U.S. Department of State

Diplomacy in Action

Cybersecurity Update

Christopher Painter, State Department Coordinator for Cyber Issues
Washington, DC
October 18, 2011


MR. PAINTER: Thanks, and thanks for coming here today. I wanted to do two things. The main focus I wanted to have today is on something that we’re doing in the U.S. but also something we’re working with countries around the world to either emulate or to try to make sure we’re coordinated, and that is something we call – and this is October – National Cyber Security Awareness Month. So it’s all month. It’s the month of October, and it is a particular time for us where we try to engage the government, the private sector, and the everyday user, I mean, people around the country, and really focusing more on this issue of cyber security and what they can do about it.

The particular theme for the last several years – and this is the ninth year we’ve had National Cyber Security Awareness Month – is that this is a shared responsibility. It’s not just a government responsibility, it’s not just a private sector responsibility, it’s not just an individual responsibility, but it’s a shared responsibility because all of us have a role to play in this. And our Department of Homeland Security has done quite a lot of work in this area and is doing events all month long to really resound this theme.

Other countries as well at different times during the year have been doing this. Canada, I believe, is doing it this month as well. Other countries are looking at the same sort of focus and messaging. In part, I think that reflects a growing understanding of our reliance in the world on cyber technologies and for really everything we do in life, for everything from financial transactions to working and to talking to each other and social interactions, and I think also a growing awareness of the possible vulnerabilities out there, the criminal and other actors who could be attacking those systems, and the real challenges that they pose.

Back in the U.S. a couple of years ago now, back in May of 2009, President Obama gave a speech calling the cyber security issue one of the greatest economic and national security threats that we face as a nation. Similarly, many other countries around the world have – now have cyber security strategies, including the UK and Germany and many, many others, the Netherlands and many others. And I think many others are looking at how they’re going to organize this issue, recognizing it’s not just a kind of technical issue but much more of an important policy issue.

That was also highlighted – and I think the last time I came and talked to folks here was when we released our international strategy for cyber space. And this was, for the first time, trying to tie all the different issues in cyber space together, not just cyber security or cyber crime, but also internet freedom, internet governance issues, economic issues, all under one framework that we’re trying to achieve an open, interoperable, secure, and reliable information and communications infrastructure, not just here in the United States but around the world. And when Secretary Clinton launched that strategy, she said in her speech two things that I think are very important to resonate here or to repeat here: one, that this basket of issues – cyber security, cyber crime, internet freedom, governance, all those issues together – are a new foreign policy priority for us and a new foreign policy imperative; and two, that this will require patient, persistent, and creative diplomacy to try to build a consensus of countries around this issue.

So the two things I really want to talk about is, first, what we’re doing here in this National Cyber Security Awareness Month and working with countries – the EU and other countries around the world – to have that similar level of awareness. And I think that’s critically important. And I think that reflects one of the core values that’s in our international strategy and in our discussions with other country partners, too, which is the multi-stakeholder nature of the internet, that it’s not just a government issue, it’s not just run by governments, but the private sector and the civil society have to be involved. And that multi-stakeholder model is what allowed the internet to succeed and to thrive for both economic reasons and for social reasons. And if you think about all these different issues – the economic innovation and the economic growth and the social innovation and the free flow of information at the top of a pyramid, and security and protection from crime and protection of privacy are all on the base of the pyramid, they are all of the foundational things that allow that to happen.

So as we are now in October, it’s important to focus on how we can engage all those different stakeholders both here in this country, but I think it’s imperative for every country around the world to think of how to engage those stakeholders to think about this issue and to protect their networks and to make sure that this incredibly transformative technology continues into the future.

Now, the other thing I wanted to mention briefly is that when I last talked to, as I said, the international strategy had come out. We – Secretary Clinton created my office, the Office of the Coordinator for Cyber Issues, that just began work in the end of February. I think we had handed out a fact sheet about that to you today. The point of that office is to coordinate throughout our Department of State all the different strands of internet policy, whether it be the economic issues and the governance issues or the cyber security and other issues, and put them together and to really lead our global diplomatic engagement to make sure that we are taking forward the important work of working with other countries to make sure that this vision of cyberspace is open, interoperable, secure, and reliable cyber space is the one that prevails, and that we have the kind of growth that we’ve seen before.

