Remarks of Assistant Secretary of Cybersecurity and Communications Greg Garcia at the New York Metro Infragard Alliance Security Summit

Remarks of Assistant Secretary of Cybersecurity and Communications Greg Garcia at the New York Metro Infragard Alliance Security Summit
Remarks of Assistant Secretary of Cybersecurity and Communications Greg Garcia at the New York Metro Infragard Alliance Security Summit

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

Release Date: December 11, 2007

New York, NY
(Remarks as prepared)

New York is such a fitting place to hold a security summit. With its 
storied history and thousands of financial institutions, it is the 
world's financial nucleus. All of you, as leaders in your respective 
companies and organizations, understand the full weight of your 
responsibilities to New York City itself, the nation, and quite 
honestly, the world. Because as Wall Street goes, so does the rest of 
the world. That is quite a responsibility to shoulder.

Yet you have continuously demonstrated your understanding and commitment 
to upholding this reputation. Time and again, whether facing a natural 
disaster or terrorist attack, you have found ways to ensure that roughly 
five and a half trillion dollars flows unabated through our financial 
systems each and every day. That's five and a half trillion dollars a 
day in activities that are critical to our citizens' basic needs and our 
Nation's economy.

It's the delivery of paychecks, utility bill payments, ATM withdrawals, 
and the over $733 million of Internet sales that occurred this past 
cyber Monday -- the first Monday after Thanksgiving, which is considered 
the most active online shopping day of the year.

As New Yorkers know, our adversaries will stop at nothing to destroy the 
infrastructures we have all worked so hard to build and protect. Whether 
they are cyber criminals, hacktivists, or nation states, our adversaries 
are pursuing ever more sophisticated and determined cyber attacks on 
U.S. government and private sector networks.

I'm watching as companies =E2=80=93 household names with huge market 
capitalization and seemingly tremendous resources =E2=80=93 expose their 
networks and data to infiltration and information theft. I'm seeing the 
same with government agencies on a regular basis. So we're all at risk, 
and we're all responsible. We have made some progress but there is much 
more we all have to do to protect our critical systems.

So let me tell you what we're doing at DHS to make the United States the 
most difficult and dangerous place in the world to conduct cyber crime. 
I think you will see that you each have a very important role to play in 
helping to make this happen.

Let me start with an overview of the threats as we see them at DHS. As 
you all know, the threats are real. Hackers are becoming more 
sophisticated and focused in their efforts. Criminal computer code is 
now written at the PhD level, and sold cheaply on the Internet.

Hackers are making massive efforts to compromise computer systems on a 
global scale. What was once a nuisance committed by various individuals 
years ago has now progressed into organized efforts by highly skilled 

Today's professional hackers develop and sell malware toolkits to other 
criminals on the black market. In turn, the buyers of these toolkits can 
conduct online scams and spread malware more proficiently than ever 

Why do they do this? Because cyber crime is big business. The number of 
hackers attacking banks worldwide jumped 81 percent over the past year. 
Botnets, spear phishing, key loggers, and other attacks make up the 
more-than-$100 billion global market for cyber-crime =E2=80=93=C2=AC surpassing drug 
trafficking from a monetary perspective. Worst of all, the money 
obtained through cyber crime can be used to finance terrorism.

The numbers don't lie. From October 1, 2006, through September 30, 2007, 
our US-CERT=E2=80=94 which I'll describe in more detail in a moment=E2=80=94handled more 
than 37,000 incidents, compared with almost 24,000 the year before. This 
increase can be attributed to not only more attacks on our public and 
private networks, but also better situational awareness levels and 
reporting rates.

I'll tell you now: many of these malicious attacks are designed to steal 
information and disrupt, deny access to, degrade or destroy critical 
federal or private sector information systems. Our adversaries are also 
seeking our intellectual capital and proprietary information, which we 
have spent years=E2=80=94 and billions of dollars=E2=80=94developing.

Unfortunately, none of this will dissipate if we do not have the same 
level of organization and coordination that our adversaries are using 
against us. This dynamic underscores the absolute necessity for IT 
security and the importance of a nationwide call to secure cyberspace. 
It's something we can't afford not to do.

Our mission is clear. Securing the systems that maintain and operate 
critical infrastructures is vital to national security, public safety, 
and economic prosperity.

How do we do this? Collaboration and information sharing. It's a common 
theme in many of the speeches you hear because public/private 
partnerships, like InfraGard and the Financial Services and Multi-State 
Information Sharing and Analysis Centers (ISACs), are essential to 
protecting our critical infrastructures.

