Jeh Johnson on U.S. Cybersecurity Readiness

Wednesday, November 4, 2015
Speakers
Andrea Mitchell

Chief Foreign Affairs Correspondent, NBC News

Jeh Charles Johnson

Secretary, U.S. Department of Homeland Security

Jeh Charles Johnson, secretary of homeland security, joins NBC News' Andrea Mitchell to discuss the state of U.S. cybersecurity readiness. In his opening remarks, Johnson emphasizes the need for robust cybersecurity in an "interconnected, networked world." He additionally stresses the need for government to strike a balance between security and openness. Over the course of the conversation that follows, Johnson describes the role of the U.S. Department of Homeland Security in protecting U.S. critical infrastructure and networks.

This symposium is held in collaboration with CFR’s Digital and Cyberspace Policy Program.

The Malcolm and Carolyn Wiener Lecture on Science and Technology addresses issues at the intersection of science, technology, and foreign policy. It has been endowed in perpetuity through a gift from CFR members Malcolm and Carolyn Wiener.

MITCHELL: Hello, everyone. Welcome. I am Andrea Mitchell from NBC News and MSNBC. And I’m delighted to be here, and to be here to introduce someone whom we have all seen working in so many high-profile roles in this administration, Jeh Johnson, the secretary of Homeland Security. Previously he, of course, was general counsel at DOD, dealing with issues as diverse as Guantanamo and a lot of the other major challenges at the Pentagon. And I’m welcoming you, of course, to this lecture, which is the Malcolm and Carolyn Wiener Lecture on Science and Technology, the keynote. Many of you have been here all day talking about cybersecurity, and now we’re grateful to Secretary Johnson to talk about cybersecurity and the perspective of Homeland Security. And afterwards, of course, we’ll have a moderated conversation.

Secretary Johnson, thank you. (Applause.)

JOHNSON: Thank you very much, Andrea. This is the second time in about a month that Andrea and I have done a public session like this together with Q&A. Just before we came out, she said: You mean, I have to read his bio? And so she just totally made that up. It was very good. (Laughter.)

Thank you very much for inviting me here. I am a member of the Council on Foreign Relations, and have been since about 2002. Started working when I was practicing law in New York, attended meetings in the New York office on East 68th Street. It’s a wonderful organization. The thing I always enjoyed most about the Council on Foreign Relations was proposing people for term membership. How many term members are in the room? Just raise your hands. It’s a real terrific opportunity to introduce younger people to the terrific work of this organization and national and international policy.

I’m aware of the discussions that occurred here this morning concerning cybersecurity and how informative they were. I wish not to repeat entirely everything you heard this morning, but I will offer my perspectives. I want to conclude today’s program with the following thoughts: I begin this speech like I end most of them. I tell audiences that homeland security is a balance—a balance between basic physical security and the freedoms we expect as Americans. As I have said many times, I can build you a perfectly safe city, but it will look like a prison. We can build more walls, install more invasive screening, interrogate more people, and make everyone suspicious of each other, but we should not do this at the cost of who we are as a nation of people who cherish privacy, value the freedom to travel and associate, and celebrate our diversity.

The same is true of cybersecurity. Cybersecurity involves striking a balance. I can build you a perfectly safe email system, but your contact will be limited to about 10 people and you would be disconnected entirely from the Internet and the outside world. This too would look like a prison—an information prison. The reality is, we live in an interconnected, networked world. Cybersecurity must, therefore, also be a balance between the basic security of online information and the ability to communicate with and benefit from the networked world.

In the meantime, the reach and interconnectivity of the Internet is growing at a rapid rate. Today, there are more connected devices than human beings on the planet. In just five years, the number of devices connected to the Internet is estimated to exceed 50 billion. At the same time, cyber threats are increasing in their frequency, scale, sophistication and severity. The ranges of cyber threat actors, including methods of attack and target victims, are also expanding. This affects everyone, both in government and in the private sector across the country and around the globe. Not a week goes by without a news report of another organization being hacked. These threats come from a range of actors including nation-states with highly sophisticated capabilities, profit-motivated criminals, and ideologically motivated hackers or extremists.

Cybersecurity is a top priority for me, the president, and this administration. I am determined to make tangible improvements to our cybersecurity before leaving office as secretary of Homeland Security. We are taking aggressive strides in that direction. Today I’d like to report on three developments. First, I congratulate both houses of Congress for passing cybersecurity legislation this year. Congress is actually getting some stuff done, and in bipartisan fashion. The budget deal got everyone’s attention last week. Less noticed was the passage by the Senate last week of S. 754, the Cybersecurity Information Sharing Act of 2015. Earlier this year, the House passed H.R. 1731, the National Cybersecurity Protection Advancement Act, and H.R. 1560, the Protecting Cyber Networks Act. All three of these bills are good for cybersecurity.