One of the key parts of that is to take forward work in the development of norms, to make sure that – and the discussion of norms in cyberspace. And so we laid some of those out in our international strategy, and they include ones that are unique to cyberspace and ones that are not. So the ones that are not are things like upholding fundamental freedoms, respect for property, valuing privacy, protection from crime, the right to self-defense. All of those would apply equally in the physical world to how they would apply in the cyber world. And then there are ones that are more unique to this environment, like global interoperability or network stability or reliable access or this multi-stakeholder governance model that I discussed or states taking actions to increase their cyber security.

So all of those different issues – some of the issues, I think there are some pretty developed ways of thinking about, like cyber crime. There is something called the Budapest Convention, which many countries have signed or are emulating its provisions, to try to get laws around the world to be more compatible, make sure you have a floor of laws and an ability to communicate and to cooperate among countries. But others of these areas that are not very developed, the discussion is not very developed. So it’s critically important that we have this discussion of norms in the international community, that we use this patient, persistent, and creative diplomacy to engage with other countries around the world to make sure that we are advancing this vision.

On that score, I’d just note a couple of things that have happened since that has come out. One is the G-8 Leaders Declaration that happened after the Deauville Summit, and that featured the internet very prominently as part of the declaration and really had all of those components in it. It talked about free flow of information and social aspects. It talked about governance. It talked about security. And I think that was a very important document.

Another is the OECD issued a communiqué with internet policy-making principles. So it’s centered on this idea of the multi-stakeholder governance system. And we’ve also been working in other forums around the world. And as I think many of you know, Foreign Minister Hague is holding a conference in London soon to talk about all of these cyber norms and how we can really begin a discussion and build consensus around this area as we go forward.

I think this is something we’ll be discussing for several years. I think this is an important topic that’s become ever more important both in our government and other governments. And so I think there’s a lot of work to do, but I see substantial progress already being made.

So with that, I’d like to open it up to questions, talk about some of these specific issues.

MODERATOR: As we move to the Q&A portion of the event, please state your name and publication for the transcript and wait for the microphone, which could be coming from either side.

QUESTION: Thanks, Mr. Painter. Eric Weiner, Tokyo Broadcasting System. Thanks for taking time and coming here. What level threat do countries like China and North Korea pose? There’s been – seems to be an increase in state-sponsored cyber attacks on this country and others. And what is the State Department doing to help counter those threats?

MR. PAINTER: So I think President Obama said back even now two years ago that we’re facing a range of different threat actors, everything from sophisticated criminal groups to nation-states to the possibility of – although, we haven’t really seen this yet – cyber terrorists. We’ve seen terrorists using the internet to communicate, but actually to launch attacks is a different matter. But all of those different threats are facing us. One of the problems in cyberspace is attribution. It’s difficult to find out who is attacking you. It’s difficult because of the way the internet is constructed to do that, which makes it very unique and very challenging. So this has been an all-of-government approach.

First, you have to harden your targets. You have to have better security. So it doesn’t really matter what kind of attack that you’re – or what kind of intrusion you’re facing. If you have better security, you’re repelling that.

Second, I think, is to begin – and this is where the State Department comes in – having an engagement, a constructive engagement with countries around the world, both countries we agree with and countries we don’t agree with. So I won’t single out specific countries, but we are, in a very robust way, engaging with countries all over the world. We’ll be engaging with countries at this conference in London. We’ve been engaging countries in the OECD and others, both likeminded and not likeminded countries, because it’s important to begin to build some understanding, build some transparency, and begin building that trust.

So for some countries, we’ll be building what they call confidence-building measures, and there’s been works done on that, for instance, in the OSCE recently. For other countries, it’s going to be rallying around likeminded countries around what the rules of the road should be. And that, I think, has a lot of force, because if a country is outside of that range, over time, that’s going to have an effect. And we’ve seen this in other areas. We’ve seen this, for instance, in money laundering. At one time, many countries were turning a blind eye to that; but over time, you build a global consensus, and that changes the playing field. So State has been working very hard on those issues.

