Today, U.S. Deputy Secretary of Commerce Bruce Andrews delivered a keynote address at the Internet Security Alliance’s (ISA) Cybersecurity Conference in Washington. The ISA is a multi-sector international trade association combining advocacy and programming on cyber risk management.

Deputy Secretary Andrews underscored the need for private and public sector collaboration to address cybercrime and evaluate risk as the digital economy continues to grow. In his remarks, the Deputy Secretary praised the Federal Communications Commission’s implementation of the NIST Cybersecurity Framework in the telecom sector.

Deputy Secretary Andrews announced the Commerce Department’s Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts. It specifically supports use of the NIST Cybersecurity Framework, a voluntary guidance based on existing standards, guidelines and practices. The Builder is available for download from the Baldrige website.

Remarks as Prepared for Delivery

Good morning everyone, and thank you, Catherine, for that kind introduction. I’m pleased to be here today with the Internet Security Alliance. This organization has played a pivotal role in bringing the issue of cybersecurity into our boardrooms and c-suites. I want to congratulate the entire ISA team, and especially President and CEO Larry Clinton, not just on the release of your “Social Contract 3.0,” but also on your 15 years of driving the national conversation on cybersecurity.

We have come a long way in those 15 years. In 2001, about 500 million people worldwide could access the Internet. Today, 45 percent of the global population - an estimated 3 billion people - are online. By 2020, another two billion will be. From social media to cloud computing, the digital economy is no longer an abstract concept. It is an everyday reality.

And as we speak, we are entering new frontiers in digitization - from the goods we manufacture to the cars we drive. Globally, more and more of our trade relationships are being defined by the data we share across borders. In our increasingly interconnected economy, a technology company in Silicon Valley may hire a team of programmers in Singapore to serve a manufacturing client in Germany. As digital commerce goes global, the opportunities for innovation, collaboration, and economic growth are virtually limitless.

Yet as distance loses relevance, a team of hackers in Russia, China, North Korea – or anywhere in the world – might as well be next-door. The cybercriminals, terrorists, and foreign governments who exploit weaknesses in our digital infrastructure grow more sophisticated every day. Whether it’s a breach exposing customer credit card records or the theft of sensitive trade secrets, stolen data is a valuable commodity.

Cyber-attacks can instantly squander billions of dollars’ worth of private investments in intellectual property and research and development, or disrupt crucial business operations. Government faces unique challenges in defending our nation in this threat environment. The vast majority of the infrastructure that underpins our digital economy, from our financial systems to our telecommunications networks, is owned and operated by private industry. When Iran launched denial-of-service attacks on U.S. banks, when North Korea infiltrated Sony Pictures, when cybercriminals injected ransomware into a California hospital’s patient management system, they targeted privately-owned infrastructure.

Neither government nor industry can confront the cyber challenges we face alone. If we want to realize the vast potential of the digital economy, the public and private sectors must work together to get cybersecurity right.  We need teamwork at every level – technical, tactical, operational and strategic.

The Department of Commerce has a unique role to play with respect to cybersecurity. I say this for two reasons: our mission and our resources. From the Patent and Trademark Office to the International Trade Administration, we are the voice of business in the federal government. Our mission is to create the economic conditions needed for businesses to compete, innovate, and grow. And in the digital age, cybersecurity is indispensable for success. Secondly, when it comes to resources, the Department of Commerce is the federal government’s digital economy agency.

Our National Telecommunications and Information Administration advises the President on far-reaching Internet policy issues, from privacy to broadband access to global Internet freedom. And our National Institute for Standards and Technology, or NIST, has contributed enormous leadership to this issue. We convened thousands of public and private sector stakeholders to develop the Cybersecurity Framework, a common language for cyber risk management. We have established the National Cybersecurity Center of Excellence, bringing industry and academia together to develop commercially-available solutions for institutions of every size. And we have spearheaded the National Initiative for Cybersecurity Education, which focuses on solving our nation’s shortage of cyber-ready professionals.