These bills strengthen the role of the Department of Homeland Security in our nation’s cybersecurity efforts. Both the House and Senate bills incentivize the private sector to share cyber threat indicators with the federal government through a single portal at the National Cybersecurity and Communications Integration Center, also known as our NCCIC at the Department of Homeland Security. At the same time, we are equipping the NCCIC to share this information rapidly and in automated fashion with other federal agencies, and to do so with appropriate protections for privacy. For the private sector, the principal incentive for information sharing in these bills is the limitation on civil and criminal liability. The legislation passed by the House and Senate also specifically authorizes DHS to deploy our intrusion detection and prevention system, called EINSTEIN, across the federal government. For reasons I will explain later, this technology is key to DHS’s efforts to protect federal civilian networks.

For their leadership in the passage of these bills, I thank Senators Burr, Feinstein, Johnson, and Carper. And on the House side, Mike McCaul, who I know was here earlier, Bennie Thompson, Devin Nunes, and Adam Schiff. I urge the Congress to proceed to conference on these House and Senate bills as soon as possible, so that we can get these bills to the president’s desk and they can become law. The action by Congress this year builds greatly on cyber legislation passed last year, the Federal Information Security Modernization Act of 2014, as well as new laws that provide DHS additional authorities to hire cyber talent and codify the role of the NCCIC as the federal interface with the private sector for cybersecurity. With the help of Congress, we are strengthening our ability to protect the cybersecurity of the American public, American businesses, and the federal government.

Second point, in connection with the visit of President of China Xi Jinping in September, our two governments announced several commitments to address our differences on cyber issues. In September, the United States and China agreed that both states should increase law enforcement communications regarding malicious cyber activities, including breaches of sensitive information, and provide timely responses to requests for information and assistance concerning those activities. Both nations agreed to provide updates to the other side on the status and results of these investigations, and take appropriate action. The United States and China agreed that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets and other confidential business information with the intent of providing competitive advantages to companies or commercial sectors. Such a commitment was uttered by President Xi himself in a speech he delivered in Seattle while he was here in September.

Finally, as a means of ensuring that these commitments are upheld, we agreed to a regular ministerial-level dialogue on these issues involving, on the U.S. side, the secretary of Homeland Security, that’s me, and the attorney general. The first of these meetings will occur here in Washington on December 1st and 2nd. Time will tell whether the Chinese government’s commitments in writing are matched by action. I intend to remain personally engaged on these issues. These commitments do not resolve all our challenges with China on cyber issues, but they do represent a step forward in our efforts to address one of the sharpest areas of disagreement in the U.S.-China bilateral relationship.

Third and final point, as secretary of Homeland Security, I have directed an aggressive timetable for improving cybersecurity of the federal civilian dot-gov network. As the OPM breach painfully demonstrated, our federal cybersecurity efforts are not where they need to be. But we are improving by detecting and blocking more and more intrusions every day. First, at DHS, we recently made the first phase of our continuous diagnostics and mitigation program available to 97 percent of the federal civilian dot-gov network. We met this milestone weeks ahead of schedule. This program, known as CDM, helps federal agencies identify and fix problems on their networks in near real-time. Agencies are now working diligently to deploy CDM. Once fully implemented, CDM will monitor agency networks internally for vulnerabilities that could be exploited by bad actors and have reached the perimeter.

Second, on October 31st we reached a major milestone in our efforts to automate our sharing of cyber threat indicators. Our system to send and receive this cyber threat information in near real time is now up and running. We are working with multiple agencies and private sector partners to expand the number of those sharing and receiving information through the automated system. Third, as directed by the president in Executive Order 13691, on September 3rd we at DHS announced the selection of the University of Texas at San Antonio as the standards organization to develop best practices for information sharing and analysis organizations. By supporting the development of these ISAOs, we will help companies, regardless of size, location or sector, share information with their peers and with the Department of Homeland Security.

Fourth, we have seen great success from the binding operational directive that I issued in May, based upon the authority provided to me by Congress last year. This directive required agencies to promptly fix critical vulnerabilities identified by the NCCIC on their networks. Departments and agencies responded to this directive quickly. When I issued the directive, we had identified 363 critical vulnerabilities across federal agencies. Of those, agencies have now fixed nearly 99 percent of them. But we are discovering more critical vulnerabilities every day, and our numbers of vulnerabilities are still higher than I’d like, although far lower than 363. I recently urged my fellow agency heads to remain vigilant and ensure that they keep up their critical effort to rapidly fix vulnerabilities on their networks.

Fifth, I have directed my team to dramatically accelerate the deployment of EINSTEIN 3 Accelerated, also known as E3A. I have told them to make at least one E3A security measure available to all federal agencies by the end of 2015. We now protect 47 percent of the federal government with E3A. And to date, we have blocked over 700,000 actions that may be trying to steal government data. E3A is the intrusion prevention portion of our broader EINSTEIN program, and has the capacity to both identify and block known malicious traffic. Significantly, E3A will serve also as a platform for future technology to go further in recognizing and blocking suspicious and unwanted intrusions.

