Washington, D.C.

May 23, 2024

Remarks As Prepared for Delivery

Thank you, Scott.

A couple of weeks ago, we presented our first-of-its-kind Report on the Cybersecurity Posture of the United States to the President and the Congress. When we rolled it out to the public at the RSA cyber conference in San Francisco, I noted that despite the threats and challenges we lay out, there’s a real reason for optimism.

As we see it, the progress we’re making can all be attributed to the growing and deepening partnerships across the public and private sectors. We listen, learn and lead along with our partners.

Partnership in cybersecurity certainly isn’t new, a point to which my good friend and partner Anne can certainly attest. And a perfect example is the collaborative spirit that goes back to the beginning of the NSTAC.

The NSTAC has been leading the way since 1982 as a key venue for partnership between the Federal Government, the telecommunications industry, and critical infrastructure providers.

The Office of the National Cyber Director has a much shorter history. In our two years, we’ve come to be known for dynamic work implementing the President’s National Cybersecurity Strategy. We’ve also come to be known as the office that will work collaboratively with our partners to take on the long-term, hard problems.

Today, I want to share how we’re taking three hard problems head on: protecting cyber infrastructure in one of the most complex environments – space, strengthening internet routing security, and building a cybersecurity workforce large and robust enough to protect the Nation. 

Let’s start with space system cybersecurity. We recognize the critical importance of countering the significant threats and risks we face in the vital domain of space.

We often think of cyber as being a key attack vector our adversaries use to target our critical infrastructure. We don’t need to look any further than the PRC activity – commonly known as “Volt Typhoon” – that I testified about earlier this year along with FBI, CISA and NSA U.S. Cyber Command.

Generally, the targeting of critical infrastructure happens across all domains. We can see that in the shelling the Ukrainian power grid has taken over the past two years since the Russian invasion.

But in a report laying out the space threat landscape, the Center for Strategic and International Studies (CSIS) noted that when it comes to space systems, cyber seems to be the preferred attack vector for adversaries.

While countries are certainly pursuing alternative means to disrupt satellites, attacks in the cyber domain are the first choice with the lowest barrier to entry – when they’re available. We need look no further than the 2022 attack on satellite modems that took off during the Russian invasion of Ukraine. Today, we know that the PRC continues to consistently focus on cyber means to target satellites early in a conflict.

The capabilities and intent of our adversaries show us the urgency of the challenge that our space systems are facing, and will continue to face.

As someone who spent time in the Navy and the IC working space operations, I know how challenging and complex these systems can be.

There are the engineering challenges, logistical concerns, and bandwidth issues.

There are also lifecycle issues, as space systems are often designed to last for eight to 10 years – and routinely outlive their predicted lifespans – which means that they may not be protected against evolving threats.

Designing secure systems for space is inherently difficult. And the consequences are ever increasing as the space economy continues to grow at a breakneck pace.

But, our partnerships are built to solve hard problems.

We started by bringing Government and industry together. Along with our colleagues at the National Space Council, we convened a Space Systems Cybersecurity Executive Forum with leaders from across the White House, the interagency, and the private sector to discuss the risk landscape as we saw it. From that meeting, we all agreed that there was significant work to be done – but that more dialog was necessary to understand the most urgent gaps to address.

So, over last summer, we held five workshops across the country, meeting key players in the space economy in Los Angeles, Colorado Springs, Houston, the Florida Space Coast, and Washington, DC.

We went to those meetings with a clear goal in mind: to listen and learn. We heard about the barriers that companies were facing day-to-day as they attempted to ensure that cybersecurity was as core an element of their mission as safety.

At the same time, we partnered with the National Space Council and the National Security Council to jointly lead a project on space system cybersecurity.

We also talked to space system operators in the Government about their policies and processes to implement Space Policy Directive Five, “Cybersecurity Principles for Space Systems.”

Armed with a better understanding of the policy gaps as a result of our listening and learning, we are now ensuring that the Federal Government is leading the way in improving space system cybersecurity.

