Risk Management in the Internet Century
October 20, 2010 | Estonian IT College | Tallinn
Cyber Security: Protecting Our Virtual Lives
Ambassador Michael C. Polt
Good afternoon, and thank you for coming today. A special thank you to Rector Kalle Tammemäe for his invitation. Also, many thanks to Sigrid Tammiste for her efforts in helping coordinate today's event with my staff.
Let me begin with a short story about how I spent a recent weekend. My wife and I saw the movie "Wall Street: Money Never Sleeps." Entertaining fiction set against the backdrop of the 2007 financial market melt-down on Wall Street. The internet was one of the stars of the film (alongside Michael Douglas.) Viral messaging was used both to spread misinformation and ultimately, in good Hollywood style, the bad guys were punished using the net to spread the truth. I enjoyed the movie (and the comfortable seats at Solaris Center) and thought, what a good way to lead into my comments today.
The world dodged a big bullet when the financial bubble burst and in real life, not just the movies, the internet was actually involved. As we continue to lift ourselves out of near economic disaster, what must be addressed, seriously and together, is the protection of the openness and freedom of the internet, as well as guarding against abuse and attacks through cyberspace.
I am pleased to see many students here today. You should really be up here talking and I should be listening to you in the audience. When we discuss cyber space, young people are not the hope for the future. You are the main players in the present and an integral part of the solution to the threats to our digital infrastructure. The role you play today in shaping and securing our information systems is defining a new revolution in human progress.
Revolutions are always about opportunity and risk. America's political revolution in the 18th century was certainly a risky undertaking. So was Estonia's quest for renewed independence in the late 20th century. Both risks paid off -- big! We all know that revolutions, however bold, start off as fragile undertakings. They need defenders.
The Estonian IT College is one important member of the Cyber Defense Community - a community of defenders, both inside and outside Estonia. As we continue to expand and protect cyber space, we will want to expand this circle of responsible actors. The IT College is part of a growing circle -- a unique, collaborative effort initiated by the government, academia, the private sector, an industry association, and a long and impressive list of donors and contributors.
Comprehensive and free use of cyber space involves breaking down the barriers that restrict cooperation, across sectors, across national and regional boundaries, around the globe, and within our own governments. Once these barriers are down, both good and bad things can enter the system. Allowing all of one in and keeping as much as possible of the other out is what I came to talk to you about today: "Protecting our Virtual Lives."
I will not pretend to impress you with my technical knowhow on cyberspace issues, because I can't. I am not an expert. I am certainly not a computer geek. But I am an IT groupie, a fascinated consumer of cyber space products and I want the revolution to continue. I know that there are serious threats out there, and I also want to be a cyber defender.
As American Ambassador, I bring to the table a diplomat's knowledge about making policy, building cooperative networks, exchanging ideas and experiences, raising public awareness, and encouraging action. And I believe that I have the people skills to make a convincing argument for both the free use and the protection of the most important innovation to affect society since the invention of the printing press.
As an enthusiastic consumer, I, like most of you, represent the single largest interest group in the cyber community.
So what are these much talked about threats to what we call cyber space? For many, it is still an abstraction, and that's not just among folks of my generation.
Many people of younger generations who have grown up interacting with new information technologies do not understand the nature of these threats either. Disruption of or denial of access to cyberspace has many facets, and these are not just measured in monetary terms, but also constitute a threat to the very values that our societies hold dear.
As open, democratic countries we rely on the free exchange of information.
This is also a central element of our market economies. Web-based commerce and communication, e-governance, and the wholesale conversion of our societal infrastructure to e-services hold the key to our future prosperity.
Yes, this revolution is that dramatic a change.
The amazing gains made by Estonian society in the past two decades would not have been possible without the aggressive application of new information and communications technology. In the United States, during the 2008 Presidential election, and then in Iran in 2009 following their Presidential election, we witnessed the profound impact that the internet and social networking have on civil society, on the way we express our opinions, or gather to support a cause.
On the one hand, new technology enabled people to achieve a positive, democratic goal through even better, more efficient means of communication. On the other, sadly, new technology only allowed them to give voice to their suffering.