Let's be realistic. Private industry owns and operates more than 85 
percent of the United States' critical infrastructures. That means the 
Federal Government cannot address cyber threats alone. Obviously, if a 
cyber attack occurs, the larger percentage of potential immediate 
victims will also be in the private sector. This includes the financial 
services industry. So not only does it make sense to collaborate with 
each other, it is an absolute necessity.

At DHS, one of our best information sharing mechanisms is the United 
States Computer Emergency Readiness Team, or US-CERT. The nation's cyber 
watch and warning center, US-CERT coordinates the defense against and 
response to cyber attacks in coordination with the private sector.

It also analyzes and reduces cyber threats and vulnerabilities, 
disseminates cyber threat warning information, and manages incident 
response activities with a wide range of stakeholders. US-CERT's 
activities allow us to see potential trends and coordinate appropriate 
deterrence and response activities across sectors.

A prime example of this occurred just last month when the US-CERT served 
as the key data gathering and distribution center for a potential cyber 
threat to both government and private sector systems maintaining 
critical infrastructures.

By taking advantage of its information-sharing relationships, US-CERT 
distributed a notice defining the malicious activity and addressing how 
partners could detect and prevent it from affecting their networks. This 
directly strengthened the security and resilience of our nation's 
critical infrastructures.

The key lesson here is that by sharing our knowledge, we can better 
protect our nation. But we also know that this information sharing 
relationship is not as mature yet as it can be.

The feedback we received from our private sector partners after this 
information notice was, overall, very positive and appreciative.

But it included a reminder that such notices would be more useful if DHS 
could provide more threat-based context =E2=80=93 that is, what is the nature of 
these attacks? Where do they come from? What is their intent?

Well, we continue to be limited in what we can share with partners who 
don't have appropriate security clearances, (indeed that's an issue 
within the U.S. government agencies as well). And we have to find 
better, quicker ways to get you relevant information that you can act 

And, from our perspective, when we provide you information you already 
have, we realize both sides need to better calibrate our exchange of 
information so we make most effective use of our limited time and 

So we're learning, and we're working to improve our information sharing. 
That's one of InfraGard's key tenets and the ultimate goal for all our 

As we move into the discussion portion of this event, I'm very 
interested to hear your ideas about other ways we can share useful and 
relevant information between sectors.

In addition to sharing information with its public and private partners, 
one of US-CERT's most important responsibilities is increasing the 
Federal Government's awareness of its own network activity.

We know from our friends in law enforcement that situational awareness 
is the primary method a beat cop uses to protect a neighborhood. As I'm 
sure Joe can recall from his days on the force, a veteran officer works 
to deter crime wherever possible and catches criminals by understanding 
their environment, watching for trends and patterns, and knowing the 
rhythms of the community.

We know the same is true for cyber first responders. So we created an 
early warning system that watches for malicious patterns in network 
traffic and notes irregular activity. Just as in neighborhood policing, 
out-of-the-ordinary events or activities can tip off agency cyber 
responders to potential trouble.

EINSTEIN, as it is known, is that early warning system. It monitors 
participating agencies' network gateways for traffic patterns that 
indicate the presence of computer worms or other unwanted traffic. By 
collecting this information, EINSTEIN gives our analysts a big-picture 
view of potentially malicious activity on federal networks.

Prior to EINSTEIN, it took cyber security responders four to five days 
to gather and share critical data on federal government computer 
security risks. Today, we can produce that information in as little as 
four to five hours.

By analyzing network traffic for potential cyber threats before they can 
exploit vulnerabilities, EINSTEIN makes it more difficult, more time 
consuming, and more expensive for cyber criminals to reach and impact 
their intended targets. EINSTEIN provides us with unique traffic pattern 
analysis that US-CERT, as appropriate, can share with its partners. Now 
another program that exemplifies knowledge sharing in action is the 
National Vulnerability Database.

Sponsored by my office and the National Institute of Standards and 
Technology (NIST), the National Vulnerability Database or NVD puts the 
more than 28,000 known cyber security vulnerabilities into a single 
publicly available resource. NIST analysts then score them according to 
the severity of their risk.

Accessed at a rate of 48 million hits a year, the NVD's data enables all 
organizations to automate their vulnerability management, security 
measurement, and compliance activities through a series of security 
checklists and metrics.

Recently, your colleagues in the payment card industry recognized the 
value of the database to their cyber risk management efforts. Last June, 
the industry's data security standards required that all credit card 
processing vendors use the National Vulnerability Database to evaluate 
the security of their payment systems.

Essentially, it says that vendors must ensure that their systems do not 
include vulnerabilities that score higher than a pre-determined NVD 
number. This greatly enhances the security of every credit card 
transaction, prevents disruptions of key operating systems, and protects 
consumer information.