There is no one silver bullet for cybersecurity. But we are moving forward urgently to address a shared problem. My goal, for the remainder of this administration, is for the entire civilian government to be covered by a common baseline of security, provided through E3A and CDM, and to maximize the number of companies benefiting from cybersecurity information sharing with the Department of Homeland Security. We’ll face more challenges ahead, but we are taking aggressive action and are well on the way.

Given my own experiences as a New Yorker and a Department of Defense official, I have said many times in speeches that the cornerstone mission of the Department of Homeland Security, created in the wake of 9/11, is counterterrorism. I recognize that cybersecurity must exist alongside counterterrorism, as one of our top priorities, for the protection of the American people, American businesses large and small, and the federal government. Toward this goal, we at the Department of Homeland Security have made considerable progress. There is more to do, and we will continue on this path. Thank you. (Applause.)

MITCHELL: Thank you very much. I first wanted to ask you about fixing the problem, since you’re Mr. Fix-it for this problem. Forty-seven percent? Isn’t that taking too long? And the fact that OPM has only notified a quarter of the 21 ½ million people who were affected by that hack, why is it taking so long for them to notify and to get this thing fixed?

JOHNSON: Well, there are two separate issues that need fixing there. One, we have three iterations of our EINSTEIN system up and running now. Number one monitors systems. Number two detects bad actors. And number three blocks. One and two are up pretty much across the entire civilian dot-gov. EINSTEIN 3, which came on just recently, is now out there for 47 percent of federal civilian dot-gov. The DOD and the intelligence community take care of themselves. And earlier this year, I told my folks, we need a deadline. You know, like lawyers—I know, because I’m a lawyer—you don’t need more time, you just need a deadline very often. (Laughter.) So I said, all right, we’ve got to have at least some aspects of E3A, because E3A blocks known bad actors, up and available by a date certain. And I set the end of this year. So our folks are accelerating that process, but this is with respect to a system that came online not that long ago.

In terms of the notification from OPM, OPM I know is doing this in phases. It’s a large number of people. It’s approximately 20 million-or-so people, including presumably myself. And I know they’re working full-time on the effort, but it’s not something I manage. It’s an OPM project.

MITCHELL: Well, the fact is, though, as a matter of national security, OPM first only acknowledged a couple of million, maybe 4 million, then reluctantly conceded how large that hack was. That hack involves the security clearances of current and former officials, and non-officials, including yourself. Isn’t this a national security issue which they now acknowledge could affect people who have covert roles overseas?

JOHNSON: Well, it very definitely is a national security issue. The original notice went out to those for whom there were background checks. And the second notice, as I recall, goes out with respect to those who may have had their SF 286 compromised in some way. And so it’s a separate notification for a separate file, is how OPM regards this. And, yes, there is presumably sensitive information that was—that was breached. A lot of—a lot of people in government, including in national security.

MITCHELL: And does there need to be a more aggressive response—

JOHNSON: Actually, let me—let me fix that. My recollection is that the first wave was with respect to personnel files, and I think the second wave was with respect to background checks.

MITCHELL: But there is a sense that the government, that the administration has not been aggressive enough in its response. I know that this is not your personal issue, but as an administration has the OPM breach been handled as aggressively as it should have been?

JOHNSON: Well, let me say this, every agency head is responsible legally for their own systems. DHS, we’re responsible for the protection of the overall system across the entire federal government. For a lot of people, for a lot of agency heads, Cabinet department heads, cybersecurity is something that is not intuitive to them. It’s not their first nature to understand fully. And so very definitely the OPM breach has gotten the attention of a lot of people. When I issued this binding operational directive in May to people, it got a lot of attention. I followed it up with prods personally to Cabinet heads. And we got the response we got because of this heightened awareness. And when I talk to the Cabinet, I remind them that each of you has your own legal responsibility for the security of your systems. I’m not responsible for that, you are, just like a CEO of a business, of a public corporation.

And so I think we’ve very definitely seen this year a heightened awareness and a heightened concern, but cybersecurity is—it’s something that I’ve had to learn, myself, to the point where I hope I’m an expert. But it’s not always something that Cabinet heads know—you know, know cold.

MITCHELL: Which brings me to the CIA director, John Brennan, being hacked, substantially invaded by—reportedly by a high school kid. How do we explain that? And your—one of your accounts was also intruded upon, maybe to a less—less invasively, but you were mentioned in that as well.

JOHNSON: Well, the matter is under investigation. I will say on my own behalf that what happened basically was somebody called Comcast and—you know, posing as me, and was able to gain access to certain parts of my account and my house, and a phone I never use. So you know, that’s an issue I am taking up with Comcast. (Laughter.) But—

MITCHELL: I really had to ask that question, didn’t I?