Yet the success of all of these initiatives hinges on our ability to develop meaningful metrics for cyber risk management. Across industries, many executives still struggle to make smart decisions about cybersecurity because we just don’t have mature metrics yet.

Think about it. When a Chief Financial Officer reports to a Board on the projected returns on an investment or the risk associated with acquiring new debt, the discussion is well-informed. We have hard numbers, hard-won experience, and centuries of economic analysis informing corporate decision-making. But unlike financial risk, we still lack mature metrics for cyber risk. There is little data available to determine the benefit of one investment versus another, or the cost exposure of a specific technological vulnerability.

Meanwhile, the threats we face are constantly evolving. You cannot manage what you cannot measure. Fortunately, we are making some important progress.

Yesterday, I attended Cybersecurity Regulators Forum, where we discussed how to move beyond static checklist compliance and towards accountable, measurable cyber risk management. Today I want to share with you some promising regulatory developments highlighted yesterday, and announce a new effort underway at Commerce that could help more organizations safeguard their digital assets.

First is that the FTC has released an analysis of its 60 enforcement actions for data breaches, which clarifies its “reasonableness” standard using the language of the Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover. This is a big deal. Every company wants to be better than “reasonable.” The FTC’s analysis will help C-suites and boards more confidently evaluate - and improve upon - their current cybersecurity strategies.

Second on the regulatory front is the FCC’s groundbreaking effort to apply the Cybersecurity Framework in the communications sector. More than 100 experts serving on the FCC’s private sector advisory committee have contributed to this effort. Together, they have worked to answer Chairman Tom Wheeler’s challenge for a “new paradigm” of cybersecurity – one that embraces dynamic, measurable, and accountable risk management. These recommendations are the most ambitious real-world application of the Cybersecurity Framework developed thus far. 

And this process advanced a truly innovative idea - the option for companies to voluntarily and candidly engage with the government – through their regulator –  to develop cyber risk solutions without concern about enforcement actions. We at the Department of Commerce strongly support this approach. Our hope is that this collaborative model can be replicated by other sectors in the future.

Finally, I want to close by announcing a new effort underway at NIST that could help many companies use the Cybersecurity Framework to improve their posture in the years ahead.

Some of you may be familiar with former Secretary of Commerce Mac Baldrige, who served in President Reagan’s cabinet during a time of rapid economic change around the world. As global competition heated up and posed new challenges to U.S. companies, Mac organized a Conference on Productivity at the White House. One of the ideas born out of that conference was our need for a national medal for productivity, and new tools for companies to improve efficiency and performance.

While Mac tragically died in a rodeo accident before Congress passed the program, it was renamed in his honor and signed into law by President Reagan. Today, the presidential Malcolm Baldrige National Quality Award is our nation’s premier award for organizational excellence. And at NIST, the Baldrige Excellence Performance Program is globally-renowned for helping leaders gain a “systems perspective” of their organization that enables them to improve quality and performance. This approach is ideal for the challenges of cyber risk management.

That is why, with support from U.S. Chief Information Officer Tony Scott, NIST set out to design a self-assessment tool combing the Cybersecurity Framework with the Baldrige approach to organizational excellence. After months of collaboration between NIST, the CIO’s office, and industry stakeholders, today we are proud to launch our first draft of the Baldrige Cybersecurity Excellence Builder. We are excited to hear what leaders like all of you think. You can download the draft at nist.gov/Baldrige.

Depending on industry interest the weeks ahead, we hope to expand this initiative to add voluntary assessments, recognitions, and best-practices sharing. Our goal is to empower businesses of every size and every sector with the right tools to secure themselves in a threat landscape that is ever-evolving. Static, checklist-style compliance just won’t do. In business and in government, we all must move towards dynamic, accountable approaches to cyber risk management.

Developing the metrics will demand we work together. That’s why today’s conversation – and ISA’s mission - is so important. We can try to tackle the cyber threats we face alone, and risk watching our cyber adversaries threaten our national security and our economic future. Or, we can work together, share our insights, and develop real, proven methods for managing cyber risk.

The choice is clear. Close and constant government-industry cooperation is our best shot at securing – and growing – the digital economy.  Thank you.