U.S. Cyber Policy – Now and Moving Forward

Good morning, ladies and gentlemen, and a warm Bem-Vindos a Lisboa! I’m Robert Sherman, the U.S. Ambassador to Portugal, and it is truly a pleasure to be with you all this morning as you begin the three-day Secure Logistics Through Cyber workshop and summit.

Please allow me to begin by offering my warmest gratitude to a few people:

A sincere obrigado to our Portuguese partner and colleagues from the National Cybersecurity Center for hosting this important event.

A warm congratulations to my colleague, Rear Admiral Antonio Gomeiro Marques, as he begins his work as the new head of the National Cybersecurity Center, building on the excellent work of Vice Admiral Torres Sobral during his many years leading the National Security Cabinet or GNS.

Thank you to the United States European Command – EUCOM – for not only providing the funding to make this event happen but for being a true leader in the cyber realm both within the U.S. government and internationally.

Thank you to my fellow opening panel members – including Rear Admiral Marques and Colonel Brian Vile, Deputy Director of the Joint Cyber Center at US European Command – who truly are the experts in this field.

Most importantly, thank you all for being here and for the important work that you all do on a daily basis.

I do not need to do so with this audience, but nevertheless will underscore that the risks we face in the cyber realm truly are astounding. Just because our adversary is not wearing a camouflage uniform, wielding an AK-47 or strapping on a suicide belt does not make the potential risks and threats any less severe nor damaging.

Instead he or she could be wearing a hoodie and headphones and typing away in a local café or at home, with the ability to cause much greater damage than our traditional adversaries. And the weapon of mass destruction is nothing more than an ordinary personal computer.

Admiral Michael Rogers, Commander of the United States Cyber Command said in April that non-state groups using cyber as a weapon system to inflict harm is what keeps him up at night. Admiral Rogers is not alone in thinking this.

President Obama, Secretary of Defense Ash Carter, Secretary of State John Kerry, CIA Director John Brennan and former Supreme Allied Commander Admiral Stavridis all concur on the magnitude of the threat.

Therefore, agencies across the United States Government have long been prioritizing cybersecurity and international engagement in this realm because they – as you – realize the destructive potential of cyberattacks, whether on power grids, airports, or seaports. Last week, as we commemorated the tragic events of September 11 and honored the victims, we were reminded that our foes are always searching for unconventional and darkly imaginative means to severely harm us.

Cybersecurity is not an issue that can be addressed solely by one country, or one business. Because the threat cannot be contained within boundaries or borders, our response must be a collective one. We must cooperate, we must collaborate, and we must communicate.

Whenever we can, we must share information, we must synch the magnitude of our responses to the magnitude of the threats we face, and we must create an international community that shares and agrees on the principles for what is acceptable behavior in cyberspace.

While we have a long way to go, over the past years, we have made extraordinary progress in the cyber realm. At the G20 meetings last year in Turkey and again earlier this month in China, leaders affirmed that international law, including the UN Charter, applies to state actors operating in cyberspace.

What does this all mean? It means that cyberspace is not some lawless Wild West where anything goes, but rather a place where state conduct is governed by the same rules and the same standards that apply in the physical world. There simply cannot be a free pass for cyber-crimes.

Therefore, G20 leaders explicitly affirmed a U.S.-championed norm that no country is permitted to conduct or support the cyber-enabled theft of intellectual property – including trade secrets or other confidential business information – with the intent of providing competitive advantages to its companies or commercial sector.

Our work to continue to build international consensus in multilateral venues is critical, for freedom and democracy cannot coexist with conflict in cyberspace.

Much of this work is done through the UN – the appropriate and natural place for setting international norms of conduct. In June 2015, the UN Group of Governmental Experts agreed by consensus on peacetime cyber principles:

  • First, no country should attack another state’s critical infrastructure which provides services to the public;
  • Second, no country should impair the computer security incident response organization of another country from responding to cyber incidents, and such organizations should not be used for malicious purposes; and
  • Third, countries should cooperate with requests from other states to investigate and mitigate malicious cyber activity emanating from that territory.

The applicability of international law in cyberspace, the development of peacetime norms of state behavior just mentioned, and the promotion of confidence-building measures, all make up a Cyber Stability Framework that we are working toward.

Yet our work is not just about engaging governments – for the Internet belongs to everyone—all of civil society. For better or worse, our lives are now on-line, and that makes us all stakeholders.

Because of this, we must form broad public/private partnerships with business, academia, faith based institutions and even the cultural arts community. Anyone who benefits from cyber access must have a voice in its future.

Since cybercrime transcends international borders, so too must our ability to respond. International law and policies need to recognize and encourage information sharing and to support cross border operations.

The Council of Europe’s Budapest Convention on Cybercrime does just that – it creates common language and legal processes by party countries in order to, for instance, make admissible in a court in the United Kingdom evidence collected in, say, Ghana.

The United States is a party to the Budapest Convention and we urge other countries around the world to sign on as well.

What should be obvious from my talk thus far is this: Rarely does a day go by when we aren’t hearing about some major cyber-attack or vulnerability—whether it is the United States Government’s Office of Personnel Management or Sony Pictures or Saudi Aramco.

Indeed, this week the Washington Post reported that Israeli researchers at Ben Gurion University determined that the emergency response phone system in the United States —our 911 system, which we consider critical infrastructure—can be hacked and disabled.

And while international laws and policies are developing, they are still immature. One area that continues to be a gaping hole in our defensive architecture is cybersecurity due diligence. What that means is the need to vigilantly review the governance, processes and controls that are used to secure our information assets.

These due diligence obligations need to exist between nations, between non-state actors like private corporations, and between state and non-state actors. No standards have been set as yet. What should those obligations be? When, for instance, should a neutral transit country be obliged to police its network to thwart a cyber-attack?

So in light of these difficult challenges, how do we in the United States think about our international engagement on cybersecurity issues? Well, we have six primary areas of focus.

First, we encourage countries to develop a comprehensive cybersecurity strategy. These strategies form the framework to raise public awareness, disrupt and deter malicious cyber activity and respond to incidents through internal and external engagement.

For instance, in July, President Obama approved a Presidential Policy Directive known as PPD-41, codifying clear principles that will govern our government’s response to large scale cyber incidents.

PPD-41 articulates five principles:

  • shared responsibility—individuals, along with the private and public sector bear responsibilities for protecting the nation from malicious cyber attack.
  • risk-based response—our response and resource allocation is proportional to our national interests at stake.
  • respecting affected entities—privacy and civil liberties will be respected, as will sensitive private information;
  • unity of governmental effort—once one government agency becomes aware of an incident, it will rapidly notify all others, resulting in a unified response; and
  • enabling restoration and recovery—the federal government will focus on repairing the damage to the entity subject to the attack while balancing investigative and national security interests.

PPD-41 recognizes that accomplishing the directive will require law enforcement, technical assets and intelligence support.

Second, we encourage government information sharing and coordination with the private sector. With so much of our critical infrastructure owned or managed by the private sector, these partnerships are critical for our success.

Third, we must simultaneously address cybercrime with targeted laws and develop best practices for effective prosecution.

Fourth, we must develop incident management capability that can coordinate cybersecurity watch, warning, response, and recovery efforts; this capability is frequently housed in a national Computer Emergency Response Team (CERT).

Fifth, we must build a culture of cybersecurity awareness, increasing citizens’ and industries’ understanding of their critical role in protecting cyber systems. Some of that is very basic. Threat analysts warn that one of the greatest threats to our cybersecurity is ourselves – our weak passwords and our poor administrative practices that make us vulnerable. While easy to remember, many people still use a child’s or pet’s name as their system password, which means once we are penetrated, so is our network.

Sixth, we must identify, develop and connect experts, in government, in civil society, in academia, and in business who understand the competing demands underlying a comprehensive cyber policy and who are able to work across borders to address these issues.

And that is exactly what you all are doing over these next three days. And that was the case last week, here in Lisbon with some of you in attendance, when Idaho National Labs conducted training on industrial control systems. And it is only fitting that this conference is in Portugal. Portugal has been an excellent partner in advancing strategic thinking on these difficult issues.

Portugal convened NATO cyber conferences in April 2015 and May 2016, and will be host to the NATO Cyber School due to open in 2018, repeatedly demonstrating a leadership role within NATO on cyber policy.

I know the issues you will discuss over the next three days are not easy. Many competing values are at stake. A conversation on cybersecurity can easily morph into a conversation on internet freedom or internet governance. Discussions on protecting against cybercrime can quickly bleed into conversations on what is appropriate behavior online.

Understanding where our society’s values intersect is important.

Our cyber adversaries do not share those values, nor our ethics. They can probe and experiment with reckless abandon and make mistakes with little consequence; they are looking for the slightest vulnerability. For us, we can have no room for mistakes. And every time we think we’ve built the perfect mousetrap, the mice get smarter.

So over the next three days you have a great opportunity to get to know your fellow participants. That is an important step in developing the kind of international networks so important to our collective efforts.

For it is through our partnerships, and our collaborations that we will be able to ensure that not only cyberspace, but our way of life is safe and secure.

Thank you again for your time and good luck. Obrigado e boa sorte!