JOHNSON: But the entire matter is under investigation. I can’t comment—I can’t comment about what’s going on with John Brennan. But I’m sure he takes this very seriously. And I know he’s very upset.

MITCHELL: I can only—I can only imagine. (Laughter.) I wanted to talk about state actors, because the administration was relatively quick to accuse North Korea publicly of the Sony breach, but has been much more discrete about any finger-pointing toward Russia or China regarding the State Department breach and what has happened with China more recently. I know there are a lot of different equities, but how are we ever going to be effective against state actors if we don’t take stronger action when we find them getting into the most sensitive White House and State Department records?

JOHNSON: Well, you’re correct that there are a lot of equities and factors and considerations that go into the mix as to when we publicly identify someone that we believe was responsible for a cyberattack. It is also the case that the book is not necessarily closed with respect to responses to various attacks that have occurred in the past or may occur in the future. The book is not necessarily closed. And so there are a variety of things that get evaluated and considered. And that’s pretty much where we are.

MITCHELL: Why should we take this—

JOHNSON: Sorry to be so vague.

MITCHELL: Well, why should we take this breakthrough between President Obama and President Xi seriously when there’s plenty of evidence that there are military players in China—we have pictures of the building in Shanghai of one unit, The Wall Street Journal has done extensive reporting on one particular military person posing as a corporate person. There’s plenty of evidence of military involvement from the Chinese military in some of the more extensive hacks here, in both the corporate and the public sector.

JOHNSON: Well, as I said in my prepared remarks, time will tell whether actions match the commitments that the Chinese government has made. I and others believe that the agreement we reached in the run-up to the president’s visit and at the president’s visit is significant because we now have a baseline of agreed-upon behavior and unacceptable behavior that even the president of China himself uttered in his speech in Seattle. We have a baseline commitment from the Chinese government to what they regard as acceptable and unacceptable behavior. And I have to believe that the Chinese government that is anxious to be considered a world player and a world actor and a partner would take very seriously the commitments they make at the highest levels of their government.

MITCHELL: Regarding the Senate bill, and we know that the legislation has to go through conference, but the critics of the bill, including the ACLU who have cited privacy concerns, say that this is basically giving the FBI and NSA a backdoor into their—into Internet accounts. Why are they wrong?

JOHNSON: We worked very hard with the Congress to establish DHS, which was a civilian agency, as the single portal through which we are encouraging the private sector to provide cyber threat indicators, for which there is a limitation on civil and criminal liability if you do. And at DHS, we have constructed a system for real-time and near-real-time information sharing with a privacy scrub built into the system where a privacy scrub is necessary. And that is unique among all the federal agencies.

And we’ve set it up that way so that when information is shared with other federal departments and agencies, we have vetted it to ensure privacy. And that was a critical component of the Senate bill in particular, and there’s a different version of it in the House bill, which I hope gets worked out in conference. But I am satisfied that both pieces of legislation provide for adequate privacy protections coming with respect to information from the private sector. And it’s something we’ve worked hard on. And I think we’ve struck the right balance.

MITCHELL: Terror groups, notably ISIS or ISIL, have become increasingly sophisticated in their online presence and in their use of social media as a recruitment tool and as a propaganda tool. How are we progressing in this moving target of trying to keep up with what they’re doing online?

JOHNSON: Well, not as fast as I would like to see us. I just two days ago met with some executives from tech companies in New York to talk about this exact issue. And I’ve spent a lot of time around the country with leaders of Muslim communities and talking with them about developing the counter message to the ISIL message, which is very slick and very effective. The counter message exists in some quarters, but it needs a larger microphone. It needs a larger platform, which is where I think the tech companies can help. And so I’m hoping to take our countering violent extremism efforts to that next level, to partner the tech sector with those who want to counter this message. And I think that’s got to be a top priority. That should happen yesterday because the Islamic State is out there targeting young people now with their message.

MITCHELL: Ted Koppel in his new book is raising concerns about our vulnerability to the power grid. How vulnerable are we in terms of infrastructure?

JOHNSON: We have—I think Mr. Koppel has raised the visibility on an issue that is definitely an issue. Of the range of homeland security threats out there that we have to be responsible for, I would characterize this one as low probability relative to others, but high risk, high cost, and so—with potentially far-reaching consequences. And so we do have to be prepared.

Following the earthquake in Japan in 2012, the power grid sector itself came together in something called the Electric Sector Communications (sic; Coordinating) Council—I think that’s—ESCC, I think that’s the acronym. And DHS and DOE are a part of this. We meet regularly to talk about scenarios, to build scenarios, to talk about scenarios in which, for example, transformers have to be moved from one part of the country to the other. We do tabletop exercises, another one I think later this month at which the deputy secretary’s going to participate. And we do have a National Cyber Incident Plan that is a working document. It hasn’t been finalized yet. And potential attacks on the power grid are part of that plan.

