Remarks by Director John O. Brennan at the International Conference on Cyber Security at Fordham University (August 8, 2013)
Remarks as Delivered by Central Intelligence Agency Director John O. Brennan at the International Conference on Cyber Security at Fordham University
8 August 2013
Thank you very much, Father McShane, and thank you all for being here today. It really is an honor and a privilege to be back here at Fordham. I feel as though I am at home. And I want to thank the people who put on this conference this week. And having Fordham and FBI join together on such an important national security issue is really testament to the commitment of that partnership between Fordham University and the national security establishment.
I also want to point out, as I am CIA Director—this is my first time back to Fordham as CIA Director—I thought I would share a little bit of the secret with you. I know you were expecting it so I thought I would get it out the way early. [Laughter] I am a graduate from Fordham Rose Hill in 1977. In fact I am wearing my ram cufflink, and my Fordham tie. And you may or may not know that [NSA Director] Keith Alexander went to West Point and [FBI Director] Bob Mueller went to Princeton. What you don’t know—the only reason why they went to West Point and Princeton is because they couldn’t get into Fordham. [Laughter] But we won’t tease. [Laughter]
But it is a privilege to be here. And I am five months into the job as CIA Director. As Father McShane said, up until March of this year I spent the past four years at the White House, working on national security issues as assistant to the President for homeland security and counterterrorism.
And one of the issues that was in my portfolio was cyber security. And it was a very prominent one, and one that really did challenge me significantly because of the complexity of the issue, but also because President Obama feels so strongly about it.
And I can remember, fondly, the many times that we were in the White House Situation Room where we convened meetings on cyber security. And I must tell you that it was the meeting that was most overflowing. You had to have another room because of all the representatives from throughout government. More than any other issue, representatives from all the different departments and agencies wanted to be part, needed to part of that discussion, because cyber security affected all of those departments and agencies. And they all had a role to play in it.
It just underscores, I think, the point that Keith was making earlier, about the importance of this being a team sport.
Now, I have been at CIA for the past five months, as I noted, and now I have to shift my responsibilities, because I am no longer part of the policymaking world. I am part of the Intelligence Community. So I have been looking at, with my experience down at the White House, as well as my intelligence background, how the CIA is going to play in this area and how it has played for many years, because it does play a critical role, along with NSA and FBI and the other departments and agencies.
So what I thought I’d do today is just make a few points, before we engage in some questions and answers. And so, four points that I’d like to be able to underscore to you today.
First of all, increasingly, human transactions of all kinds are taking place in the cyber environment. Unlike when I grew up, in the 70s and 80s, there was very little that happened in the cyber domain. But now, when you think about, from the social, financial, business, commercial, trade perspective, that’s the new environment. That’s the neighborhood. That’s the marketplace. That’s the business arena that we are increasingly operating within. Vastly different than what we had done years ago.
So more and more of those human transactions that used to take place in the physical domain are now migrating to the cyber domain. It has significant implications for everything we do. And that’s one of the things that we have to make sure that we’re mindful of. That migration from the physical domain to the cyber domain.
And it’s not just Mrs. Alexander who is purchasing on a daily basis. [Laughter]
Now, that explosive growth has taken place over the last decade. And as has been, I think, our experience, technological advances have far outpaced the ability of the legal structures, of the government structures, of the rules, and how you are going to operate there in a way that is agreeable to all. That has not kept pace, by any means, with the technological advances.
The ability to interact on that worldwide web, to engage with others, while our laws, our government structures, from the standpoint of a government, the United States government—we have had those laws and those government structures formed by the physical environment. We have not been able to adapt to that cyber environment in a way that allows our laws and our government’s frameworks to keep pace.
Also, the global web as we know does not respect sovereign boundaries. And so therefore, the laws of cities, states, and nations—although they do apply to the physical arena, and they are trying to be applied in the cyber arena—really struggle because of the interconnectedness of the world. And so it’s not just an American issue. It’s a global issue in terms of how we are going to adapt our laws—domestic and international—and how we are going to adapt our standards, and how we are going to adapt our interactions into that cyber domain because more and more things are going to be going into the cyber domain in the years ahead.
The second point is, because of that tremendous change that has gone on—the migration to the cyber domain—all businesses have had to change their way of doing business, because they have had to adapt to the new realities of how people interact. And the intelligence business is no different.
Unlike when I joined the Agency in 1980, when we had to have that physical interaction with people—had to go to all parts of the world to be able to have access to that information, those people, those secrets. Now there is this cyber environment that is very, very busy and very active from the standpoint of all of these different activities, but also in terms of intelligence activities.
It’s a new domain that those intelligence services, security services and others, are operating within. CIA and others have had to change, then, their tradecraft, their operating activity, because so much is happening there.
But remember, that legal framework, that governing structure, still has not kept pace with the cyber environment. So the intelligence arena, which is becoming much more evident in that cyber domain, is struggling now to keep pace with the legal structures that I think are adapting, but slowly.
But in times past, as I said, there would have to be transcontinental travel, in order to, what we refer to as “bump” somebody that you are interested in.
Now, there is so much interaction that is taking place in the cyber environment, of all different stripes, and not just intelligence and security services, but those businesses, those scam artists, those other individuals who can now interact with people in many respects in an anonymous way, in ways that you don’t know exactly whether or not they are who they say they are.
So across the board, these interactions are having to take into account the new environment of cyber, and intelligence is doing that.
