Collaboration between governments and with the private sector is key to improving global cyber security, according to Jeh Johnson, the head of the US Department of Homeland Security (DHS).
“Cyber security is a major priority for president Barack Obama, his entire administration and the Department of Homeland Security,” he told RSA Conference 2015 in San Francisco.
But the government does not have all the answers or all the talent, he said.
“Cyber security must be a partnership between government and the private sector. We need each other and we must work together. There are things government can do for you, and there are things we need you to do for us,” he said.
“In private law practice, where I have spent most of my professional life, I was a service provider to private clients. I bring that attitude to cyber security,” he said.
Johnson said he was proud of the fact that the DHS is building an “agile and responsive” cyber security capability.
Setting security goals
He said the US National Cybersecurity and Communications Integration Center (NCCIC), made up of representatives of many government departments and the private sector, is central to his department’s cyber security efforts.
“In 2014 alone, the NCCIC received more than 97,000 cyber incident reports from the private and government sectors, and issued nearly 12,000 cyber alerts or warnings,” he said.
An NCCIC team is almost continuously working with companies to assess and remediate significant cyber incidents, and in doing so identifies numerous vulnerabilities.
“In 2014, the NCCIC identified 265 instances of the Heartbleed vulnerability across dozens of government departments and reduced that to just two in a three-week period,” said Johnson.
“My goal is to see the NCCIC move to an even higher and better level,” said Johnson. As part of those efforts, he said the NCCIC director will, in future, have a direct reporting and information-sharing line to Johnson himself as head of the DHS.
In an initiative similar to the UK’s Cyber Security Information Sharing Partnership (CISP), he said the DHS is enabling the NCCIC to provide near real-time automated information sharing to the private sector.
As part of this initiative, the NCCIC recently introduced the capability to automate publication of cyber threat indicators in a machine-readable format.
This enables the NCCIC to share threat indicators with an initial set of companies, with plans to add others in future and to enable the NCCIC to accept cyber threat indicators from the private sector later in 2015.
Like the UK’s CISP, the US NCCIC has been set up to be the main way for US companies to provide cyber threat indicators to the US government.
To encourage this flow of threat information, in January 2015 president Obama announced plans for legislation that will provide protection from civil and criminal liability for contributing organisations.
Silicon Valley and government talent exchange
Johnson used his RSA keynote to announce that the DHS is also finalising plans to set up a satellite office in Silicon Valley to serve as another point of contact with companies in the technology sector.
“We want to strengthen critical relationships in Silicon Valley, and ensure that the government and private sector benefit from each other’s research and development,” he said.
He said the DHS also wants to attract some of Silicon Valley’s talented workforce to Washington DC to participate in talent exchanges between the public and private sectors through the US Digital Service.
Johnson said this will build capacity on all fronts, and appealed to the RSA Conference audience members to consider serving the US government in this way.
Improving cyber security globally
Underlining the Obama administration’s commitment to improving US cyber security, Johnson highlighted the president’s proposals for a single national data breach reporting system and enhanced penalties for cyber criminals.
“But, we are not just waiting for Congress to legislate. The president has been active in issuing a number of executive orders to strengthen cyber security,” he said.
These include the executive order of February 2013 promoting information sharing and cyber security best practice; the executive order of February 2015 directing Johnson, as secretary of homeland security, to encourage the further development of private-sector information sharing and analysis organisations; and a further order, also in February 2015, creating a cyber threat intelligence integration centre.
Most recently, in April 2015, president Obama signed an executive order authorising the secretary of the US treasury to impose financial sanctions for cyber-enabled activities that are a threat to national security, foreign policy, economic health or financial stability of the US.
Also in April 2015, Johnson visited Beijing to meet the minister of public security and the minister of cyber space administration of the People’s Republic of China.
“Though we have sharp differences with the Chinese government, particularly when it comes to the theft of confidential business information and proprietary technology through cyber intrusions, we and the Chinese recognise the need to make progress on a range of cyber-related issues,” he said.
Johnson said that as the largest economies of the world, the US and China have a vested interest in working together to address shared cyber threats and making progress on their differences.
“We have therefore agreed to further cyber security discussions, which I believe will enable us to make progress on cyber crime and other shared cyber threats,” he said.
The encryption challenge
Johnson said that just as government has a role in improving cyber security and fighting cyber crime, the private sector also has an important role to play through things like improving user security awareness and combating cyber risk in the supply chain by encouraging best practice.
He also tackled the thorny issues of counter-productive government agency turf wars and market demand for encrypted communication services.
“When it comes to the government’s cyber security responsibility, I am determined to root out any turf battles between government agencies,” he said.
Johnson said he was encouraging DHS employees to work in a “co-operative and selfless fashion” with partners at the FBI, NSA and departments of defence, treasury, justice and commerce.
He then appealed to the RSA Conference attendees for their “indulgence and understanding” on the subject of encryption, echoing comments in recent months by FBI director James Comey, former European Cyber Crime Centre head Troels Oerting, GCHQ director Robert Hannigan and Europol director Rob Wainwright.
“The current course we are on toward deeper and deeper encryption in response to the demands of the marketplace is one that presents real challenges for those in law enforcement and national security,” said Johnson.
“I understand the importance of what encryption brings to privacy, but imagine the problems we would have had if well after the advent of the telephone, the warrant authority of the government to investigate crime only extended to the US Mail.
“Our inability to access encrypted information poses public safety challenges. In fact, encryption is making it harder for the US government to find criminal activity,” he said.
Johnson concluded by saying those in government know that a solution to this dilemma must take full account of the privacy rights and expectations of the American public, the state of the technology and the cyber security of American businesses.