But there is more we can do there. But we—this is something that we have, partnering with the private sector, with critical infrastructure, in thinking about actively.

MITCHELL: Before I move it out to our colleagues in the audience, you’ve admitted to binge-watching “Homeland.” (Laughter.) What are the biggest similarities or differences—(laughter)—between your job and Carrie Mathison’s? (Laughter.)

JOHNSON: Well, the reason I binge-watch “Homeland” is because the similarities are almost zero. (Laughter.) I’ll leave it at that. But yes, I was—that was a—I never thought I would be in the—I never thought I would be in The New York Times Style Section. (Laughter.) But that—

MITCHELL: And on page one, no less.

JOHNSON: But that was a pretty cool discussion, yes.

MITCHELL: Well, clearly it is time to go to the floor. So let me start right here in the front row, if you could bring the microphones around.

Q: Thank you. Alan Raul, Sidley Austin.

Mr. Secretary, you mentioned EINSTEIN and EINSTEIN 3, and that it’s being deployed across the dot-gov and the civilian government sector. What about for the private sector? A lot of the—a lot of the important assets that are being compromised are in the private sector. Is there anything that DHS can do to make EINSTEIN or other technologies available to the private sector to help protect that? And are there privacy concerns? Has—for example, has Office of Legal Counsel done any legal analysis with regard to EINSTEIN 3 as they did for the earlier versions of it, and could that be made available?

JOHNSON: Well, the answer is yes, we do share information about latest technology. There are, depending on the sector, depending on the size of the company, some really, really sophisticated private actors out there that do cybersecurity internal to themselves really well, and I know that there are other EINSTEIN-type systems out there. The virtue of the EINSTEIN system is that it has the ability to incorporate classified information into its own thinking in terms of identifying malicious bad actors, and that’s—so therefore that’s unique to the federal government, and which makes the system unique. But we do share information about latest technologies.

And the point that I think bears repeating over and over again—which I hope was repeated this morning—is that very often the most sophisticated, devastating attacks from the most sophisticated actors are caused simply by a simple little innocent act of spear phishing and somebody opening an email attachment that they shouldn’t have. And so there’s an education and an awareness that we could all do with our colleagues, with our workforces at a place like Sidley and Austin, where you educate the associates about the hazards of opening an email that they shouldn’t open that they don’t recognize. And that really can raise awareness.

Within DHS we had a neat little exercise on this. We send out these test emails to people to see if they will open them. So there was one that went out to a large number of people: “Free Redskins Tickets”—(laughter)—“Click Here.” And the attachment says, show up in Room 120 or whatever it is on Monday, November 2 for your free Redskins tickets. And so a lot of people showed up and they got a cybersecurity lecture instead. (Laughter.) So there are neat little things you could do at Sidley and Austin like that. But I can’t stress enough that, you know, cybersecurity is a hugely complex subject, but there’s a real basic element of education we can give to people about the hazards of spear phishing at Sidley and Austin, NBC, wherever, that could prevent a lot of this.

MITCHELL: Yeah.

Q: Hi. Joe Marks from Politico.

Secretary Johnson, you said that December 1st and 2nd is going to be the U.S.-China ministerial meeting. Is that going to be an important deadline for determining whether or not China has been complying with the no commercial hacking agreement? And if you are not seeing compliance—if you aren’t seeing those numbers drop by then—what’s going to happen?

JOHNSON: I would not characterize our first ministerial as any sort of deadline, and I think we will assess compliance with the written commitments as we go. But I do think that assessing compliance and assessing actions in accordance with agreements is fundamental to the agreement itself.

MITCHELL: It was noted during one of the panels—the second panel today—that Chris Painter said that sanctions are not the only tool against government actors. What other tools are there at the disposal of the government?

JOHNSON: There is a range of things that—

MITCHELL: Hypothetically.

JOHNSON: —the U.S. government could do in response to a cyberattack by a state actor. And going back to my lawyer days at the Department of Defense, they don’t necessarily need to be in kind in response. So there’s a range of proportionate actions that could be taken in response, but that is—that is a—you know, a government action.

MITCHELL: Yes, ma’am.

Q: I want to thank you both for being here. This has been an extraordinary day in terms of, I think, opening our eyes to the cybersecurity—the breadth of issues that you’re all dealing with.

And I apologize, you mentioned Guantanamo. I was in Cuba two weeks ago on a returned Peace Corps volunteer association meeting, and one of our members—a lawyer—suggested that Guantanamo should be turned into a national park jointly supervised by the U.S. and Cuba. And I only tell it to you hoping you might pass this on to somebody else who might consider that as a solution. (Laughs.)