MODERATOR: Okay. We’re going to take a question from New York. Please go ahead, New York.

QUESTION: Hi. This is Chen Weihua from China Daily. I want to ask a related question. Actually, there is being, from time to time, accusation from U.S. congressman about cyber espionage from China, but I haven’t heard much talk from the Administration. So – but some say that actually the noise from the Congress is motivated by some interest group who tried to push for their own software agenda in the U.S., actually that could endanger the privacy of the U.S. citizens using China or maybe country Russia as scapegoat. So what’s your comment on that? Thank you.

MR. PAINTER: I said I’m not going to comment on any particular country or their activities, but what I will say is that I think the threats are real and I think the threats are serious. And I think we have to take it upon ourselves, both our country and others, to look at those threats, look at the source of those threats, and look at what we can do to try to reduce them.

I don't think that our Congress is using this as a stalking horse for software or other issues. I don't think that’s what’s happening. I think there’s a legitimate concern in the Congress, in the Administration, and in other countries around the world about this issue because we are so dependent on these technologies that it’s very important. So I think that that’s something we are all looking at and the threat is real across the board.

QUESTION: Hi. My name is Charlotte Harder. I’m from Danish Broadcasting. I did read a story in the New York Times with great interest that it was actually considered, concerning both Libya and when one was to get bin Ladin, that one would use cyber techniques in these wars or these operations. Can you in any way comment on that, if the technology is now so developed that it’s actually a question of time when the U.S. will use this as an actually weapon?

MR. PAINTER: So I’m not going to comment on any specific story or use of that. What I’ll say is this: I mean, I think we have to be prepared, and we have to be prepared defensively as well. I think we laid out in the international strategy that there is – we reserve the right to use whatever tools we have in our arsenal to respond to a sufficiently serious cyber incident. But that requires a couple things: It requires attribution; it requires a lot of predicates. But we said we would use diplomatic tools, we’d use economic tools, and we’d even use military tools, but only as a last resort. And I think that’s important to understand the context to that, and that’s laid out in the international strategy, too. So I think we have to make sure we’re adjusting the realities, but again that highlights the importance of some of the defensive measures we need to take.

MODERATOR: Okay. We’ll break away, take another question from New York. Please go ahead, New York.

QUESTION: Hello. This is reporter Guangjin Cheng with China Daily. There was an article in the spring’s Strategic Studies Quarterly which envisioned a cyber war between China and the U.S. in 2020 and which lasts for about two months. And it is actually a competition in the Asia Pacific area. So do you think, is there a possibility that a cyber – a large-scale cyber war will break out between the two countries? And if there is a such war, what will be the possible causes? Thank you.

MR. PAINTER: So, again without commenting on particular countries and how this might work, I think that the – our job is to avoid any kind of cyber conflict. First, I don't think you would have a cyber conflict outside of a normal conflict. I don't think that that’s likely to happen. But in any event, I think the work that we all need to do is to build this understanding, this international understanding, so you don’t have a cyber conflict. People talk a lot about cyber war. Frankly, I don't think we’ve really seen it, or to the extent we’ve seen it, I think it’s much more over-emphasized in terms of the threats that we’re actually seeing out there.

So yes, it’s a concern. Yes, we have to build this understanding between nations. One way to do that is to do these confidence-building measures, to have – to sort of build confidence with countries who maybe don’t talk to each other all that much to say, “Well, let’s exchange strategies. Let’s exchange information between our CERTs.” Let’s think about how we can build that confidence over the long term so you never get to this point of a cyber conflict down the line or even a larger conflict. So I think that’s our ultimate goal.

And I’d also say that one of the things we see is countries are becoming very interdependent – interdependent in the whole range of different issues. So that plays into this too. But I think focusing on some of the things that we can do defensively, some of the things we could do diplomatically to make sure we have this dialogue going – the whole point of that in the long term is to build that sense of community, to make sure these rules of the road are there, so that people don’t – so you don’t have that kind of eventuality.

