U.S. Secretary of Commerce Penny Pritzker Urges Leaders to Develop Cybersecurity Metrics at National Security Telecommunications Advisory Committee Meeting


Wednesday, May 11, 2016

Today, U.S. Secretary of Commerce Penny Pritzker delivered remarks at the National Security Telecommunications Advisory Committee (NSTAC) meeting. Established over three decades ago, NSTAC brings together industry leaders to advise the President on issues related to telecommunications, national security, emergency preparedness, and cybersecurity.

During her remarks, Secretary Pritzker discussed the important role that public-private sector collaboration plays in securing the digital economy, and urged industry leaders to help develop metrics for better measuring and managing cyber risk.

Remarks As Prepared For Delivery

I am honored to be here today. Mark, thank you for the invitation. The fact that three cabinet members are present is clear evidence of how critical cybersecurity is to our economy and to our national security and the importance the President places on your work. As the voice of American business in policymaking, the Department of Commerce plays an important role on cybersecurity issues. Put simply: the cybersecurity of our businesses is directly tied to the security of our economy and our nation.

In the 21st century digital economy, networks serve as our country’s backbone. Businesses of every size rely on the Internet for basic functionality. Without safe and reliable networks: payments would not be processed. Goods and services would not be delivered. New customers would not be reached. Without safe and reliable networks, our entire economy would be “disrupted” and not in a good way.

The Internet is also a powerful source for innovation. And the fourth industrial revolution is only just beginning.  As manufacturing goes digital, as cars go driverless, as more devices become connected, security becomes even more critical. Safe, reliable networks are essential to global commerce. Today, a start-up in California can win support from investors in London, open up a factory in Singapore, and monitor production over cloud servers housed in Virginia. Markets around the world are now virtually next-door.

Yet as distance becomes irrelevant for business, it becomes irrelevant for bad actors as well. New technologies provide hackers, cybercriminals, terrorists, and foreign governments with new opportunities for exploiting weaknesses in our digital infrastructure. Every consumer, every business, and every government agency, whether federal, state, or local, is on the front lines.

In the digital age, stolen data is a valuable commodity. More than half a billion personal records were compromised in 2015. Cyber-attacks can instantly squander billions of dollars’ worth of public and private investments in proprietary technology, intellectual property, and research and development. These attacks, along with threats against our telecommunications systems, financial networks, power grids, and other critical infrastructure, jeopardize our national security and our economic security.

Cybersecurity is not a traditional national security issue that can be handled exclusively by our law enforcement, military, or intelligence services alone.  At the Department of Commerce, we believe that cybersecurity starts with business. Government alone is not capable of securing our digital economy.  The vast majority of our digital infrastructure - our financial networks, health care systems, power grids - is owned and operated by the private sector.

When Iran attacked our banks and infiltrated the control system of a dam in New York, they targeted and used privately-owned infrastructure. When North Korea attacked Sony Pictures, they destroyed millions of dollars in equipment and damaged one of America’s largest companies. Threats of this scale undermine not only the strength of our economy but the basic functionality of our society.  And neither the public nor the private sector can handle this alone. We must have close and constant cooperation between government and industry. This must be our guiding principle for cybersecurity.

The Commerce Department has partnered on cybersecurity with many of the companies represented on NSTAC:  several of you have contributed to the Cybersecurity Framework – the common language for managing cyber risk developed by our National Institutes for Standards and Technology. Others are corporate sponsors for our National Cybersecurity Center for Excellence. And some of you have provided guidance on workforce training through our National Initiative for Cybersecurity Education. The work behind these efforts is important. But I am not here to list every example of the Commerce Department’s work. I am here to seek your input on how to better manage cyber risk.

On February 9th, President Obama unveiled the Commission on Enhancing National Cybersecurity, staffed by the Department of Commerce. The Commission is charged with delivering a long-term cybersecurity strategy by December 1st of this year. The President wants actionable recommendations from the Commission that government and industry can implement over the next decade to strengthen our cybersecurity posture.   

This Commission is grappling with many issues. The one I want to highlight for you today is the fact that when it comes to cybersecurity, we still lack reliable methods for: measuring risk; conducting cost-benefit analyses; and making informed investment decisions to defend against cyber threats.  Every company relies on numbers. CEOs think in terms of profit centers and cost centers, long-term projections. Managing financial risk is a basic element of running a business. But we are missing good metrics for cybersecurity.

Only now are we beginning to understand the costs of certain types of data breaches, like personally-identifiable information theft.  Mature actuarial calculations do not yet exist for insurance underwriting of disruptions to business operations due to a cyber attack, intellectual property theft from a network breach, or damage from corporate espionage through the Internet. It is no surprise that according to a recent NASDAQ poll, over 90 percent of board members in cyber-vulnerable companies said they cannot interpret their cybersecurity reports.  And today, it is hard to define a company that is not cyber vulnerable.

Today, when the Chief Information Officer briefs the C-Suite or the Board on a company’s cyber vulnerabilities or proposes new investments, executives do not have a sufficient understanding of the technical terms. Nor do executives have metrics to answer questions like: how costly would a disruption to our business operations be? What are the measurable benefits of one cybersecurity investment versus another? What kind of employee trainings or technical upgrades are the most cost-effective?

Without better metrics for understanding cyber risk, business leaders just have to trust that their IT departments are getting it right. As someone who has run businesses for 27 years and sat on many boards, like you I know that good risk management requires incisive and discerning data. Business leaders need reliable metrics to make smart cybersecurity investments. Too often, actions taken by executives in the aftermath of cyber attacks are mere gestures, even at the most sophisticated and well-resourced companies.  We must move past this notion that doubling your cybersecurity budget doubles your cybersecurity. To do so, we need your help.

Today, I ask the business leaders in this room to turn your expertise into actionable recommendations and share your best ideas with the President’s Cybersecurity Commission. Next Monday, the Commission will be looking into these and related issues at a public meeting in New York. In the coming weeks, there will be opportunities to provide the Commission with your formal input.  Please seize that opportunity and give the Commission your recommendations on how to measure, and ultimately put a price on, the costs and benefits of managing cybersecurity threats and protecting our digital assets.

From e-commerce and social media to cloud computing and the Internet of Things, we live in a time of unprecedented innovation.  That innovation presents the American people with extraordinary new opportunities, as well as new threats.  Government and industry must work together to defeat those threats. Only together can we ensure the opportunities made possible by today’s innovations far outweigh the risks. Thank you.

Last updated: 2016-05-12 08:31