February 7, 2024
Remarks As Prepared for Delivery
Thank you, Jason, for that introduction.
I’m excited to join you all this afternoon to kick off this event.
I had my left knee replaced two weeks ago so I may not be able to kick as hard as before. And I still can’t get into my dress shoes – so I hope you’ll forgive me for wearing my Air Jordans. I heard I needed to kick this thing off so I’ll take the power of any athlete I can get.
In all seriousness, I am honored to stand before you as the nation’s second National Cyber Director. And I’m particularly pleased to be here at ITI’s Intersect Summit. You all have been great collaborators. We are grateful to organizations like ITI for helping create opportunities for engagement that drive meaningful change.
At ONCD, we like to say – “engage early and often.” So, I’m here early in my tenure – and you can expect to see us regularly.
I’ve been in this job for over seven weeks now and I have to tell you that I was humbled – but also excited – to be called back to serve.
After 43 years in the Navy and the Intelligence Community, it truly is a privilege to help a new and critical office contribute to the safety of the American people and their economic prosperity.
Here’s one thing you should know about me: I love to solve hard problems – which was a driving factor in my decision to return to government service.
To quote the namesake of my sneakers, Michael Jordan, “Obstacles don’t have to stop you. If you run into a wall, don’t turn around and give up. Figure out how to climb it, go through it, or work around it.”
You see – hard problems energize me.
I grew up as a Cold War sailor in the Navy when our nation faced the hard problem of the Soviet Union. As part of the Intelligence Community, I was extremely proud to take on great power competition. Part of my contribution to those efforts included incorporating the Open Source Enterprise into CIA’s Directorate of Digital Innovation and integrating it with the mission centers.
All of these challenges were hard. But cybersecurity is a different kind of hard problem.
It stems from the threat, which is very real. One example – among many – is the threat from the People’s Republic of China.
Last week, I testified in front of the House Select Committee focused on the Chinese Communist Party with my colleagues from across the federal government, including: CISA Director Easterly, FBI Director Wray, and my friend – and former boss – General Nakasone, the recently retired head of Cyber Command and the NSA.
It was an important moment for us to appear together to articulate the full measure of the threat posed by China and to demonstrate coherence and collaboration across our federal enterprise.
Cyber actors from the People’s Republic of China are actively working to gain access into our nation’s critical infrastructure systems with the purpose of disruption – or worse, destruction.
In the early stages of an armed conflict, they want to disrupt our military’s ability to mobilize, and to impact the systems that allow us to thrive in our increasingly digital world.
Their intentions drive home a point so many of us have known for years: in cyberspace, the private sector – and the American people themselves – are on the front lines.
And, as we all know – the vast majority of critical infrastructure is owned and operated by the private sector.
Folks, protecting and defending America from the growing number of cyber threats is a hard problem.
Ensuring the short- and long-term protection, defense, and resilience of the systems that underpin our increasingly digital way of life is a hard problem.
And ensuring the Internet remains open, free, global, interoperable, reliable, and – importantly – secure, anchored in universal values that respect human rights and fundamental freedoms, is a hard problem.
Harder still is what we do about it.
After all, belligerent states have postured their military forces aggressively for millennia. America has plenty of success responding to hostile actions outside the domain of cyberspace. But, as I said last week, the risk we face within the cyber domain is unacceptable.
There are plenty of actions we can and will take to address counter-normative behavior. And the necessity to partner with so many of you in this room is absolutely essential.
How do we – collectively – seize the initiative from our adversaries?
How do we take the talent at your organizations and channel our energies towards countering the growing number of malicious actors?
How do we leverage the amazing technologies you all create – which improve the ways we work, live, and play – and ensure they are a source of strength, not vulnerability?
And not just a vulnerability to your companies or the federal government – how do we truly help local governments? Or the schools and hospitals struggling to protect themselves? Or one of the more than 50,000 public water systems spread across the country?
Thankfully, the President has started us out on the right foot.
From the very beginning of his Administration, President Biden made cybersecurity a priority.
He brought in some great people and some of them will be with you today.
My dear friend Anne Neuberger, the Deputy National Security Advisor at the National Security Council, who will join you all later this afternoon, has made incredible progress – from driving the development of Executive Order 14028 – to pushing for the creation of a Cyber Trust Mark.
And I’d be remiss if I didn’t mention my White House colleague Mayor Stephen Benjamin, the Director of the Office of Public Engagement, who will also be with you this afternoon. His outreach on behalf of the administration is key to strengthening our partnerships and delivering outcomes.
At ONCD, we have been lucky to have Chris Inglis and Kemba Walden set our organization on the right course. True champions of this office and its mission. I am proud to stand on their shoulders.
We are also standing on the shoulders – and the wisdom – of Congress who established ONCD in 2021 following a recommendation made by the Cyberspace Solarium Commission. I was pleased to meet with many of those commissioners last week. Their insight continues to be of great value to me and to us all.
