Remarks as Prepared
Good afternoon. It’s an honor to be here today. I’d like to begin by thanking those who made today possible. First, thank you to DHS for inviting me to join you. I applaud Secretary Mayorkas and the whole DHS team for convening such a distinguished group of leaders to focus on cybersecurity as a priority for our region.
Also, my sincere thanks to our host, the Organization of American States, for welcoming us into the truly magnificent Hall of the Americas. As I stand here, I’m reminded of our bonds under the UN Charter and Inter-American system, the pillars of democracy, human rights, security, and development that link us today.
This hits particularly close to home, for while I am the Acting National Cyber Director at the White House, I’m also Caribbean-American. My family is from the Bahamas, where I spent much of my childhood growing up and visiting relatives. There, I learned firsthand the ties that bind us across the Western Hemisphere, and the shared values, culture, and history that unite the Caribbean with partners to the north and south.
And while I know I am discussing the U.S. National Cybersecurity Strategy, I want to emphasize that our strategy recognizes the reality that cyberspace is, at its core, a borderless, globally inter-connected domain. Our collective cybersecurity in Argentina, or the Bahamas, or Peru matters. For we are only as secure as our international partners.
I’ve also seen how rapidly the Bahamas has transformed over the years with new technological developments, and the potential for even more digital transformation in our region. I believe that everyone should reap the benefits of cyberspace. That’s the mission of my office—in the White House—to ensure that all communities thrive and prosper in our digital ecosystem. And we’re hard at work driving that mission into a reality, along with international partners, government at all levels, academia, NGOs, and the private sector.
So, I’m thrilled to be here today to talk about the President’s National Cybersecurity Strategy and why it matters—not only for Americans, but for allies and partners around the world, and especially those in our own hemisphere. The President is clearly committed to moving the United States towards a more equitable economy, a clean energy transition, a stronger democracy, and a more competitive workforce.
And this Administration has made generational investments towards the President’s vision for America – through not only the Strategy but also the Bipartisan Infrastructure Law, the CHIPS and Science Act, and the Inflation Reduction Act. But at the end of the day, all of these initiatives rely upon technology and are strengthened by it. And building a strong cyber foundation at the outset is key to their success.
Cybersecurity’s importance is evident in our critical infrastructure. It underpins the very energy, water, and transportation systems that serve our homes, schools, workplaces, and hospitals. These essential services are vital for the U.S. government, but also for our allies and partners.
They are vital for our industries and companies. They are vital for information sharing and intelligence purposes. And for ensuring data privacy and protection and human rights. We defend our critical infrastructure in cyberspace because it powers our daily lives, economic prosperity, tech innovation, and values we hold dear.
And we know that we can pursue our boldest goals, at home, and around the world, if we start by constructing a resilient and secure cyber bedrock. Goals like rapid, high-bandwidth communications that enable collaboration, commerce, and cultural exchange; goals like a power grid capable of distributing renewable energy across vast distances with acute precision. And goals like an Internet that strengthens democracy around the globe.
And that was our starting point when our office was asked to lead a whole-of-government effort to draft a new National Cybersecurity Strategy. The President signed this Strategy in March earlier this year, which aligns with and nests under the National Security Strategy.
As we shift our perspective, it becomes obvious that cybersecurity is more than a national security issue. We need to broaden our perspective. It’s time to look at cyberspace beyond the hard-security lens.
We’ve been tremendously pleased with the National Cybersecurity Strategy’s warm reception from thought leaders around the world and across the cyber community. We’re also seeing a newfound awareness of the global application of the Strategy, and the clear parallels between our Strategy and those of other countries, including in the Western Hemisphere.
Personally, I have been truly impressed by the vigorous energy of all the people across our government and private sector now focused on bringing the strategy to life through implementation. Turning back to our goals – our ultimate aim in the President’s Strategy is a digital ecosystem that is more defensible, resilient, and aligned with our values. But what do those words actually mean in practice?
First, defensible. Defensible means that defenders, not attackers, are positioned to greatest advantage. And this is because we’ve developed systems that are secure by design, where security is intrinsically baked in, not tacked on as an afterthought. Second, resilient. Resilient means that even if our defenses fail, we are able to avert catastrophe and quickly recover, without lasting systemic effects. And, third, aligned with our values. The Strategy recognizes that technology molds—and is molded by—society.
Technology itself does not generate values, rather it reflects the values of its designers and users. As we’ve seen, technology can propel unimaginable progress, from spreading access to information and education in rural corners of the globe, to delivering medical miracles through lifesaving treatments. But on the other side of the coin, technology can also be abused by designers and users who use it to manipulate, oppress, or disinform communities, sowing doubt and fear in democratic systems.
We have to actively define and assert our values in the way we build our digital world. This strategy was not created in a vacuum. We very intentionally are using past cyber policy and strategies as the foundation for our efforts. But we knew we needed to go even further and be bolder than before.
The truth is that we need to make some fundamental shifts in the way our digital ecosystem works, which will clearly have momentous global implications. This is where President Biden’s strategy takes a new approach. First, we need to rebalance the responsibility for managing cyber risk—rethinking whom we ask to keep all of us secure. Currently, our public and private sectors, not just in the United States, delegate responsibility for cyber risk down to the least resourced actors in our ecosystem.