The value of the NVD is not limited to the credit card processing 
industry. If you haven't investigated the potential beneficial uses of 
this program in your companies, I strongly encourage you to do so 
immediately. You can access it by going to US-CERT's homepage 
( and searching for =E2=80=9CNVD.=E2=80=9D 

The NVD is a wonderful example of an industry-lead adoption of a 
valuable government tool. And it also underscores our role in the 
federal government, to provide resources that help all of you do your 
jobs more effectively.

Let's move to another example of collaboration and information sharing. 
You know, in many ways, the enemy is already at the gate. So if we are 
going to secure cyberspace, we must marshal our defenses, learn from 
each other, and work together as never before. I'm a true believer in 
the phrase, =E2=80=9Cyou play how you train.=E2=80=9D This is why exercises are critical 
to our national and financial security.

InfraGard members already understand this. The Vermont InfraGard is a 
key planner in the state of Vermont's first ever cyber exercise, which 
my office is helping to design and implement. The lessons learned from 
next month's exercise will aid in the development of a cyber annex to 
the state of Vermont's emergency operations plan.

At the national level, we are actively planning for the March 2008 
national cyber exercise, Cyber Storm II, which follows the highly 
successful cyber storm I held in February 2006. This exercise examines 
our response and coordination mechanisms against a simulated cyber event 
affecting international, federal, state, and local governments, and the 
private sector.

By organizing and executing an exercise such as cyber storm, DHS is able 
to test our planning, information sharing and response to attack 
scenarios, assess our strengths and weaknesses in those areas, and learn 
how to improve response capabilities.

I am thrilled that the financial services sector, through the financial 
services ISAC, is once again fully engaged in the planning and execution 
of the cyber storm exercise.

Their participation in the exercise demonstrates their firm commitment 
to cyber preparedness and I hope sends a signal to other sectors that 
cyber security measures need to be taken seriously.

Throughout the country, at every level of government and within the 
private sector, people are dedicating themselves to ending cyber crime. 
To do this at CS&C it's necessary for my office to engage in robust 
collaboration and information sharing with our law enforcement partners. 
We do this through a liaison office in the US-CERT, which houses liaison 
officers from the U.S. Secret Service and FBI.

For example, maintaining the necessary division of authorities, US-CERT 
and the FBI worked closely together to identify and investigate cyber 
criminals and threats during Operation Bot Roast II. An ongoing and 
coordinated initiative, Operation Bot Roast finds and captures the 
criminals that overtake people's computers to conduct criminal 

Since it began last June, the FBI, with US-CERT's technical input, 
captured eight individuals responsible for infecting over one million 
compromised computers. We estimate the economic loss to be at more than 
$20 million to date. As the investigation continues, I have no doubt 
those numbers will increase.

At DHS, we know that online payment systems are profitable money makers 
for criminals. A recent 24-month Secret Service investigation of e-gold, 
an online payment system favored by criminals, resulted in the seizure 
of over $16 million.

In Miami, a Secret Service's cyber crime fraud investigation recovered 
more than 200,000 stolen credit card account numbers at a potential loss 
exceeding $75 million.

And here in New York, a Secret Service investigation with the Manhattan 
District Attorney's office led to the indictment of 17 people and a 
company called Western Express, a digital currency transmittal service.

The defendants are facing charges related to global trafficking in 
stolen credit card numbers, cyber crime, and identity theft. Based on 
the over 1.3 terabytes of digital evidence it obtained from search 
warrants and subpoenas, the Secret Service estimates that approximately 
$15 million flowed through Western Express' digital currency accounts. 
Additional judicial action is ongoing with respect to targets identified 

We're starting to really hurt the criminals. Eventually, they are going 
to realize that it is just too expensive =E2=80=93 both financially and in 
potential jail time =E2=80=93 to =E2=80=9Cconduct business=E2=80=9D in the United States.

In addition to catching the criminals, my office also works closely with 
the Departments of Justice and Defense to prepare for and, if necessary, 
respond to a national-level cyber incident. As co-chairs of the National 
Cyber Response Coordination Group (NCRCG), we work with 19 different 
federal agencies, including the FBI and the Secret Service, to ensure 
that the full range and weight of the Federal Government's cyber 
capabilities are deployed in a coordinated and effective fashion.

For example, the NCRCG recently convened to address and respond to the 
denial of service attack against the government of Estonia, a NATO ally. 
Additionally, the NCRCG will be an active participant in Cyber Storm II.

Effective cyber and communications risk management requires us to be 
prepared for a national crisis beyond those caused by terrorists or 
criminals. Now, I've talked a lot about cyber viruses. But we still have 
to contend with the more traditional biological virus =E2=80=93 that is, the 
potential effects of a public health crisis, such as an outbreak of 
pandemic flu.

