infrastructure. We need the private sector to support capacity building for cybersecurity at a level that gives us confidence that the measures being implemented will achieve the desired effect”.