While many courageous Iranians were able to share images and experiences of what was happening to them during the Regime crackdown, Iranian authorities, through their repressive control of the information infrastructure, were able to use the same technology to track many of them down and silence their dissent.
As Secretary Clinton noted in her speech on internet freedom in January of this year, new technologies have so much potential to open access to government and promote transparency, but repressive governments can also hijack them to crush dissent and deny human rights. And terrorists are exploiting new technologies -- to spread their hateful ideology, gather new recruits and raise funds.
Technology itself is neutral, but the environment we create for its diffusion and application is not. Our Secretary of State was very clear in drawing a line between what we will do to uphold our principles of freedom of expression and freedom of assembly in the digital age; and what we must do to secure and safeguard our information networks so that governments and citizens the world over can have confidence in these systems on which so much of our daily life depends.
It is up to us, collectively, to ensure that our information systems remain engines of growth, incubators of innovation, and enriching environments for our education and entertainment.
In addition to all of the material damages they wreak on our cyber infrastructure, cyber criminals destroy the trust that is a necessary component of information systems.
Estimating the monetary damages of cyber crime is proving to be a daunting task. Last year the McAfee Corporation, a U.S. software firm, took a stab at calculating the global costs. The estimated cost to corporations alone was as much as one trillion U.S. dollars. That incorporated losses due to theft of intellectual property and the expenses needed to repair the damages from security breaches.
The McAfee survey collected input from 800 chief information officers from businesses around the world, but was still only little more than an educated guess.
On a scale that is a little more imaginable, the U.S. Ponemon Research Institute and the cyber security firm ArcSight, produced a study this year that attempts to calculate the average costs to a company or organization in the U.S. from the damages caused by cyber crime.
They surveyed a mix of 45 medium and large businesses and organizations from a wide range of sectors and found that on average, a variety of cyber threats was costing each of them 3.8 million dollars per year. And this figure really only addresses the resources used in response to attacks on their systems. It doesn't fully capture the dollar amounts of resources used in prevention.
Of course, the individual scope and damage caused by these attacks varied widely, from one million to as much as 52 million dollars. But at least this study is a first attempt to put a realistic price tag on cyber crime. For many of our largest government agencies and corporations, the number of probings, penetrations, scannings, and outright theft are measured in the thousands per day.
Our Deputy Secretary of Defense recently shed a little light on the challenges faced by the Pentagon. Last month, in an article in the journal Foreign Affairs, Deputy Secretary William Lynn pulled back the curtain a bit to reveal the extent of the damages caused by a security breach on a network run by the U.S. Central Command. This attack compromised both unclassified and classified networks and resulted in the transfer of data to networks under foreign control. Fortunately, this breach, emanating from a base in the Middle East, got the Pentagon's attention. Sustained, focused efforts to establish more robust security have been instituted, but when you are responsible for 15,000 networks comprised of over seven million computing devices spread around the world, it is extremely challenging to maintain a proactive security posture.
The threat is changing and improving as fast as the technology changes, and in a few cases there is not a great distinction between an adversarial country's intelligence agency and the organized criminal elements that carry out a large part of the financial fraud on the web.
Much closer to home for Estonia was the attack that targeted the Royal Bank of Scotland's Worldpay system in November 2008. This is a case that demonstrates the global complexity of cyber crime, but fortunately, it also holds up a great example of what needs to happen if we are to successfully combat cyber crime, both in terms of disclosure from victims and in the areas of cooperation among the private sector and law enforcement within our borders and beyond.
Within the span of a single 12-hour period, a group of cyber criminals from Russia, Estonia and Moldova along with co-conspirators in the U.S., Ukraine, Italy, Japan, Canada and Hong Kong, stole more than nine million dollars from 2,100 Automated Banking Machines (ATMs) in 28 countries. They would have stolen more, but many of the ATMs simply ran out of cash.
Prompt reporting of the security breach by RBS and the immediate response of the Estonian Central Criminal Police ensured that valuable, time-sensitive evidence was not lost or destroyed. The close and continuing cooperation among RBS and police in Estonia, the Netherlands, Hong Kong and the U.S. Federal Bureau of Investigation and the Secret Service has guaranteed that these criminals will pay for this crime.