The spread of pandemic disease across the U.S. will be rapid and 
unpredictable. We estimate that as much as 40 percent of the workforce 
will be unable to report to work during peak periods of an outbreak =E2=80=93 
and you don't get to pick which 40 percent that could be.

Naturally, telecommuting will be a key mechanism to keeping our 
businesses and government operational during a pandemic flu.

Preparing for the increase in telecommuting is a demonstration of 
public-private collaboration in action. A working group led by my one of 
my components=E2=80=94 the National Communications System=E2=80=94and including experts 
from the Federal Reserve Board, the Department of the Treasury, the 
Financial and Banking Information Infrastructure Committee, and the 
Financial Services Sector Coordinating Council, meets monthly to plan 
for the potential communications consequences of a pandemic influenza.

What the working group found is that, while the telecommunications 
backbone is unlikely to experience congestion, the so-called last mile =E2=80=93 
to the home and the enterprise =E2=80=93 could experience disruptive congestion. 
But it concluded that this disruption could be mitigated if certain 
safeguards and practices are implemented by enterprises and 

In collaboration with major internet service providers (ISPs), 
telecommunications carriers, and equipment and service vendors, the 
working group developed the following best practices that we strongly 
encourage businesses and government agencies to consider:
1. Limit remote access to users critical to maintaining business 
2. Limit access to business critical services through the enterprise 
3. Adjust or retime automatic desktop backup software and software 
   updates for telecommuters;
4. Obtain a telecommunications service priority (TSP) for enterprise;
5. Subscribe to government emergency telecommunications service (GETS) 
   cards and/or wireless priority service (WPS) capabilities for 
   critical it staff; and
6. Enhance your cyber security posture due to increased reliance on 
   communications and it, reduced support staff, and increased threat of 
   cyber attack.

Implementing these practices will help reduce significant impacts on our 
nation's economy. All of us must do everything possible to keep our 
nation operating and delivering critical services under even the most 
challenging circumstances.

I consider everyone in this room today a key partner in the effort to 
strengthen our nation's cyber infrastructure. You understand that the 
Internet, and the many enterprise networks that depend on it, is one of 
the central platforms for business operations, supply chain management, 
and business continuity.

However, I'm more concerned about the people who aren't in this room 
because, as a recent business roundtable report suggests, they don't 
understand that this is a matter of their own business survival. 
Cyberspace is a profitable marketplace and enabler of market activity. 
But if businesses, whether in the financial services sector or 
otherwise, haven't made the investment in the people, processes, and 
technologies that will keep them operational in a crisis, our economy, 
in fact our very way of life, is at stake. We can't let this happen.

So here's what we all need to do.

First, memorize US-CERT's website address =E2=80=93 =E2=80=93 and give it 
to everyone who needs it. Tell your partner organizations and businesses 
to sign up for the cyber security alerts and to report any potential 
cyber incident, threat, or attack they find.

We can only act upon the information we know about. The information our 
partners provide increases our understanding and awareness of the health 
of the overall cyber infrastructure and improves our response and 
protective measures.

Second, encourage your partners to participate in public-private 
partnerships like InfraGard and the financial services ISAC. These 
collaborations act as force multipliers for increasing awareness of 
cyber security challenges as well as implementing actionable and 
enduring solutions.

Additionally, they serve as an easily accessible mechanism to educate 
people on how cyber vulnerabilities can have real world consequences to 
our physical infrastructures.

Finally, encourage your colleagues to make security a part of their 
everyday business operations. It doesn't take long for cyber events to 
have real world consequences. Have them look at every step of their 
business lifecycle=E2=80=94from system configuration to in-house software 
development=E2=80=94to see if common security practices are being followed and 
that response plans are prepared accordingly. Help them realize that 
when they build a culture of security within their organizations they 
make great strides in ensuring the resilience of their business 

Laws such as Sarbanes-Oxley, the Gramm-Leach-Bliley Act, and the Health 
Insurance Portability and Accountability Act (HIPAA) place a fiduciary 
responsibility on them to ensure the security of their customers' 
information and their systems. However, in reality, these 
recommendations are simply the right thing to do for their companies, 
their customers, their fellow citizens, and the nation as a whole. So 
let's work together to make it happen.

Before I close, I would like to make one last comment. Thank you for 
your commitment to cyber security and your active participation in 
InfraGard. I have had a chance to work with members across the country 
and know what an important role you all play in our cyber security 
awareness efforts.

I urge you to use the time at this meeting to learn as much as you can, 
and then share your knowledge with your colleagues, professional 
networks, friends and families.

Cyber security is a complex problem, yes, but the dangers are easily 
understood, and the solution is simple: you can't guard all of 
cyberspace, but you can protect your piece of it.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Visit InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods