New York, NY

November 13, 2024

Remarks As Prepared for Delivery

Good afternoon, everyone. I’m delighted to join you all today to talk about an issue that’s been a major focus of the Biden-Harris Administration: changing incentives to improve our Nation’s cybersecurity posture.

But before I dive into our perspective from the Office of the National Cyber Director, let me say a few quick words about our host. Jay Healey is one of the original plankholders at ONCD. His fingerprints are all over America’s National Cybersecurity Strategy.

What’s more, his strategic vision animates so much of our work. He believes – as I do – that cybersecurity is an asymmetric domain, and the key to success is ensuring defenders are harnessing scale more effectively than attackers.

But my favorite thing about Jay is his commitment to teaching.

The Cyber 9/12 Policy Challenge – which he helped create while at the Atlantic Council – is one of the best tools I’ve seen to develop new policymakers to tackle the hard problems in cybersecurity. And ONCD likes tackling hard problems.

Jay’s commitment to the discipline is unparalleled, and I’m grateful that he and his partners at Columbia and the great state of New York have brought us together for this important conference.

Of course, I am also a bit disappointed. The last time I was on stage with Jay was at DEF CON – and there was whiskey! And Jordans! But I digress.

We’re here today to talk about incentives. But to understand why, we have to start at the root of success in cybersecurity policy: partnership.

Yes, it is clichéd. I will say it nonetheless: the majority of the critical infrastructure we depend on is owned and operated by non-Federal entities, from private businesses to state and local Governments.

Borders in cyberspace are ephemeral. They are always changing. They are short-lived. Every company, every local government, every entity that owns and operates critical infrastructure is on the front lines dealing with threats from nation-states in a way that is completely unlike the traditional domains of land, sea, air, and space.

Our National security – our way of life, the quality of our lives – depends on adaptability and, more so than any other domain, a strong and constant partnership between the public and private sectors.

But we must recognize that our interests are not always aligned.

Sometimes, being first-to-market – not secure-to-market – is the behavior consumers reward.

Sometimes, firms lose market share to competitors when they invest in cybersecurity controls and are then undercut on price.

Sometimes, key recapitalization efforts on IT networks are sacrificed on the altar of quarterly profits.

None of this is to ascribe malice to critical infrastructure owners and operators. I have never met anyone who is looking to get hacked.

But, as policymakers, we must recognize that – absent Government intervention – we are taking on risk as a Nation that is not merely imprudent, it is simply unacceptable.

In fact, that phrase – “unacceptable risk” – is exactly how I described the presence of PLA cyber actors on civilian critical infrastructure when I testified before Congress earlier this year.

The status quo is not tolerable. To live in the world envisioned in our National Cybersecurity Strategy, where we are able to fully reap the benefits of cyberspace, we must take collective action. Individuals, governments, allies, civil society and the private sector – we are all mission partners.

As per the Strategy, that action must be aligned against two imperatives:

  • That the more capable actors in cyberspace – including the Federal government – shoulder more responsibility for cybersecurity; and,
  • That we do more to invest in long-term cybersecurity and resilience.

Incentivizing action in furtherance of these two objectives requires that we use all tools available.

That includes market forces, whether it’s increasing the information available to purchasers of information technology products or improving the cyber insurance market to let firms price risk.

It includes leveraging the immense purchasing power of the U.S. government, as we have in implementing Executive Order 14028, championed by my friend and colleague Anne Neuberger who we heard from earlier.

Another tool to incentivize action is information sharing, as some entities underinvest in cybersecurity simply because they don’t understand the threats arrayed against them.

And, the Government can directly subsidize investments, as we have with the first-ever state and local cyber grant program enacted as part of the Bipartisan Infrastructure Law.

These are all important tools, and ones that the Government is using as we turn the Strategy into reality through the National Cybersecurity Strategy Implementation Plan process.

But a key legacy for this Administration will be our prioritized, all-of-the-above approach to solving cybersecurity challenges – and that includes the regulatory tool.

Since the ransomware attack on Colonial Pipeline led to impacted gas lines in Virginia and North Carolina, the President has made clear that we must have minimum cybersecurity requirements for critical infrastructure to protect our fellow Americans.

I know that can seem to add strain to a relationship that is supposed to be grounded in partnership. Yet there are clear cases where the regulatory tool is most effective at driving us towards the outcomes we want.

Talk to any CISO, and they’ll tell you – regulation can and does incentivize investment. It changes behavior.

It’s also no accident that some of the industries that are most heavily regulated for cybersecurity, like financial services, are held up as models for cybersecurity maturity.

But, as with any tool, regulation can be misused.

Not every cyber problem demands a regulatory solution. And not every regulatory solution is tailored to maximize efficacy when weighed against compliance costs.

How, then, do we decide what situations warrant regulatory approaches? How do we nudge goals into alignment without burdening industry with compliance activities that do not add to – and can actively detract from – cybersecurity outcomes?

I wish we had easy answers. Instead, we have the trappings of a hard problem, one that requires synthesizing dozens of agencies’ regulatory authorities to drive coherent, harmonized approaches while also improving the Nation’s cybersecurity posture and lowering the cost of doing business. At ONCD, we are built specifically to tackle hard problems.

So let me share some of the initiatives we have underway to ensure we employ the regulatory tool appropriately and effectively.

Earlier this year, the President’s National Security Telecommunications Advisory Committee – the NSTAC – put out a report on ways to better measure and incentivize adoption of cybersecurity controls.