Recently, close international cooperation between law enforcement agencies thwarted another group of cyber criminals in Ukraine from amassing a target of 220 million dollars. Instead of attacking a large corporation with extensive security measures like RBS, these criminals painstakingly built a network to target small and medium-sized businesses which are less likely to have such a robust security posture, such as the Catholic Diocese in Des Moines, Iowa. Before they could be stopped, they had already stolen 70 million dollars. Unfortunately, only a small percentage of this money is ever likely to be recovered.
So much for businesses and corporations. But how much does cyber crime cost the U.S. or Estonian individual taxpayer? We don't really know.
The damage from cyber crime is initially covered by businesses as a "routine" expense, but of course these added expenses are eventually passed on to consumers in the form of higher prices and fees. Add to that the increasing amount of resources we are dedicating to protecting our systems, detecting intrusions and repairing damages.
Here, too, we currently lack the tools for any accurate assessment of what this is costing us. This is a shortcoming that must be addressed, whether through mandatory reporting required by new legislation, or better yet by expanded efforts to provide incentives for consistent reporting of losses on a voluntary basis.
I know that incentives work better than penalties, but we need to ensure that the data we collect is uniform if it is to be of reliable use to policy makers.
As both of our countries are parties to the Council of Europe's Convention on Cybercrime, this is an area that we should emphasize as we look to ways to enhance this critical document, making it more relevant, and more widely adopted.
Like-minded partners such as the United States and Estonia routinely promote a shared global vision of cyber security that seeks to guarantee the promises of information technology for the betterment of our societies.
That stands in sharp contrast to those governments that would use new technology to restrain individual expression and initiative and also foster a system completely lacking in transparency that would at the same time give sanctuary to cyber criminals.
A key factor that complicates our response to cyber threats is our relentlessly growing dependence on the internet for so many of our critical day-to-day activities.
What essentially began as a communications tool for researchers is now managing such vital systems as our electricity and transportation grids and other strategic elements of our infrastructure. The internet is transforming our lives most positively, but not always with another net -- a safety net - in place.
Security measures have not kept pace with the rapid expansion of services and capabilities to which we have applied information technology. There is the ever-present need to weigh costs against benefits, and cyber security is no exception. In our impatience for instant results in everything we do, security has often been on the losing end of the equation. Secure networks are slower than insecure ones. And even secure networks are actually risk-managed networks.
A completely secure network would hardly resemble much of a network.
So we are seeking to manage risk rather than to achieve absolute security. What then is an acceptable level of exposure? What threats can be countered easily through better system administration, better end-user education? What types of threats will require us to make much greater investments in protection?
And ultimately, what kind of redundant systems must we build in order to maintain essential operating capacities in case of disruption? Some experts argue that we will need to consider having the backup ability to step back from our state-of-the art technology to less sophisticated ways of conducting our 21st century lives.
In short, if a successful cyber attack denies us access to our most advanced systems, we should not be hacked back to the stone age altogether, but should at least be able to limp along with last century's technology until we get the good stuff back up and running.
That is certainly a U.S. national security requirement, which dictates that operational military and diplomatic resources are designed in a way that prepares us to function in what we call a degraded information environment.
There is much thinking and some acting on these challenges already ongoing, including of course in Estonia and the U.S.
Your institution, the IT College, with already a decade as an early leader in the field under its belt, will soon have a welcome added emphasis on cyber security in its curriculum. There is also a diverse array of initiatives to bring the public and private sectors together to address security issues. In this century, we no longer address human generational change in a timeframe of decades, but in years or even months. This adds more than a bit of urgency to our response.
Estonia has experience with both the bad and the good in the cyber world. You have been attacked and you have responded and safeguarded your systems. The historical milestone of the 2007 cyber attacks that disrupted your banking and other services was a politically-motivated attack directed at a state's critical information infrastructure, and a wake-up call for all of us.
For Estonians, it was an assault on the Estonian way of life, your e-lifestyle, if you will. Three-quarters of your population use computers and the internet, and 99 percent of banking is done online. You have enshrined access to cyberspace as a social right. Rather than showing on a map the places where you can connect to a Wi-Fi network in Estonia, it would be easier to mark the relatively few places where you can't.
