Remarks by Homeland Security Advisor Thomas P. Bossert at Cyber Week 2017 -- As Prepared for Delivery
Tel Aviv, Israel
June 26, 2017
As prepared for delivery
Thank you for that kind introduction. It is an honor to be here today on behalf of President Trump and the American people.
Thank you, Prime Minister Netanyahu, Dr. Matania, and the wonderful conference hosts for inviting me. I’m humbled to speak at this important event to such a distinguished group.
This incredible event includes cyber professionals from more than 50 countries. Those of you that are here for Cyber Week are among the world’s most accomplished experts in this field. Thank you for what you do, and for what you will continue to do when this week together ends and you return to your jobs around the globe.
Prime Minister Netanyahu, I know our relations are strong; and judging from this audience, it’s clear you can draw more U.S. talent into one room than I can.
I am here to talk about Cybersecurity. I am also here because President Trump understands the U.S. cannot lessen our engagement in this region of the world, lessen our support for Israel, or create a power vacuum for Iran, ISIS, Hezbollah, and Hamas to fill. Doing so would make the world a more dangerous place.
I am pleased to be here with a Prime Minister who voiced his clear-eyed objection to appeasing Iran and enabling its nuclear aspirations. He did so at great professional risk and took political criticism for stating an unpopular truth. He was right. He was courageous. The American people agreed with him. And now, he has a partner in President Trump and the Israeli people have a stronger, deeper relationship with the United States because of it.
PM Netanyahu will continue to defend the State of Israel.
President Trump’s May visit demonstrated our continued commitment to Israel. We remain particularly close on security issues. America’s security partnership with Israel is stronger than ever. The Iron Dome missile defense program continues to keep the Israeli people safe from short-range rockets launched by Hezbollah and Hamas. The David’s Sling and Arrow weapons systems guard against long-range missiles. We hope that someday soon we live in a world where children will never need to rush towards shelter, as sirens ring out.
There is incredible technology in the Iron Dome system. It is that kind of ingenuity that we need to tap as the fight moves from missiles in the air to malware through the Internet.
President Trump said something else on his recent trip here – his first international trip – he said that Israel is a testament to the unbreakable spirit of the Jewish people. From all parts of this great country, one message resounds: and that is the message of hope. That message of hope extends to the Palestinian people as well.
He brought a message that we must build a coalition of partners who aim to stamp out violent extremism.
Cyberspace has emerged as a major arena of conflict between liberal and illiberal forces across the globe, making the interconnected world of cyberspace one of the biggest strategic challenges since 9/11.
Israel is a market oriented, knowledge-based economy with a strong technology sector. You have the highest research and development spending per GDP in the world. And, one of the most talented tech workforces in the world – and a system for developing that talent that we can all learn from.
So, it’s not surprising that the leadership of Israel would support events such as this to bring together the best and brightest minds to address today’s challenges in the cyber environment. While physical borders can be extremely important, cyberspace knows no boundaries.
Nations increasingly have the ability to steal sensitive information, alter data, or even destroy systems. And the trend is heading in the wrong direction.
Destructive attacks are being executed by belligerent nations. North Korea attacked Sony, and Iran attacked Sands Casino and Saudi Aramco. Neither of these countries have near the sophistication and resources of China and Russia. And, we cannot forget the challenges facing our small- and mid-sized businesses – the backbones of our economies – who are facing threats from ransomware to the theft of their intellectual property by foreign intelligence services.
Cyber threats continue to grow. The complexity of the challenge continues to allude us. The question is: What is standing in our adversary’s way?
Part of the answer includes firewalls, anti-virus, good network hygiene, etc. Better and faster information sharing is also suppressing malicious activity. These are all things we are promoting in the United States and improving in the Trump Administration.
Yet, this would have been the same answer 15 years ago.
And, while these are good and necessary things, the adversary doesn’t encounter them until he’s compromised his target’s network.
Today – 15 years later – we’re introducing terms like artificial intelligence and machine learning. We have ways of sharing information and ways to orchestrate defenses in our networks faster than we could have ever before. Again – all good and necessary. Better and faster, but not different. And, always after the adversary is in his target’s system.
I would like this audience, this week, to advance the conversation. The Israelis and others have adopted operational constructs between the public and private sectors that focus on the adversary; what the adversary is doing in the internet; and how to thwart, impede, or otherwise inflict a defensive cost on the adversary, or—when necessary—deter bad behavior with punitive measures.
We must recognize that while we have small differences, free and market-based nations must engage with the private sector in an OPERATIONAL way to identify our cyber adversaries and increase our defenses considerably. And, we can do it in a way that preserves our privacy and security, while safeguarding our intelligence sources and methods.
Cybersecurity is about risk management. Networked technology will never be completely secure, and we need to prioritize our work.