QUESTION: Hi. It’s Xavier Vila, Spanish Public Radio. How do you build confidence with countries that are – they are accusing the U.S. and Israel to build a worm or a computer virus as to put down the whole atomic installation that they may be building in a nuclear plant in Iran. How do you talk with these countries? To what extent it’s possible to build confidence with them?

MR. PAINTER: So I think let’s take this out of the cyber realm entirely. If you think about in the physical realm, there are certainly countries we agree with and there are certainly – there are countries we don’t agree with, and there are countries in between. That’s true in any endeavor. That’s true for every country around the world. In this area, I think it’s important to begin that dialogue. There’s obviously countries that are closer to us in our views, but we need to have that discussion with countries that are not.

We believe that the future, the vision that we put forth in this international strategy, this open, interoperable, secure, and reliable future, is not one that just benefits the U.S; it’s one that benefits the entire world; that there’s no country around the world that ultimately will not benefit from that in an economic sense and a social sense; and that if you try to have a different vision, if you think about a Balkanized internet or if you think about a governing system that’s driven by the government without input from these other stakeholders, at the end of the day that hurts you, not just it hurts you in terms of a cyber sense, it hurts you economically and socially. So I think that’s the discussion we want to have, and we’ll have it with countries around the world.

MODERATOR: Back there.

QUESTION: Hi. Tolga Tanis from Hurriyet. Some cyber activities may threaten the stability in some countries like Turkey, and I’m wondering if those countries is – are asking an assistance from State Department to handle those kind of activities.

MR. PAINTER: So, again, I won’t comment on any particular country, but I will say that one of the things that we think is important is that the greater international cooperation generally, both in terms of the policy development, the kind of international policy development, but also in really operational and practical terms. So I mentioned cyber security awareness; I mentioned our Department of Homeland Security and US-CERT, which is a core part of the Department of Homeland Security which helps the watch and warning within the U.S.

There’s a lot of outreach they do to a lot of different foreign countries around the world. There’s a lot of institutions that have grown up to have that kind of technical cooperation between countries. There’s a lot of law enforcement cooperation, and that’s something I think we’ve seen increase significantly over the years. One part of my, I guess, past life is I was – or I still am – chair of G-8 high-tech crime group that has a 24/7 network that now has about 55 countries in it. And that’s meant to increase cooperation to allow very quick, real-time requests for data, given the way these cases work, so you can actually track down attacks or intrusions into your systems or other uses of electronic evidence.

The more we can bring the world closer together to have that kind of both operational cooperation and the policy cooperation, I think the better off we are. But that is happening. So again, it will depend on the country, it will depend on the event, and it will depend on what’s available, what data is available. But there’s a lot of operational cooperation going on. I think we’re trying to encourage more of it.

QUESTION: [Follow up to previous] (Inaudible.)

MR. PAINTER: No. Well, I’m at the State Department, and I work on a lot of the policy issues there. We have a whole structure within our government so that our Department of Homeland Security plays the lead role in terms of protecting our government systems and working with our industry. So they try to share best practices and work with other countries on that technical issue with CERTs. Our Federal Bureau of Investigation, our Department of Justice, the Secret Service, they’re the law enforcement and investigative agencies, and they work closely with their law enforcement counterparts around the world. So yes, we all play a role in that. We come together.

One thing I think I’ve seen, and this is something else that we’ve seen in governments around the world too is – I talked about this multi-stakeholder model. It’s also true of governments. We produced this international strategy. We started with 16 – or I think 18 different government agencies in a room discussing this. And it took a while to come up with this strategy because it was everything from the economic side, our Department of Commerce to our Department of Defense to our Department of State, all that range of interests. One thing I think the U.S. has benefited from, and I’ve seen this personally over the last few years, is having all those different departments and agencies come together and coordinate and discuss. And also, it’s led out of a coordinator on cyber-security at the White House, that that’s very helpful.

And I think that one of the lessons, I think, that’s useful for countries as they’re beginning to stand up this process – and many of the countries around the room are very advanced in this and had actually done a lot of this work – is to have that interagency coordination within their country. So you have the technical people talking to law enforcement people talking to the people who do policy, and that they understand how they all work together, and then to make sure you’re reaching out to the private sector in your countries and to the civilians in your countries.