One recommendation in that report really stood out to us. It noted that there is not a lot of literature or a good understanding of the gap between cyber risk that is in a business’s self-interest to mitigate, and the risk that is in society’s interest to mitigate.

In other words, when we are thinking about interventions to change critical infrastructure owners and operators’ incentives, we need to spend more time looking at the national security and societal consequences of a cyberattack on a company.

One of the challenging aspects of living in our free-market, profit and loss-driven economy is that the societal benefits of critical infrastructure companies exceed the value their shareholders are able to capture.

Their value is so much greater than what we see on a balance sheet.

We, as a community, benefit – even crave and need – power when we flip on a light switch or water when we turn on the tap. And there’s more value than we acknowledge when we have the convenience of having our payment processed at the grocery store.

But that amazing feat of economics also means that it will never be strictly in these entities’ business interest to mitigate the full spectrum of the cybersecurity consequences.

Making up that gap on behalf of the American citizenry is the clear job of Government.

However, if we can’t target the gap itself, we may end up unnecessarily subsidizing investments businesses would have made anyway – or requiring them to fill out mounds of paperwork that doesn’t shift behavior.

At ONCD, we have taken up the NSTAC’s charge and are looking at quantitative frameworks that can tie technical cyber risk with societal consequence modeling.

In particular, we are interested in understanding the interplay of economics and engineering at the level of the C-suite and the board – as that is the level where we expect and need to have the most influence through public policy.

And here’s why I raise this: we want your insights!

We are so pleased to join this august group of thoughtful cybersecurity leaders – yours are exactly the perspectives we need. So I hope you will take the opportunity to talk with me or any of my ONCD colleagues here today about how we should approach this hard problem.

The other initiative I want to talk about is our efforts on cybersecurity regulatory harmonization, an issue as timely as it is impactful.

Timely because, as most of you know, there is some very important legislation that would greatly help our ability to streamline well-meaning regulations to provide more security for the American people and more clarity and efficiency for American companies.

Before I dig into the work by our partners on the Hill – folks we have talked with at length, as you can imagine! – let me share some important lessons after our year plus of work on the issue.

First: the compliance burden is real. It is startling. And it is unfair.

One of the statistics that is seared into my mind came in response to the request for information we did on this topic last year.

In a survey of CISOs in one sector, they reported spending 30 to 50 percent of their time on compliance activities. And, in many cases, much of that time was spent on duplicative requirements.

I mentioned earlier that the Federal Government, as one of the most capable actors in cyberspace, has to shoulder more of the responsibility for cybersecurity. This is a clear example of what we mean.

Duplicative requirements – where there is no avenue for reciprocity or mutual recognition of another regulator’s findings – do nothing to incentivize stronger cybersecurity. In fact, they can – perversely – result in worse cybersecurity outcomes, because teams have to focus on compliance instead of directly mitigating cyber risk.

The Government must do a better job of coordinating internally and speaking with more of a unified voice when it comes to setting minimum requirements.

Which leads me to our second observation: the regulators largely understand this.

What I find most heartening is that when you get the regulators in the room – which, thanks to the leadership of FCC Chair Jessica Rosenworcel, is increasingly happening under the auspices of the Cybersecurity Forum for Independent and Executive Branch Regulators – the talk naturally turns to harmonization.

Regulators understand that, for sector-specific controls, a bespoke approach may be necessary.

Take, for example, the unique operational technology that powers our pipelines.

TSA has had a leading role in this Administration with cybersecurity regulatory requirements specific to their sector. After the breach at Colonial Pipeline affected millions along the East Coast and the southern U.S., we took action and, subsequently, we have learned a lot.

When you consider how to better secure the flow of oil and natural gas that flow through our Nation’s pipelines, it requires us to look at the IT enterprise technologies that support business operations. But it also requires a very clear look at the operational technology that controls the flow. It’s an element unique to the security of our Nation’s pipelines.

There’s already a tremendous amount of work by those who own and operate pipelines to ensure they remain secure.

As new regulations come online, it’s important that we consistently and reliably preserve the ability of regulators to address risks unique to their sectors. And, while we’re at it, we need to address duplication where it occurs.

That is why I am personally so grateful to Chairman Peters and Senator Lankford who have joined our efforts to effect real change in the regulatory landscape.

Their bill – one that is bipartisan – would empower ONCD to bring all relevant parties – including independent regulators – to the table to make policy. It would charge us, collectively, with creating a structure for harmonization and reciprocity that could serve as a model going forward. And I am eager for Congress to pass this bill.

Listening is another key part of our ethos at ONCD, and this legislation would empower us to work with all relevant stakeholders to collectively design a more harmonized regulatory approach. We need regulators to join us in delivering a regulatory regime that is good for America – American citizens and American businesses.

Both of these initiatives will take time to get right. But cybersecurity always has been a nonpartisan issue – and I expect it will stay that way.

So regardless of who is in the White House or Congress, I have an abiding faith that we will continue to invest in cybersecurity, partner with critical infrastructure owners and operators, and continue to work together to find reasonable solutions that will best protect the American people while allowing our economy to prosper.

After all, the moment demands it. We will never get a handle on the unacceptable risk we face without bringing all tools at our disposal to bear on the issue.

Regulation is not the only answer, but it is part of the answer – and we need all of you in this room to ensure we get it right. And that we’ve got the systems in place to ensure we can keep listening, keep learning and keep adjusting.

Jay, thank you again for the invitation to join you all today, and I look forward to our conversation.