Next March, Estonians will have a chance to vote electronically for the fifth time in as many years. And just to show off to the rest of us, I am sure some of you will probably cast your ballot over your mobile phone while cross-country skiing in a remote, snow covered forest with excellent connectivity.
Estonians also appreciate better than most that with the strengths they enjoy from their high degree of connectivity come vulnerabilities. Your Cyber Security Strategy is sound -- clear and concise -- with well-defined responsibilities apportioned where they need to be. The Cyber Security Council brings all the right agencies together with key stakeholders from the private sector.
And the Estonian Informatics Center, the National Computer Emergency Response Team, and the Critical Information Infrastructure Protection Branch all round out a comprehensive team to provide a robust network to monitor Estonia's cyber space. Another innovative element of Estonia's Cyber Security Response is the Kaitseliit's Cyber Defense League.
Its ability to respond in a flexible manner, either as part of Estonia's Defense Forces or as part of a civilian response, makes it an important additional element in Estonia's cyber security. Your Cyber Defense League has already exercised its impressive capabilities with the National Guard of our State of Maryland.
Estonia's internet applications, and its cyber policy and defense are of course aided by your compact size, and the immediacy of interaction among your key players. Scaling your experience up to America's size is something we want to continue to examine. Estonia is an excellent "laboratory" for assessing how well new IT applications and security measures will work, and there are many lessons we can learn from your experience.
For example, we are closely watching the developments of the Estonian e-health program. As the Ministry of Social Affairs, along with medical professionals and patients, deals with your innovative system, we hope to learn how we might apply some lessons in implementing our own e-health system. Your Minister of Social Services will soon discuss such cooperation during his upcoming visit to the U.S.
Equally important is Estonia's ready sharing of e-governance experience with other countries, with those that are developed and developing, as well as many that are emerging from conflict or an authoritarian past.
President Ilves rightly noted in his speech to the UN General Assembly last month, that the more widely we promote the use of information and communications technology as a means of improving public services, and the more aggressively we strive to reduce the digital divide, the greater will be the gains we make in achieving sustainable economic development and meeting our global development goals.
Estonia's approach to cyber security should also play an important role in its development cooperation, and I hope the newly established Eastern Partnership Academy will present some opportunities to share this expertise.
Within the European Union, E-stonia is playing an active role as well. Perhaps all EU citizens will one day have a fully capable electronic ID card like the one carried by each of you. I must admit that on this point, however, prospects for a similar approach in the United States are far less likely. We have strong opposition to a nation-wide ID card as citizens jealously guard against too much personal data being stored on government-accessible servers, no matter how potentially beneficial. We marvel at the Estonian willingness to interact with their government with such trust.
This special relationship and its associated hard- and software are definitely something we want to learn more about.
NATO allies and EU members are natural partners in the use and protection of cyber space. At the NATO and U.S.-EU summits in Lisbon next month, cyber defense will be on the agenda.
A group of experts, chaired by my former boss, Madeleine Albright, has made cyber defense recommendations for a new NATO Strategic Concept, specifically calling for the Cooperative Cyber Defense Center of Excellence (CoE) here in Tallinn to play a greater role, through training, and in improving NATO members' cyber defense programs. I could not agree more and would like to see more of the Center's research being brought into the operational realm.
I like a lot of what I see happening at the Cyber Center, especially the work being done to address the legal aspects of cyber conflict by Ms. Eneken Tikk and her team. On the operational side, Cyber Center scientist Kaur Kasak managed an international cyber defense exercise in May with over 100 experts from seven countries that simulated a cyber terrorist threat to electricity plants. I also think the Cyber Center's cooperative program with its many contributing partners, from SEB and Symantec, to academic institutions and several non-NATO member countries, is another great example of the types of collaborative mechanisms that we need for a comprehensive strategy on cyber security.
I am pushing hard to have the U.S. become the 9th sponsoring nation of the Tallinn Cyber Center. It is high time for us to make good on this commitment made by Defense Secretary Gates here in Tallinn back in November 2008. We have of course already been actively participating in the Center's work since 2007, with an outstanding member of our Navy's Criminal Investigative Service contributing his expertise.
We are now at another critical juncture in forging an Alliance approach to cyber defense. With NATO's new Strategic Concept just around the corner, we will soon begin translating it into concrete action. We need to be at the table with you here in Tallinn, and work to attract other allied nations as well, to help guide the Center in a direction that fulfills its potential and helps us achieve the 21st century security the Alliance needs.
In May 2009 President Obama declared our nation's digital infrastructure to be a strategic asset, and charged the U.S. Government to create the means, "to deter, prevent, detect, and defend against attacks." Our government gears began to shift a bit harder after that.
With our Cyberspace Policy Review and another report from the prestigious Center for Strategic and International Studies in hand, we began to put even greater effort behind the Comprehensive National Cyber Security Initiative launched under President Bush.
In December, President Obama appointed a new U.S. Cyber Security Coordinator.
Situated in the National Security Council, his task now is to ensure that we address cyber security in a coordinated effort among a wide array of agencies and non-governmental actors and within all of the diverse sectors where we must confront cyber threats.
Policy formulation is the main arena for the Cyber Security Coordinator, and he is working to bring clarity to the division of labor between our defense, homeland security, foreign affairs, intelligence and law enforcement agencies.
In the U.S. Congress, there are several bills under consideration aimed at securing our cyber infrastructure. Some are aimed at updating and clarifying how we will protect critical infrastructure and respond to emergencies. Others have more of a focus on raising awareness and fostering the continued expansion of a highly qualified cyber security workforce. They all contain many necessary improvements, but some may have unintended consequences. The debate on these issues is critical, and urgent.
Our military's new Cyber Command, consisting of the four main components of our armed forces and headquartered at Fort Meade, Maryland, has become fully operational this month. It is tasked with defending the information networks of our Department of Defense, and has been given the mission to conduct the full range of military operations in cyberspace to ensure U.S. and allied freedom of action and to deny the same to our adversaries in times of conflict.
But when it comes to cyber security, I am frankly a bit less concerned about our defense establishment's response. I think they have a well-developed appreciation for the threat, especially after the attacks here and in Georgia, and the myriad assaults on their own networks. They have adequate resources and the proper authority to act to secure our tactical and strategic networks.
I am actually more concerned with what I'll simply refer to as the civilian side of the picture. We must look at cyber defense in a "whole of government," or better an "all of society" context, where the private sector and the security agencies of our government work together intensively to secure our private sector infrastructure as well as our defense industrial base.
In an effort to more closely coordinate our full national emergency response capabilities, our Department of Homeland Security (DHS) has established the National Cybersecurity and Communications Integration Center. This will allow us to respond in a more rapid and unified manner to cyber incidents. DHS will also focus on industrial control systems.
Another program that seeks to bring the private industrial sector together with federal authorities is the FBI's InfraGard. This organization is a public-private collaboration that is addressing the growing need for cooperation on cyber security between law enforcement and the private sector, particularly within the industrial sector. It has now grown to over 40,000 members in chapters throughout the United States.
The commercial sector isn't the only focus of our law enforcement communities' efforts to create a comprehensive approach to cyber crime. They are also trying to bring in the public, consumers and end-users. One great way to capture this audience and gain their cooperation is through collecting their online experiences.
The Internet Crime Complaint Center - IC3.gov on the internet -- is a collaborative effort between the FBI and what we call our National White Collar Crime Center, a non-profit membership organization comprised of state and local law enforcement agencies from across the U.S. and from many other countries as well. The Complaint Center collects and analyzes complaints from a wide variety of sources.
The FBI shares this analysis with partners around the world to help spot emerging trends in cyber crime.
In early 2010, IC3 analysis played a critical role in helping to stop an organized gang of cyber criminals in Romania who were defrauding individuals over the internet in the U.S. and elsewhere.
Through the close working relationship between the FBI and the Romanian police, IC3 provided detailed information of over 600 cases of fraud perpetrated against American citizens by this gang. This intelligence helped Romanian police bring 34 cyber criminals to justice.
But our best plans will not be effective unless we put them to the test in exercises, realistic training and simulations.