And I’ll also say one of the things when we’re developing this international strategy is we did talk to the private sector about it and we talked to privacy and civil liberties groups as well because we wanted to get all that input.

QUESTION: Charlene Porter with the State Department’s international news service. You have a couple of different poles in this whole issue. You have the democracy/human rights access issue, you have the criminality sabotage issue, and you have the free commerce and economic resource issue and regulation that would inhibit that. In those three poles, where is the greatest concern? What is the greatest threat? That the internet is going to be shut down, that it’s going to be ransacked, or that it’s going to be part of an economic hijack?

MR. PAINTER: So think of it this way: Security, cyber security, it’s not an end in itself. It’s an end to something else. And it’s a continuing path. You have to continue to work to have that level of security and that resilience of your systems, which is what we’re talking about in this month, this awareness month. That enables the other things that you talked about. That enables the economic growth and the economic, really, innovation on the internet. That enables the social growth and the free expression and internet freedom on the internet.

All of those things can be compromised if, for instance, the criminals ran roughshod on the internet, for instance, so it wasn’t a reliable place for people to do commerce or for people to discuss their views. All of that is compromised if governments take a very limited view of what the governance structure should look like so that it’s far more regulatory and doesn’t allow that kind of innovation. All of those things, although they may initially seem like different poles, are really, I think, substantially interrelated. And that’s what we tried to express in the international strategy as these are not separate cones, these really all do interrelate, because you can’t have one without the other.

It’s frequently said you can’t have security without – you can’t have liberty without security and you can’t have security without liberty. I think that applies here, too. You need to have all these things working and to make sure they’re balanced. Security should not be a proxy for, in any way, inhibiting the free flow of information on the internet. But at the same time, we have to understand about – we have to understand and deal with the threats that are out there.

MODERATOR: Are there any other questions? We’ll come down here again.

QUESTION: Eric Weiner, Tokyo Broadcasting System. Coming from that last question: Do you, does the State Department, see eye to eye with the DOD strategy? Are you working on different facets of the same strategy? Are you guys pretty much in coordination?

MR. PAINTER: So DOD’s – DOD came out with a strategy recently, the defense strategy for operating in cyberspace. That strategy was tailored, and I think you saw during the rollout of that strategy by then-Deputy Secretary Lynn, really to the fact that DOD relies so greatly on cyber systems and they need to be able to protect those systems for themselves. And we work closely with DOD just like we work closely with the Department of Justice and Commerce and others. I mean, we are all talking and discussing these issues. So their strategy, I think, is one part of the overall government strategy. It doesn’t drive the government strategy; it’s one part of it.

I think there were people who said at the time that this was an attempt to militarize cyberspace. It’s not. I mean, it explicitly wasn’t. It even said, I think in the context of the strategy, that they recognize that this is predominantly a civilian space and that they had to be able to operate in this space. And I think that’s the way they’ve tried to phrase it.

MODERATOR: Are there any other further questions? Okay. If not, this event is now concluded.

MR. PAINTER: The one thing I would just say is that, first, for Cyber Security Awareness Month, there is a website that’s set up – that’s, and that’s a DHS and private sector site that talks about all the events that are going on this month and what the focus is. And it talks about various themes, including as a shared responsibility, a catchphrase called “Stop, think, and connect,” which is a good catchphrase. (Laughter.) There’s a week that deals with formal education and workforce development, a week that focuses also on cyber crime and law enforcement, a week that deals with online safety for small and medium-sized businesses. Secretary Napolitano is, I think, up in New York talking about some of these issues today, and I think that’s important.

The other is our website. My office’s website is an easy one – -- and that has collected on it a number of things, including Secretary Clinton’s speeches, also a description of what our office is trying to do, which is a new venture. It’s the first time I think any foreign ministry has tried to create this kind of position, and it’s now being created in a number of other countries as well. And I think it recognizes that this is increasingly a real foreign policy priority for this. So I’d say watch this space, we’ll be back to talk about this more. I’m sure we’ll be doing that in the coming months. And if you have any questions, we’ll be happy to follow up with you. Thanks.

MODERATOR: Thank you all again. This event is concluded.
