Good morning. I want to start by thanking the National Cyber Security Centre, organizers of CYBERUK, for the opportunity to speak to this group today.
I would be remiss if I didn’t take a quick moment to acknowledge the face of cyber right now. I’m honored to be here with Lindy Cameron, CEO of NCSC. I also want to recognize Britain’s new, and first female director of GCHQ, Anne Keast-Butler. And I want to note some of my American colleagues: Anne Neuberger on the National Security Council, Jen Easterly who leads the Cyber Security and Infrastructure Security Agency, and Avril Haines, the Director of National Intelligence.
This is what cyber and intelligence looks like in 2023. And it is just outstanding.
It is a momentous time in Northern Ireland’s history. On the heels of the 25th anniversary of the Good Friday Agreement, peace and stability in the region are primary contributors to the thriving tech economy that calls Northern Ireland, and Belfast in particular, home.
It is inspiring to see the technological innovation that is rooted in this dynamic hub of global trade, investment, and talent. We celebrate your success and President Biden remains deeply committed to your political, social, and economic progress.
Not only is this a pivotal moment in Northern Ireland’s history, but it is a similarly decisive moment for the future of cyberspace.
While information and communications technology expand into new areas of the economy and our daily lives, the choices we make today will determine the contours of our digital ecosystem for generations to come.
As we prepare for and adapt to this changing landscape, we also face evolving threats from sophisticated nation-state adversaries and common cyber criminals alike.
Our adversaries increasingly look to cyberspace as a venue to promote their values and advantage their own parochial interests. And we all know that cyber is now commonly used to wage geopolitical conflict.
As a global community of like-minded nations, we must define and pursue an affirmative vision for the future of our shared digital ecosystem – a vision that recognizes that cyberspace’s true purpose is to enable all of the other amazing things we want to do.
Securing ourselves against threats is not the only thing that matters when it comes to cyberspace; it’s not even the main thing!
Fixating on security is a distraction—one our adversaries are all too happy for us to adopt.
If we build a defensible and resilient cyber foundation, we can pursue our boldest goals with confidence.
Goals like an electrical grid capable of distributing renewable energy across vast distances with pinpoint, real-time precision. Goals like high-bandwidth, instantaneous communications that enable collaboration, commerce, and cultural exchange; and goals like an Internet that upholds our commitment to the rules based international order.
Each of these goals depends on—and is enhanced by—technology. And beginning with a strong cyber foundation is essential to their ultimate success. It is this affirmative vision for cyberspace that shapes President Biden’s new National Cybersecurity Strategy, which I was proud to present last month.
In the strategy, we aim to make our digital ecosystem more inherently defensible, resilient, and aligned with our values. Defensible means that we’ve tipped the advantage from attackers to defenders by designing systems where security is baked in, not bolted on. Resilient means that when defenses fail—which they sometimes will—the consequences are not catastrophic and recovery is seamless and swift. And we will tackle head-on the fact that technology shapes—and is shaped by— the rest of our society.
Technology does not, itself, represent a value system. It carries with it the values of its creators and operators. Technology can bring great advancement, from groundbreaking vaccines to essential services for the underserved. But it can also be used to malign people and undermine confidence in our institutions.
We have to actively define and assert our priorities in the way we build our digital world. But to achieve these objectives, we have to make some fundamental shifts in the way our digital ecosystem works, shifts that, to date, the United States government has not required.
First, we need to rebalance the responsibility for managing cyber risk—rethinking whom we ask to keep all of us secure. Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. o This isn’t just unfair—it’s ineffective. The biggest, most capable, and best positioned actors in our digital ecosystem can and should do more.
Government must do a better job of leading by example—defending our own systems and sharing relevant and timely information with the private sector. And we expect that same leadership from industry – like cloud service providers and the developers of software and the manufacturers of hardware – too. We need to step up and work together, shoulder-to-shoulder.
However, simply shifting the burden for security won’t solve all our problems if we don’t start thinking about long-term solutions. We all face very real near-term risks, legal requirements, and commercial incentives. But it’s not enough just to manage the threats of today; we need to make tomorrow more inherently defensible and resilient so that those threats are made increasingly irrelevant.
To do that, we need to make it so that when public and private sector entities face trade-offs between easy but temporary fixes and harder solutions that will stand the test of time, they have the incentives they need to consistently choose the latter.
Putting into practice this affirmative vision for the future of our digital ecosystem will depend upon our ability to work together. And that includes working with our international partners.
Everything we do in cyberspace is made more effective when we do it with our partners abroad.
We are committed to deepening these partnerships in order to:
- Disrupt ransomware actors and other cyber criminals;
- Build the capacity of partner nations to resist aggressors in cyberspace and beyond; and,
- Through this collaboration, we will actively and affirmatively shape the digital ecosystem to further our aspirations, reinforce our values, and defend our interests.
What I find most encouraging about this affirmative vision is how many other countries see things the same way. I think in terms of music, and in my view, the President’s strategic approach is just one voice in a rising global chorus about what “right” looks like in cyberspace.
We all agree that our shared digital ecosystem should be made more secure in order to further our prosperity and our values. Now, we have an opportunity to further deepen our collaboration and partnership to make this vision a reality.
I hope you all will lean in with me. There’s so much we can accomplish together.
So, thank you to the organizers of CYBERUK for creating such an excellent forum to have these discussions.
And thank you, again, for the opportunity to speak before this audience.