A wide range of actors are fulfilling this need from the U.S. Defense Advanced Research Projects Agency, or DARPA, that actually "invented" the internet several decades ago, to many academic research institutions and our Department of Energy's national laboratories. Cyber Storm, a biennial exercise mandated by Congress, is the most extensive exercise that puts our National Cyber Incident Response Plan to the test.
Cyber Storm III just took place last month, and will no doubt inform our future planning and preparation. Seven cabinet-level departments, eleven states, twelve international partners, and over 60 private sector partners participated in this exercise. It's an impressive collaboration, and I see only one shortcoming: Estonia was not part of the exercise. I want to fix that before Cyber Storm IV in 2012.
But we are already doing a lot together with you here in Estonia. Our law enforcement cooperation will be enhanced further this fall with the opening of our new U.S. Secret Service Office in our Embassy. With its focus on financial crimes, the Secret Service will add a new element to our efforts to cooperate with Estonian authorities to combat cyber crime and internet fraud.
A strong history of exchanges between the Estonian Central Criminal Police and the FBI has already borne fruit. We look forward to helping Estonia as it seeks to establish a first-class forensics lab that will enhance its ability to gather digital evidence in a timely manner.
Collaboration on security issues, including cyber, between our Embassy and American businesses operating in Estonia takes place in our Overseas Security Advisory Council, or OSAC. Our Embassy security and other U.S. law enforcement representatives are working with our colleagues at the American Chamber of Commerce to put renewed emphasis on this partnership.
We must boost our cooperative efforts, and at the same time break down the existing barriers that prevent us from working together more closely. There are a lot of great initiatives out there -- bringing together specialists from across borders and from diverse government agencies -- linking them up with private industry from a variety of sectors and civil society groups. Your institution is a great example of such an effort.
The private sector, academia and the government all have an important role to play in fostering the creation of a well-educated cadre of cyber security professionals. The U.S. government sponsors educational opportunities for students interested in digital infrastructure issues through what we call Federal Cyber Service's Scholarships. Similar efforts are at work in Estonia between leading institutions.
I am pleased to hear that the IT College will be putting even more emphasis on cyber security in its curriculum, and that the collaborative cyber security Master's program between Tartu University and Tallinn Technical University will equally add to the pool of skilled cyber professionals.
Protecting our virtual lives requires a common understanding, a common threat perception and awareness and common action to defeat cyber attacks. This month, October, is National Cybersecurity Awareness Month in the United States.
I have taken a look at what's out there in my country in terms of awareness campaigns and initiatives.
My conclusion -- we need to put more effort into making our outreach on this issue more engaging and more relevant, and targeted to multiple audiences.
A message that resonates with young professionals will be quite different from the one we need to reach teenagers, or people my age. We'll need to engage the pros in reaching these audiences.
It certainly wouldn't hurt to bring in a celebrity or two. There is no shortage of actors and actresses who have played very compelling roles as hackers or agents battling cyber criminals. One of my first favorites of that genre was "The Net" with Sandra Bullock. We could also use some great public service programming on e-literacy across the board, something like putting LOTTE on the job against cyber crime.
The American academic community is answering the call to action on cyber defense. An enduring relationship between Carnegie-Mellon University in Pennsylvania and many of our key government agencies has paid rich dividends. Carnegie-Mellon and its Software Engineering Institute, is home to the Computer Emergency Response Team Coordination Center. And another close affiliate, Carnegie-Mellon's CyLab, is also engaging in cutting edge collaborative research to lay the groundwork for enhancing our cyber security capabilities.
As a National Security Agency-certified Center of Academic Excellence in Information Assurance Education, it is playing a key role, along with over 120 other academic institutions, in producing new generations of cyber security professionals.
In the end, the real challenge of the internet century is not fast changing technology, but its impact on more slowly changing human beings.
Change is a fact of life.
Our parents had more time to adjust to the changes of their era than we do today. Our children will have even less. Slowing down, while sometimes hoped for, is not a realistic option. Using the most sophisticated technology on our planet, the human mind, alongside the machines we create to reshape our world for the better, is. The future is just beginning.