And so that’s why, working with partners, we’re trying to develop and adapt because there are so many national security issues and threats that are taking place in the cyber environment.
You can now surveil potential targets of a terrorist attack by just logging on to the Web. You can find out how to construct an improvised explosive device by logging on to the Web.
So in addition to cyber security as we talk about it from a technical standpoint, wanting to make sure that our information is held safe—and for me and my business I have to make sure that it is—what is now available on the Web really, just by dint of the content itself, poses a threat to our security. So this is where intelligence agencies like CIA really need to take into account so much that is happening out there in ways that never existed 33 years ago when I started at CIA.
So third, in this increasingly busy environment, that environment really is in desperate need of an appreciation as well as the ability to address those security vulnerabilities that exist. And it’s not just in terms of the government and the intelligence agencies that are trying to protect its data, its databases, and its networks. Businesses. Trade associations. Universities. Medical facilities.
Different types of organizations that now retain their information, retain their knowledge, their expertise, in the cyber environment, are part of this environment that has not yet been able to develop all of those capabilities that are going to protect it the way you might protect a building. By putting locks on the doors. By having a security perimeter that protects you from some type of car bomb or truck bomb.
So how do you protect yourself in that cyber environment? And, of course, for CIA and the other intelligence agencies, we really need to have confidence in trusted systems, trusted data, and trusted people. You cannot just look at one aspect of it. Because the people who are able to access this environment and play in it have a capability then to do things for good, or to do things for evil.
And so I think we really need to be able to look at it holistically—not just from the technical side, but also on the people and the insider-threat side, as well as what can individuals do, even with a limited amount of technical capability.
And the fourth point, and this is what Keith alluded to, is a fresh look at the role of government on cyber security. And a fresh look at the role—or the relationship—between the private sector and government.
In the Worldwide Web, as Keith was noting, this critical infrastructure—85 percent of it—is held by the private sector. This is a privately owned and operated environment where we’re still not certain about what those rules are. But then, what’s the role of government in that arena? We know what it is in the physical environment—that within borders, whether states or cities or countries.
But what is the role of individual governments? How should they exercise what we believe is their responsibility to ensure the reliability, the integrity, the resilience of these systems that we rely on on a daily basis?
What is the appropriate relationship between private-sector companies that are really responsible for the development of that cyber environment, and the government? How should that relationship evolve? What should be the role of the American people in engaging in that debate and helping to define that role for government and private-sector/public-sector interaction?
So, final thoughts. CIA has the responsibility, with others, to make sure that we do everything possible to identify the threats to our national security, to American men and women, and to our national interests worldwide.
And increasingly so, we’re having to dedicate resources to be able to identify those threats that exist in the cyber environment, the capabilities—the developing capabilities—of countries. Someone who has, you know, DDoS [distributed denial-of-service] capabilities, whether it’s a state, an organization, a person.
What does that DDoS capability today mean in terms of taking down that publically facing website? What does it mean as far as their continued or increasing sophistication of applying those DDoS capabilities against these websites, and how then is this going to migrate to something that’s much more difficult for us as a government to prevent, or protect against?
What are the developments in the malware area that really could be devastating in terms of taking down critical infrastructure that would put many people’s lives at great risk? What are those threats that are emerging that we need to be able to work together—and this is where CIA’s role is critically important.
I cannot emphasize enough Keith’s comment about a team sport, because it’s not just a team of the US Government, its departments and agencies. It really is the relationship and engagement with academic institutions like Fordham. With private-sector companies that have a responsibility for the security of that cyber environment. With those businesses that rely on that security in that cyber domain.
And finally, although I was a political science major, and it was also the great teaching of Professor John Entelis, who did—I give him both credit and blame for what I’ve done over the past 33 years [laughter]—I do think I’m a frustrated architect and engineer. Because I like to understand how things fit together.
And I must tell you that after the tragic attacks here in New York after 9/11, this counterterrorism community—the national counterterrorism community—did some tremendous things as far as putting together a national architecture where we were going to interoperate with one another, we were going to share information so that we’re able to gain those synergies and those efficiencies, as well as the capabilities that only come as a result of being able to operate as a team.
I must tell you that it hurts my head to think about doing the same thing for the cyber environment because of so many different nodes that are involved, because of so many different complex aspects of this, because of that amorphous cyber domain that again transcends boundaries and that don’t have the legal structures and the government structures to support it.
So systems engineering in the future—in terms of how we’re going to bring together the technological know-how that this country is famous for, or the expertise that we have developed over the years, in terms of those national security threats in the cyber environment—how we’re going to bring together this country as a nation, and work with other nations to protect what clearly is going to be the major lifeline of this country, which is the cyber domain—that’s why I think conferences like this are so critically important.
And I again want to again thank Father McShane. And I also want to say it is a tremendous honor to be working over a number of years with Bob Mueller and Keith Alexander—two outstanding patriots who have saved lives in this country as well as abroad, in terms of what they have done. And both of them have served many years in their current jobs, and the next time you have this conference, they may not be here in that capacity. Hopefully, I will be invited back. [Laughter]
But, as people know, the Director of FBI and the Director of NSA jobs are very difficult and challenging ones, and, unfortunately, the people who often find things that they think aren’t perfect, they don’t spend enough time recognizing the tremendous work and dedication and commitment to this country’s national security. And I think these two individuals really embody that, and I just want to say how pleased I am. So thank you very much. [Applause]