JOHNSON: I will say this: our president does not need any additional motivation to close Guantanamo. (Laughter.)

Q: No, I know. I just—what to do with it.

JOHNSON: He’s very committed to closing Guantanamo.

Q: Yeah, no, no, that I know. This was just a suggestion for what he might do.

JOHNSON: OK.

MITCHELL: Thank you. Let’s go to the back.

JOHNSON: By the way, my deputy secretary, who is the highest-ranking Cuban-American in this administration—Alejandro Mayorkas—just returned from Cuba. He had not been there since he was one year old. And he left in 1960 with his parents, and this is the first time he went back, last week. I said to him I cannot imagine the emotion within you with such a visit, and it was truly special for him, and historic.

Q: It’s very vibrant.

MITCHELL: And was he meeting with his counterparts in Cuba on mutual issues?

JOHNSON: Yeah. There were—there were—there were meetings with government folks, yes.

Q: Steve Flynn with the Kostas Research Institute at Northeastern University.

Mr. Secretary, you’re struggling, I think, like everybody else for talent to deal with this threat, and the private sector obviously is trying to hire. We’ve heard today, obviously, this is a global issue for talent. How’s it going in the Department of Homeland Security with making sure that you have the kind of people who can help manage the scale of the threat you’ve talked about today?

JOHNSON: Yes, the struggle for cyber talent is like the struggle, perhaps even more pronounced, for good lawyers. (Laughter.) And so, you know, I make probably about what a third- or fourth-year associate at Sidley and Austin makes, and my job is a Cabinet official and a CEO of an organization of 240,000 people. My basic appeal, when I go to campuses and universities and colleges around the country, is, to the young cyber talent, is please consider serving your country for a couple years. I’m not asking you to stick with us for your entire adult life, for your entire career, but how about servicing your—how about serving your country for a couple years? It will benefit you in the long run when you—when you go work for Citigroup or JPMorgan Chase or a cybersecurity firm.

But we did get some help from Congress last year in enabling us to hire more cybersecurity talent, but it is a real, real need. I lose really good people to the private sector who are experts in cybersecurity, and I want to attract more.

MITCHELL: There’s a former NSA director who actually went to hacker conventions to try to recruit wearing T-shirts.

JOHNSON: Right.

MITCHELL: Have you ever thought of doing that?

JOHNSON: We’ve done that too. Yeah, we’ve done that too. (Laughter.) The deputy secretary went to one, and I think he took out his cellphone and said, OK, who can make my phone ring in the next minute. (Laughter.)

MITCHELL: And how did that turn out?

JOHNSON: He hasn’t told me. (Laughter.)

MITCHELL: Yes?

Q: Beverly Lindsay, University College London. I have a—oh. (Comes on mic.) Beverly Lindsay, University College London.

I have a follow-up question about the talent. You mentioned that the University of Texas-San Antonio, which is a Hispanic-serving institution, as one of the sites in your point number three. Your alma mater is Morehouse College, which has some very good linkages with Georgia Tech, dealing with some of these STEM areas.

JOHNSON: Yes. Mmm hmm.

Q: My question—and I also have research in London dealing with underrepresented groups—Pakistanis, Bangladeshis, African, Caribbean. Less than 2 percent of our doctoral programs in the United States are awarded, particularly in cybersecurity and related areas, to people of color. Are there some particular examples that we might think about, or new initiatives? I know you were also at DOD.

JOHNSON: Well, first of all, DHS—the Department of Homeland Security—is probably the most diverse department of our government I’ve ever worked for, from the level of secretary and deputy secretary on down. I am interested in recruiting diversity in cyber talent, which is why I have been to HBCUs to talk about cybersecurity, as well as other large and capable colleges and universities, and I think there’s a real interest there. And I know the virtue of diversity in a workforce and diversity in a high-skilled workforce, so it’s something I’m committed to.

Q: Hi. Sean Linges (sp) with SCW (sp).

Picking up on something Andrea said about kind of the buck stopping with DHS on cybersecurity, I realize OPM is its own agency. But with the national security implications of that breach, can you describe behind the scenes what happened with you, your officials, and OPM in reviewing their security protocols after the breach? And have you looked at their plans for IT modernization where they’re moving all these applications to a new environment that some say hasn’t been fully vetted by security experts?

JOHNSON: We have—I mean, both before and after the intrusion was revealed, DHS was called in to do, you know, basically a diagnostic. And we’ve been working with OPM ever since, DHS along with other agencies that are expert at this. And we’ve been working with them ever since, and we’ve been working with other agencies to make sure that their house is in order too. So, you know, what I mentioned earlier about the 363 critical vulnerabilities, people are motivated now and they’re motivated to reduce that number.

You know, we’ve talked previously about the events at OPM. And you know, they did eventually discover what happened, with our help, and we’re—and I know Beth Cobert is very focused on this and is going to continue to work with us.

MITCHELL: Is one of the vulnerabilities our reliance on contractors—OPM’s reliance on contractors for security clearances?

JOHNSON: I would not—only in the sense that the more systems on which you have to rely to be the custodians of sensitive information, that’s a vulnerability. If you have to rely on five systems versus one to be the custodian of sensitive information, that’s always a vulnerability just by sheer virtue of the—of the numbers. But I would not—I would not say that reliance on private contractors in and of itself creates a vulnerability. It might provide a lot of expertise, in fact.

MITCHELL: Go back over there. Yes? On the aisle, thank you.

Q: Hi. Chris Castelli with Inside Cybersecurity.

DHS is working on a 2015 Cyber Strategy. What can you tell us about that document? How soon do you expect it to come out? What sort of value do you expect it to add? Do you anticipate major changes in that strategy?

JOHNSON: Well, in general I want to finish it up. I want to complete it on my watch. And I have told my folks that I want to see tangible improvements both in the department and across the entire federal government on my watch, which is why I have our folks working pretty hard to meet the timetable that I’ve set out for various different milestones, including that one, but others as well—CDM, which I’ve talked about; real-time information sharing; deployment of E3A. And so these are things across the board that I have set for our people. And we’re going to stick to it, and as far as I know they are on schedule.

MITCHELL: Yes?

Q: Thank you. I’m going back to the workforce issue because I—my name’s Tony Summerlin. I work with the FCC.

I’ve worked very closely with Karen Evans on Cyber Challenge, and the number-one question of all those kids who do red team/blue team is why they can’t get hired by the federal government. And—

JOHNSON: They should come talk to me.

Q: Yeah. It’s, I mean, the hiring process—and we’ve gone through it—is absolutely brutal. And usually you want people that look like the enemy and can be like the enemy, and I mean, I remember in the ’70s in my poly they said, well, did you ever do drugs? And I said, well, don’t be ridiculous; of course I did. I mean, everyone did. (Laughter.) But you know, they have bans on people if they’ve smoked marijuana or if they—and all of these things are indicators of a serious problem. I mean, NSA issues waivers on this. But I think the hiring process—I don’t know if anyone’s—the question is, is anyone looking at the fact that the people you’re trying to hire really don’t exist because—(laughter)—the people that are really good at this—I mean, I hired a 17-year-old and I said, I bet you in 48 hours he can break this, and he did it in like six. But he can’t get hired in the government and the FBI hires everyone they bust, so those people are out of the market. (Laughter.) So I just wonder if we can just realign our chico priorities so that we can actually hire the people that want to do this, because Cyber Challenge is putting out hundreds and hundreds of these people and they cannot get hired by Bank of America and they cannot get hired by us, the federal government.

MITCHELL: Maybe you should hire the kid who hacked into John Brennan’s—(laughter)—email instead of busting him.

Q: The FBI already hired him. (Laughter.)

JOHNSON: Look, I think you’re making a decent point. And I’ll speak for myself: if somebody comes to me and says I’ve never smoked a joint in my life or taken—or induced any illegal drug, I’d say are you sure you’re telling me the truth? (Laughter.) And that’s kind of—a moderate, minimal use is kind of within the range of normalcy, so—in one’s life experience—not recent experience; in one’s life experience. (Laughter.)

And I—you know, I think you’re making a decent point. I want to see us be creative, innovative, aggressive in who we recruit to come serve the country and support our efforts. And so, you know, there is the basic problem of competing with a lot of really sophisticated actors in the private sector. And again, I like to try to appeal to the patriotism of people in doing so, to come serve their country at least for a couple years and learn what you can about the government’s capabilities to carry with you for your entire career.

MITCHELL: Yes, ma’am?

Q: Hannah Arc (ph) at the Department of Defense.

Cyber is a dynamic, fast, nimble threat. Government is often seen as being large, slow, bureaucratic. So what are key changes that you think we need to make in order to either keep apace or abreast—ahead of the threat?

JOHNSON: Say that again? I’m sorry. The question—

Q: What key changes do you think we need to make as a government in order to basically become more nimble, more able to address a threat that’s so dynamic, so nimble, so fast?

JOHNSON: Heightened awareness and understanding among every Cabinet secretary and agency head across our entire federal government. That’s number one.

Heightened awareness among our workforce across the federal government.

Firm deadlines and timetables, like I’ve set for DHS, to get stuff done. We shouldn’t be simply reacting and responding to a crisis each time a crisis occurs.

And a continued—a continued commitment and focus. Be up on the latest technology.

And just making it a national priority. In my closing I said I came to this job believing that counterterrorism should be the cornerstone of the DHS mission. I now believe that—and I’ve believed this for some time—that, given the prevalence of it, cybersecurity—given the prevalence of attacks, which occur on a daily basis, hourly, cybersecurity, for our mission, needs to exist right alongside counterterrorism. It’s got to be a national priority. And if our leaders across government—not just federal government, but, you know, our military leaders, very—most often the people in the military, they get this. But if across our civilian leadership and state and local leadership we all make this a national priority, I think we can get a lot done.