The President knows that you can’t tackle hard problems without good people – it also takes a good plan and some good old-fashioned grit.
I’m hopeful that this group has heard quite a bit about the National Cybersecurity Strategy, which calls for two bold shifts: one – shifting the responsibility away from individuals and small businesses and onto the large institutions capable of bearing it, and – two – realigning incentives to favor long-term investment in cybersecurity.
That’s been said before and I agree – but allow me to share my take on this important strategy.
I see it as bold because of its underlying vision and tenacity. The work of our office sets out the hard problems we have to solve and takes them head on.
The Strategy says we have to tackle problems like the fact that the Internet was built on insecure foundations: so, we’re finally implementing improvements to the Border Gateway Protocol.
The Strategy says we need to hold software manufacturers accountable when they rush insecure code to market: so, we’re working with academic and legal experts to explore different liability regimes. We will soon be engaging with you to hear industry’s perspective.
The Strategy says that smart regulations minimize the compliance burden on companies: so, we’re working with partners across the interagency to harmonize requirements and using the feedback many of you provided in response to our request for information.
The Strategy says we need to develop a diverse and robust national cyber workforce to meet the challenge of this decisive decade: so, we’re working aggressively to build and foster ecosystems in communities across the nation to fill the more than half a million cyber jobs available today.
To that end, I’ve already been to one job fair at the Community College of Baltimore County and heard from an incredible group of students, faculty, and employers.
It was fantastic and you can expect to see our office across the country engaging and helping to connect talented Americans with employers.
Every one of those is a hard problem in its own right. Each has been studied for decades. Each remains pernicious and unresolved.
But, what makes the National Cybersecurity Strategy bold is its clarity that the hard problems – issues once deemed too complicated – are precisely what we need to tackle in order to seize the initiative from those who consider harming our nation.
My predecessors at ONCD also made a clear commitment to transparency and accountability by publishing the National Cybersecurity Strategy Implementation Plan – an act I found particularly impressive as I’ve come to watch the team put their shoulder to the wheel every day.
Trust is built on openness, and I will commit to you that when we report on our progress, you will hear about not just where we succeeded, but where we came up short. In the coming months, you’ll see us report on our efforts to date and the next phase of the Strategy’s implementation.
I’ll say one additional thing about the Strategy’s Implementation Plan: policy solutions are not self-executing.
It’s true that developing solutions to the hard problems in cybersecurity is a fundamental responsibility of our office – but so is carrying them through to fruition.
Thankfully, I’m not alone. There are 80 incredible people I get to work with every day. Experts who hail from industry, civil society, federal agencies, and Capitol Hill.
Their work includes putting the good ideas, the powerful solutions, the thoughtful strategy into practice to improve the digital foundations of this nation and make our nation safer.
I’m excited about the work ONCD’s talented staff is leading on the open research problem of software measurability that makes it difficult to understand the quality of the code we use. That work has its seeds in a 2016 NIST paper that we are continuing to make progress on.
We’re also pushing government and private sector coders to ensure secure-by-design incorporates memory-safe programming languages. Some of the most dangerous vulnerabilities that criminals look to exploit are memory safety bugs, and memory-safe coding languages prevent these errors from ever making it into production. And yet – developers have been slow to adopt them, even though many have existed for years.
In the coming weeks, you’ll see us put out a paper that addresses both memory safety and software measurability.
Additionally, we are developing guidance to help agencies eliminate unnecessary degree requirements for contracted cybersecurity positions. While this has been mandated for years, it’s another tough challenge that has yet to be fully implemented.
In many cases, it turns out, implementing the solution is the hardest problem of all.
That will take partnership.
Recall that the first shift in the Strategy is about rebalancing responsibility in cyberspace to the most capable actors. That means the government, yes. It also means all of the organizations represented in the room today. And all of you.
It will take committed partnership to ensure the cloud improves cybersecurity – not becomes a source of heightened, systemic concentration risk.
It will take meaningful partnership to stop adversaries from using our own systems – whether virtual private servers or small office/home office routers – to launch their attacks.
It will take sustained partnership to bring coherence to our Federal mission and coordination to unwind the sea of licenses agencies deal with on a daily basis.
It will take innovative partnership – and your technological know-how – to scale solutions that protect the pipelines delivering gas to homes in Minneapolis or the hospital providing lifesaving care in my hometown of Parsons, Kansas.
It will not be easy – and that is why the Strategy is our North Star.
I appreciate that the Strategy traces its lineage back 25 years. That tells me that cyber was and remains a bipartisan issue. That tells me that public-private partnership was and remains core to our success. That also tells me that, after a quarter of a century, we’re still dealing with some of the same tough problems.
ONCD was built for this challenge.
We have the team, the vision, and the responsibility to make sure we’re not scratching our heads at the same hard problems in 2050. It’s time to lean in.
So, I say again, please continue to collaborate with us. Tell us what’s working and what’s not. Keep giving us your feedback and your ideas. And join us in solving the hard problems for the sake of our nation’s security and prosperity.