And here’s the value of listening. We heard repeatedly from our industry partners that requirements from Federal mission owners varied significantly from agency to agency – or even within agencies, or from contract to contract. So, they weren’t being asked to build to the same set of cybersecurity requirements.

And from our vantage point looking across the interagency, we saw an inconsistent application of best practices across Federal space missions.

These inconsistencies were not only inefficient, they were frustrating many of our mission partners and not allowing us to lead internationally. We knew we could – and must – do better. So, we acted.

At the National Space Council meeting in December, Vice President Harris tasked the creation of minimum cybersecurity requirements for U.S. Government space systems.

These requirements will form the basis of controls needed to combat the evolving threat to space systems – and make it easier for companies supporting our space missions. They will lay the groundwork for future work that ensures the commercial space sector – which is increasingly vital for critical infrastructure of all types – is adequately protected.

So, there is more work to be done. More listening and learning to be done. And more evidence of the fact that Government must lead the way via action – especially when we’re asking more of our private sector partners.

I also want to thank this group for the NSTAC Report to the President on Communications Resiliency, provided in 2021. It offered thoughtful and helpful reflections on the challenges inherent to space systems.  Thanks!

Another hard problem we’re going after is strengthening the security and resilience of the Border Gateway Protocol, or BGP.

We have our fair share of technical folks at ONCD.  And even I may have written some code in my day – although I won’t tell you how long ago that was – except to say that it was the same decade that the Border Gateway Protocol, or BGP, was first sketched out “on the back of three ketchup-stained napkins.”

For those of you not up on Internet history, that was 34 years ago next week.

As many of you are keenly aware, BGP is one of the foundational protocols that enables over 70 thousand independent networks to operate as what we know as “the Internet.” In fact, BGP is used to advertise Internet Protocol addresses and to construct the routes to reach them from anywhere in the global Internet. BGP literally binds together the modern Internet. It also can be – and has been – abused.

Like too many technologies developed in the early days of the Internet, Border Gateway Protocol was not built with the security needed for today’s internet ecosystem. And malicious actors have taken advantage of that fact.

In 2008, for instance, a Pakistani telecom provider, after receiving an order from a Government censor, advertised that it held the IP addresses for YouTube.

This intentional BGP hijack of YouTube traffic was accidentally leaked to the broader Internet; as a result, YouTube traffic was inaccessible across the entire globe for nearly two hours as engineers tried to counteract the “poisoned” route.

More disturbingly, researchers in 2018 revealed that, for two and a half years, traffic from Western countries was being routed through the PRC. Take, for example, communications between LA and Washington, DC, which ended up traveling an excess 13,000 plus miles being routed through Hangzhou. Any idea why?

More recently, we have seen the sophistication of BGP hijacks increase. These hijacks are often used as stepping-stone attacks to subvert other foundational Internet Protocols, including domain name systems and the web public key infrastructure. The end objective of these BGP attacks is often to gather account credentials or to install malware used to steal cryptocurrency. Recent incidents have resulted in losses in the millions of dollars.

The Internet may have been built on blind trust, but for at least two decades, we’ve known that security remediation is in order.

Thankfully, technical approaches have matured and are available. Through the adoption of Resource Public Key Infrastructure, or RPKI, we can ensure that BGP hijacking is a thing of the past. Although that technology has existed for a dozen years, it was only recently that a bare majority of global Internet addresses were appropriately registered in RPKI to allow internet service providers to filter false routing advertisements and prevent attempts to hijack them.  

To put it more simply, we have had an approach to better secure a foundational Internet technology since 2012, and we’re still struggling to do the basic registration step. What’s more, the Federal Government is lagging behind much of the private sector in registering our own IP addresses. From the earliest actions of this Administration, particularly Executive Order 14028, President Biden has made clear that the Federal Government must lead on issues of cybersecurity.