This means we are asking—small businesses, individuals, and local governments—to take on the load and responsibility for defending us all. We ask my elderly relatives to maintain constant vigilance against accidently clicking suspicious links. We ask local hospitals to go head-to-head with transnational criminal organizations, mostly by themselves. And while this is unjust, it’s also not working.
The largest, best positioned, and most capable actors in our digital ecosystem can and should take on a greater share of the burden for managing cyber risk and keeping us all safe. And that includes the U.S. Federal government, along with you, our allies and partners’ national governments.
Together, we must do a better job of leading by example—defending our own systems and sharing relevant and timely information with the private sector and with each other. But it’s not just on us. We expect that same leadership from the private sector too. That includes: Multinational companies; cloud service providers and other internet infrastructure companies; the developers of software and the manufacturers of hardware; and other key players in our technology ecosystem. It’s time for us to work side-by-side, together.
Everyone should be able to benefit from cyberspace. But every citizen should not have the same responsibility to keep it secure. Yet, re-orienting the responsibility for cyber risk won’t solve all our problems if we don’t re-orient our thinking away from quick fixes. It’s time for us to think in terms of long-term solutions.
Second, we must invest in cyber resilience. It’s not enough to manage the threats of today; we need to make tomorrow more inherently defensible and resilient. While I know how often our attention as national leaders is drawn to the crisis of the day or short-term solutions, that mentality will not help future generations. From government bureaucrats and policymakers, to industry titans or average citizens, everyone is trying to make smart decisions online. But we all are confronted with pressing near-term, risks, legal requirements, and commercial incentives.
And we have to admit that we are not moving fast enough in this whack-a-mole game of tackling each threat one-by-one. Instead, we need to change the underlying rules of the game to give ourselves the advantage.
It’s time for us to make sure that the odds are stacked on our side. To do that, we need to make it so that when public and private sector entities face trade-offs between easy but temporary fixes and harder solutions that will stand the test of time, they have the incentives they need to consistently choose the latter.
Rebalancing the responsibility to defend cyberspace and incentivizing investments in a resilient future: — these are the fundamental shifts that guide the President’s strategy.
We understand that we cannot accomplish any of the shifts outlined in this Strategy without you – our allies and partners. And so, I’d like to turn to pillar five of the Strategy—forging international partnerships to pursue shared goals.
Regional coalitions are the foundation of our efforts—and in the Western Hemisphere we recognize the tremendous role that the OAS, and particularly the Inter-American Committee Against Terrorism plays in buttressing cybersecurity training, capacity, and national cyber strategies and policy development in our region. I commend CICTE for their significant investments and ongoing efforts.
When it comes to capacity building, we will reinforce our efforts to partner with other countries –both in enhancing our ability to provide support in response to acute cyber incidents and through long-term, institutional capacity building. And that’s why when Costa Rica was hit by destructive ransomware attacks last year, the U.S. government announced we would provide assistance dollars to help establish Costa Rica’s national cybersecurity operations center.
At the same time, we at the White House know that cybersecurity at its core is not about technology. It’s about people. Making sure that all levels of government understand their roles and responsibilities is essential, and that’s part of our job here in America.
And so, we’ve gone out to share our lessons learned with other countries as they structure their own national cybersecurity strategies and interagency, from military to civilian agencies involved in cyber. For example, my team has traveled to Bogotá on multiple occasions to meet with the Colombian government and Congress and share our experience and lessons learned as Colombia looks to establish a national cybersecurity agency.
In addition to capacity building, the United States is committed to promoting a values-driven, norms-based approach to upholding responsible state behavior in cyberspace. And we will continue advancing accountability when states fail to live up to their commitments.
Finally, we are focusing on building secure and resilient global supply chains for information communications technology and operational technology products and services. We know the importance of ensuring that trusted vendors are baked in at the forefront of our critical supply chains and 5G and next-gen wireless networks.
Now, some of you may be asking – what comes next? My office, along with our interagency partners, and the kaleidoscope of stakeholders involved in cybersecurity, are now putting our energy behind the implementation of the President’s Strategy.
We released a public-facing Implementation Plan earlier this summer, which is a clear roadmap that specifically outlines which departments and agencies are leading more than 69 high-impact federal initiatives from the Strategy. My office is leading several of these initiatives, as well as coordinating the whole-of-government progress towards these goals, and will update this plan annually to ensure we are transforming the Strategy into reality.
To that end, I want to highlight two opportunities for interested stakeholders to provide your feedback on two initiatives in the strategy –regulatory harmonization and open-source software security. We currently have two requests for information available on White House.Gov that are open to the public for comment and they close next month.
Also, this summer, as part of the Strategy’s implementation, we released a National Cyber Workforce and Education Strategy to address immediate and long-term cyber workforce needs, which we know is a critical issue for our allies and partners as well. As we implement the workforce strategy, we know we have much to learn from our hemispheric partners and look forward to working together to tackle this challenge around the world.
In closing, thank you again for the opportunity to speak this afternoon. It is a privilege to be here discussing the importance of cybersecurity in the Western hemisphere. I look forward to rolling up our sleeves and working together to advance a digital future that is defensible, resilient, and aligned with our values.