We need to mitigate and manage risk; this includes identifying key data and the functions that must be protected, and then deliberately planning for their protection. We must centralize policies in government and industry, and decentralize their execution. And, we need standards and metrics to hold managers accountable. We must implement fundamental cybersecurity practices; to include regular patching, multifactor authentication, encrypting data, at rest and in motion, and white-listing applications.
We must also secure our nations; this includes defending our critical infrastructure and focusing on the energy sector, communications, financial services, and transportation; the lifeline sectors. There is a clear role for government in this work. This priority, while it has been subject to countless discussions, has not seen the progress it deserves.
Across the globe there are countries that do this with greater success than others. Israel is an example. We cannot achieve the security we need without partnerships. Partnerships with industry, partnerships with the owners and operators of infrastructure, and partnerships with likeminded countries.
Increased defense is critical. As is deterrence. We must get serious about a deterrence strategy. The stakes are too high and the risks are too grave not to. This requires a foundational understanding of what constitutes responsible behavior, and what is unacceptable.
Progress has been made in building consensus around responsible state behavior and the Trump Administration will work to expand that consensus. We must move from talking about norms to implementing them. But we must also hold those who violate these norms accountable.
This may not be achievable through a UN effort. Just last week, we saw the limits of the UN Group of Governmental Experts, which had achieved some good results in the past, but came up short. They were unable to even reach consensus on their final report.
It’s time to consider other approaches. We will also work with smaller groups of likeminded partners to call out bad behavior and impose costs on our adversaries. We will also pursue bilateral agreements when needed.
Deterrence may require limiting bad actors’ access to our markets and other benefits the Internet brings. These are the questions we must ask. There should be incentives for cooperation and consequences for disruption. I think that needs to be stated out loud.
While not abandoning our multilateral efforts, the United States will move forward internationally in meaningful bilateral efforts, such as the one we enjoy with Great Britain and now Israel, while continuing to build a likeminded coalition of partners who can act together.
The cyber strategies of the future must draw upon the clear experience of history. The only way to provide a safer and more secure future in a digitally connected world is to embrace the principles of individual property; the rule of law; and an unwavering commitment to free markets. And, to exclude those who do not.
We share these values with many nations around the world, including Israel. We know nations that are economically and politically free will always be stronger than nations that are not. There has been no better engine for capitalism and growth than the internet. Consider the wealth and development that cyberspace has enabled. The internet reflecting our values is where we will find partners sharing those values.
Nations that share these values also know the role of government is to apply rules to protect them. The free market succeeds because of basic rules observed between individuals and also rules designed by government to protect contracts and promises and transfers of goods and services. When this is threatened within a nation or internationally, it is appropriate for the government to respond.
The system works in part because those who violate the rules suffer consequences, and those who act well do well. So, if individuals or nations choose to manipulate cyberspace for financial gain or geopolitical advantage, we must act to protect our shared values.
The Internet is a great example of the free market at work. No capitalist is surprised that the Internet was invented in a free society. The Internet was invented in America, by Americans—and one Brit—with government help. Yet, it was private industry that turned the Internet into one of the world’s greatest tools. Despite this success, the Internet is vulnerable to fragmenting and we need to push back.
The next step must be gaining international cooperation to impose consequences on those that act contrary to this growing consensus.
To accomplish this, likeminded states should work to develop options for imposing consequences within a coalition structure, if possible. Until then, the United States must seek partners bilaterally.
And so, it is with great pleasure I can announce TODAY the commencement of a U.S.-Israel bilateral cyber working group, led by Mr. Rob Joyce, the White House Cybersecurity Coordinator and Dr. Matania (weren’t they great?), along with the Department of State and representatives from the Departments of Commerce, Defense, and Homeland Security, and the FBI.
The U.S. delegation will meet with senior leaders from Israel’s National Cyber Bureau, Defense Force, Shin Bet and Ministries of Foreign Affairs, Justice, and Defense. The meetings this week will focus on a range of cyber issues – critical infrastructure, advanced R&D, international cooperation, and workforce development, among others. These high-level meetings represent the first step in strengthening bilateral ties on cyber issues following President Trump’s visit to Israel, and they make good on the promise he made to Prime Minister Netanyahu at their meeting on February 15.
The bi-lateral working group of experts from across agencies will work with an eye towards developing a different operational construct: focused on finding and stopping cyber adversaries before they are in your networks; before they reach critical infrastructure, and identifying ways to hold bad actors accountable—a different conversation indeed.
We believe that the agility Israel has in developing solutions will result in innovative cyber defenses we can test here and then take back to America.
Over the course of this week, the assembled group here today will develop ideas that will advance cybersecurity and produce recommendations from industry on best practices, implementation, and execution concepts. Perfect security may not be achievable, but we have within our reach a safer, more secure Internet. I look forward to the progress we’ll make together in this endeavor.
I thank you very much for your time and I look forward to the future.