This challenge came to the forefront during development of the President’s National Cybersecurity Strategy more than a year ago when our partners raised challenges with RPKI adoption during our many listening sessions. They told us about the very real fear that failure to address the risks could put us in danger of disruption and espionage. That’s why one of our strategic objectives specifically calls out BGP as a key protocol to secure.

It’s also why we’re working with interagency partners and the private sector on a roadmap to drive RPKI adoption across the board.

Of course, that starts with getting our own house in order. Two weeks ago, several agencies of the Department of Commerce signed model contracts, Registration Service Agreements, to register their address space and create “route origin authorizations,” or ROAs.

These contracts – which themselves were based on pathfinding work done by the National Oceanic and Atmospheric Administration (NOAA) – are models for other agencies across the Government to follow.

It’s not enough to just listen and learn; we are acting. By the end of the year, we expect over 50% of the Federal advertised IP space to be covered by Registration Service Agreements, paving the way to establish ROAs for Federal networks.

We recognize that implementing RPKI is a first step in improving internet routing security.  Collectively, we have much more to do to secure the technical foundations of the Internet going forward, and we look forward to the government and private sector working together to address these critical challenges.

Finally, let’s look at an issue close to my heart: building our nation’s cybersecurity workforce.

I will tell you that I have yet to meet with a leader in the Government or industry for whom the workforce issue does not resonate.

It is persuasive, as people intuitively understand the appeal of good-paying cyber jobs.

It is pervasive, in a way that an estimated 500,000 open cyber jobs across the country helps illustrate.

Yet it is also pernicious. There are challenges with our cyber workforce that we have been battling for decades.

We need to broaden the pool of talent.

We must be relentless in our search for talent because our country needs it. I’ll say again: today there are more than 500,000 open cybersecurity jobs in the Nation –  good-paying jobs that we desperately need to fill in every city in America.

Years ago, I viewed the Government as being in a competition with the private sector for skilled cyber professionals. My thinking has evolved.

Today, I know that cybersecurity workers across Government and industry all have a vital role to play. They are all in national security jobs, whether working for a three-letter agency, as I once did, or for my hometown hospital in Kansas. In order to best protect our Nation, we need them all filled.

So, looking for talent means looking in underrepresented communities, certainly. But it also means focusing on what we’re really after: skills.

Getting the best talent requires workers to be hired based on the aptitude and/or skills they possess, not just the degrees they hold.

Three weeks ago, at a symposium we hosted at the White House, we announced that we are now committing to overhauling the relevant Federal hiring process. Thanks to great work by our partners at the Office of Personnel Management, we are converting an entire series of technical employees that work in every Federal agency, and represent a majority of the Federal IT workforce, to skills-based hiring. 

This is a major milestone in our national effort to move to skills-based hiring and represents an important commitment and vital work ahead. And while this process will take time, we’ll get it done in the summer of 2025.

Perhaps just as important, thanks to our partners at the Office of Management and Budget, we made a similar commitment to skills-based hiring with Federal contractors, the employees that work shoulder-to-shoulder with Federal employees to advance our mission. 

More than 70 organizations – across Government, industry, non-profits, and academia – have stepped up to commit to helping us build a strong, national cyber workforce. In order to fill our workforce gap, it will take all of us.

All of these challenges – space systems cybersecurity, the technical and far-reaching challenge of Border Gateway Protocol, and building the cyber workforce – are addressed by the National Cybersecurity Strategy. It lays out two fundamental shifts we need to see to achieve the President’s vision: rebalance responsibility to the most capable actors in cyberspace and incentivize investments in long-term cybersecurity and resilience. Those principles guide everything we do.

We need partners as we drive coherence across all that we do. We also need our private sector partners for their expertise and because they, too, are critical to our national security. And all of us need to lead because as some of the most capable actors in cyberspace we have the responsibility to do so.

I look forward to continuing to work with each of you to support the NSTAC’s mission. Thank you again for your service to our Nation.
