October 12th, 2007 06:54 EST
Greg Garcia at the Dartmouth CIO/CISO Executive Workshop on Cyber Security
I want to thank all of you for making the commitment to be here. As you all know, this happens to be National Cyber Security Awareness Month. It is an annual event officially sanctioned by the Congress through a formal resolution, and supported by DHS, the National Cyber Security Alliance, the Multi-State ISAC and numerous companies and organizations around the country. And it is fitting that this event helps lead off the October schedule because forums like these exemplify the month's very purpose -- building knowledge and awareness of cyber security. The intent, put simply, is to make informed activists of us all.
Given the evolving threats against us, we have to be. I suppose I've been appointed as the chief activist. This is in fact the one year anniversary of my tenure as Assistant Secretary for Cybersecurity and Communications – one year from tomorrow to be exact. And let me tell you that over the past year, I've been watching with increasing consternation as our adversaries – whether they're cyber criminals, hacktivists, joy riders or nation states – pursue ever more sophisticated and determined attacks on U.S. Government and private sector networks. I'm watching as companies – household names with huge market capitalization and seemingly tremendous resources – expose their networks and data to infiltration and information theft. I'm seeing the same with government agencies on a regular basis. And I have increasing concern about vulnerabilities in the digital control systems that manage processes and manufacturing throughout our critical infrastructures. This makes me see red. I know you're seeing it too.
All of us here know a few things about cyber security. But, as some of my university professors used to say, you can never have too much information - the key is in how you organize it so you can use it. In the case of cyber security, the key is in how we organize and use our defenses - the people, the processes, the technology.
And it's a lot about the people, isn't it? The people who run the systems, who protect the systems, and the people who attack the systems. Our adversaries have gone professional, and we now see criminal computer code written at the PhD level. What is our response? How are our people able to design the systems and protect them against the people who are attacking them? I want to spend some time exploring this question with you because this is precisely the forum - the intersection of higher education and business - where the people variable of the equation needs to be resolved.
I'm proud to say we've shown a number of tangible accomplishments in the human resources area over the past year since I've been in office. For example,
This year we added 12 National Centers of Academic Excellence in Information Assurance Education. This joint program between the National Security Agency and DHS/NCSD is now educating students for careers in IT security at 86 centers in 34 states and Washington, D.C.
NCSD’s sponsorship, with the National Science Foundation, the Office of Personnel Management, and the Federal Chief Information Officer Council, of an annual scholarship for service symposium/job fair increased placement of Scholarship for Service students in Federal jobs and summer internships to over 90 percent.
The second annual National Collegiate Cyber Defense Competition, sponsored by NCSD, involved 44 schools – up from 5 original schools – and capped a series of state and regional cyber security competitions. This effort continues to expand.
But we're not quite where we need to be.
The fact of the matter is, we've all been going at the issue of training and educating our IT security workforce in an individual, rather than collaborative, manner, and that just isn't going to work anymore. Our adversaries are united in their desire to harm us and they will take advantage of every division they can find.
Presently, our training standards and certifications are designed to meet the needs of specific sub-sets of the IT security community. While these are valuable, they are stove-piped and focus on specific contexts, environments, or markets. There is no single, foundational document that synthesizes all of the information into a single resource conceptualizing the needs of the entire IT security community.
I am proud to announce that yesterday (October 3rd) my office published the IT Security Essential Body of Knowledge: A Competency and Functional Framework for IT Security Workforce Development in the Federal Register for public review and comment.
The EBK is an initiative to map IT security competencies to specific roles and functional responsibilities that apply equally in government and private sector environments. It speaks to both curriculum development in an academic setting, and to the practitioner in the enterprise.
Let me be clear about this initiative. It is not a substitute for the hard work that has already been done. Its objectives are simply to:
Improve cyber security education for IT professionals;
Establish a national baseline representing the essential knowledge and skills necessary to ensure security; and
Promote widely-recognized, vendor-neutral cyber security guidelines.
The EBK was developed in collaboration and coordination with private industry, higher education, and all levels of government. It incorporates the best practices from already existing, widely used resources, and the opinions and expertise of a wide variety of IT security stakeholders. In short, we’ve essentially integrated the common elements from the best our community has offered up, including DoD's workforce directive 8570; the Committee on National Security Systems training standards; the National Institute of Standards and Technology 800 series; the ISO/IEC standards; COBIT; and several others.
The EBK is critical to everyone in this room because once finalized, it will help determine the skills and expertise our IT security professionals need to keep the systems running now and into the future.
The convergence of voice and data communications systems, the reliance of organizations on those systems, and the ongoing threat of sophisticated adversaries and criminals seeking to compromise those systems underscore the need for well-trained, well-equipped IT security specialists. These specialists need to be good, innovative chess players, because this really is something of a technological chess match, only checkmate is not an option for us.
But it's going to take investment. I know we don't have time this evening to start another discussion about the business case; that's the topic for an entire forum. But I should just give one or two examples. Your presence here tonight certainly demonstrates your companies' understanding that the cost of investing in cyber security is considerably lower than the economic consequences of an incident.
Here's one way to look at it:
If executives are willing to invest $2.3 million for a 30-second Super Bowl television ad, then they should be willing to spend the money to protect the infrastructures that allow them to do business – to protect proprietary information, customers' personal information, company brands, and stakeholder trust.
Or just think about how dependent your supply chains are on the cyber and IT infrastructure. I saw a report from an organization called Crisis Management International, which stated that 73% of businesses that have a prolonged disruption of their supply chains for 10 days or more close, or suffer long-term impact. Cyber and IT system security are essential to keeping that supply chain operational and secure. This is about business continuity; it's about customer and shareholder confidence; and it's about risk management and liability avoidance. It's just good business sense.
So I need you to use your substantial influence in the markets to encourage other companies to make the same type of investments in their own enterprises. To make the same investment in their people.
I believe that the IT Security EBK will help organize these efforts, and think you will come to the same conclusion.
Call to action
Since we are at an Ivy League institution of higher learning, I’m going to assign two pieces of homework related to the EBK, and one related to cyber security in general.
The first assignment is to go back to your offices, download the EBK from the Federal Register website, and send it on to your colleagues. In the e-mail, be sure to tell them that they now have homework, too. Ask them to read the EBK and look for ways to improve it.
Your second assignment is to write a report analyzing the components of the EBK most directly affecting your industry sector or source of research. Give us your opinion on the ideas and practices we are proposing and offer your suggestions for areas of improvement. In other words, I am asking you to respond to the Federal Register notice. This report is due in 56 days.
Your third, and final, assignment is to be cyber security ambassadors. We need you to share your knowledge with your professional networks, friends and families, and invigorate their engagement on securing cyberspace. Using layperson language, encourage people to take the common sense steps that can directly influence the security of our cyber and physical infrastructures. It's a complex problem, but the dangers are easily understood. Help them understand what you already know – that cyber security is everyone's responsibility.
With increased knowledge and awareness comes increased security. Together, we can make this happen. We must make this happen.
Hanover, New Hampshire
(Remarks as prepared)