MITCHELL: We have time for maybe two more questions. Yes, sir.

Q: Mr. Secretary, Jack Gocke, and I’m with Marsh & McLennan.

You’ve probably looked at this more than anybody, but when it comes to cracking the problem around cyber risk for the country, how do you think market forces can be harnessed better to solve the problem? What kind of cooperation do you think can be put in place with private companies to sort of crack the problem without going overboard on the regulatory side? Certainly the bills that are—you know, that are—that are before us will help, but what else could be done, do you think?

JOHNSON: There’s a—there’s a tremendous differential between the range of private actors in terms of sophistication level. The most sophisticated companies out there are really sophisticated, but you’d be shocked at the number of businesses out there with which we are all linked that are really basic and have a lot of learning to do.

So you talk about incentives—you know, supply-chain incentives, subcontracts. You know, in the subcontract you make your subcontractor guarantee to a certain level of cybersecurity. And a recognition that it is in everyone’s business interest not to have a basic theft of their intellectual property, their business secrets, their trade secrets, their employees’ personal private information. That’s not a hard calculus. That’s not something for which people should need a lot of education as something that is in their—in their business interest, to maximize shareholder value.

So I don’t think this is a hard case to make, but there is a lot of awareness that needs to occur in the private sector. It is not something that necessarily or even should be done by regulation. I think it’s in everybody’s interest to have a certain level of cybersecurity. You know, if you’ve got clients out there with sensitive information that you store or you’ve got, you know, trade secrets, you know, client list, the like, it’s a basic business interest to maintain the confidentiality and the integrity of that information.

MITCHELL: Sir, all the way in the back.

Q: Mr. Secretary, my name’s Charles McLaughlin from Censeo Consulting.

And I’m intrigued by what you mentioned about the NCCIC being the sole coordinator or portal from the federal government to the private sector. How do you envision—

JOHNSON: For cyber threat indicators, which is a very specific kind of information.

Q: Oh. Well, that’s a—that clarifies my question immediately, because I was—(laughter)—

JOHNSON: Yeah, it’s not—

Q: I was going to ask how other elements in the government that do that—

JOHNSON: Yeah, don’t misunderstand what I said. You know, for law enforcement purposes, for example, the FBI and its field offices are still going to have relationships with a lot of the public businesses around the country for matters of law enforcement. But with respect to cyber threat indicators, the way we and the Congress are setting this up, we want to encourage a single portal—it minimizes public confusion—through which this stuff passes and we share it with the rest of the federal government.

Go ahead, sorry.

Q: Well, what I was wondering about were other entities like the National Cybersecurity Center of Excellence under Commerce. Will there be increased coordination, perhaps, there so that the private sector knows that it’s through DHS that they reach these other elements in the government that are focused on the private sector?

JOHNSON: Yes. The answer is yes.

MITCHELL: All right. I think that’s all the time we have for today.

JOHNSON: One more question.

MITCHELL: One more question.

JOHNSON: I always regret it when I say one more question. (Laughter.) OK. Please don’t make me regret it.

Q: Well, hopefully I can fulfill your expectations. (Laughs, laughter.) So Karl Rauscher with the Global Information Infrastructure Commission.

So cybersecurity is obviously very important to the department, Mr. Secretary, and you are very well-informed and very articulate on the subject. And no doubt the department has tremendous resources and authority, and is also a default role model for many organizations in the private and public sector for what it does.

And my very specific question is about measures of success. Does your organization have very clear, quantifiable objectives that establish what success is going forward? And who sets those? And who is the organization accountable to? Thank you.

JOHNSON: With the passage of legislation last year we created the ability for me to issue what I referred to earlier: binding operational directives, which are very specific benchmarks for eliminating critical vulnerabilities. And my measure of success for my department with regard to just federal cybersecurity is how much of the federal civilian dot-gov do we have covered, how many intrusions have we blocked, how many suspicious actors have we detected, how many times have we sent a team out to do CDM, how many times have we sent a SWAT team out to the private sector. There are—I mean, unlike a lot of other areas of government policy, you know, like how many—how many terrorist plots have you stopped, this I think lends itself to a quantifiable—readily quantifiable set of metrics. And so, you know, again, it’s how much of the federal government do we have covered, how many intrusions have we detected, how many have we blocked.

And that number—the good news is that those numbers are continually rising. They need to rise aggressively, but those numbers are continually rising.

MITCHELL: All right. Well, our thanks to you, Secretary Jeh Johnson.

JOHNSON: Thank you. (Applause.)

(END)

This is an uncorrected transcript.
