As prepared for delivery
New York – Thank you, Tyler, for that introduction, and thank you all for having me here today.
Without a doubt, the Internet has revolutionized the way we conduct our lives and the way we do business—from making a bank deposit, buying a book, and providing a medical diagnosis to restocking the shelf of a grocery store, filing taxes, and trading stock. But this transformation—which has spawned incredible waves of innovation and entrepreneurship—has also given rise to new dangers. And the challenge for businesses and governments to fortify their defenses against these dangers will be a central test for all of us going forward.
Everyone in this room knows cyber intrusions are not some hypothetical event on the horizon. They are real, and they are happening every single day. These incidents represent a direct threat to our economic and national security, perpetrated by state and non-state actors around the world, with growing intensity and increasing sophistication.
And while many are just gearing up their defenses, some banks are already spending as much as $250 million a year to strengthen their cyber security.
The consequences of cyber incidents are serious. When credit card data is stolen, it disturbs lives and damages consumer confidence. When trade secrets are robbed, it undercuts America’s businesses and undermines U.S. competitiveness. And successful attacks on our financial system would compromise market confidence, jeopardize the integrity of data, and pose a threat to financial stability.
Cyber intrusion has far-reaching economic consequences. Recently, cyber criminals stole credit card and personal information from retailers like Target, Neiman Marcus, and Michaels, affecting more than 100 million customer accounts. Hackers accessed AP’s Twitter account and issued a false news alert that there had been an attack on the White House, which drove the Dow Jones Industrial Average down by more than 100 points within three minutes, temporarily erasing roughly $130 billion of value from U.S. stock markets.
And since 2011, we have seen more than 250 distributed denial of service attacks against U.S. banks and credit unions, overwhelming systems and forcing some web sites to go offline. The United States government assesses that these denial of service attacks represent a sophisticated threat almost certainly intended to disrupt the U.S. financial system. It does not take much to imagine the impact of those attacks on U.S. banks if they had penetrated core operational functions rather than temporarily disrupting public web sites and customer log-in pages. Cyber attacks on our financial system represent a real threat to our economic and national security.
But a malicious cyber actor can cause catastrophic damage to our financial system without directly attacking a bank. Risks to the system can be found at the vendors, suppliers, and contractors that keep our financial system running. They can be found within industries that underpin the markets—like telecommunications and energy. And they can be found across the physical infrastructure that supports the U.S. economy, like our transportation system and water supply.
These related companies, industries, and utilities rely on a network of computer systems, and an incursion at a strategic point along the network could lead to market disruption and massive harm.
From our experience with accidental failures, we know the stakes are high. For instance, the largest power disruption in American history occurred in 2003 after a computer system malfunctioned in the control room of an Ohio-based electric utility company. Fifty million people were plunged into darkness as cascading power overloads caused the shutdown to spread from Toledo, Ohio to New York City. The outage contributed to the death of 11 people, it shut down trading and exchanges, and it cost workers and investors more than $4 billion in wages and income. While this blackout was not the result of a cyber attack, it demonstrates our exposure and the importance of strengthening computer defenses.
One back door is all a malicious actor needs to transmit large-scale damage. Look at the Target incident. Criminals entered Target’s systems by first infiltrating the network of one vendor—a refrigeration services company in Pittsburgh. Once inside, these intruders reached in-store computer networks, stole credit card information from millions of Americans, and sold that information on the black market.
As many of you in this room know all too well, Superstorm Sandy damaged New York’s telecommunications infrastructure, and that damage rippled across Wall Street, again highlighting how critical third-party service providers are to our financial institutions. And we know that when it comes to cyber-related risks, our financial institutions are only as strong as the protection put in place by third-party service providers.
I visited a Verizon network operation center in Virginia yesterday, and saw firsthand how cyber intruders are trying to infiltrate these vital systems and what Verizon is doing to combat this threat. Telecommunications companies are taking important steps to protect vital infrastructure and improve cyber safeguards. It is essential that all critical third parties have protections for both physical infrastructure and cyber security.
From the outset, the President directed his Administration to improve our nation’s digital defenses as a matter of national and economic security. We forged strong partnerships across government agencies with very different missions. At Treasury, we are working hand in hand with the intelligence community, the Department of Homeland Security as well as law enforcement and financial regulators, to bolster our nation’s resilience to cyber attacks. Soon after I became Treasury Secretary last year, I convened more than 50 CEOs from a range of financial services companies to underscore the urgency of making cyber security a priority.
The Obama Administration strategy is to collaborate with the private sector to establish cyber security best practices and improve information sharing. While companies have the primary responsibility to protect themselves from cyber threats, government also has an important role in helping companies enhance their protections. It is a public responsibility to prosecute cyber criminals, hold state-sponsored attackers accountable, provide critical intelligence about specific threats and share best practices.
Last year, President Obama issued an executive order, establishing a new cyber security framework that provides a blueprint that firms of all sizes can use to evaluate, maintain, and improve the resiliency of their computer systems.
And let me be clear: every financial services firm should use this framework to reduce cyber security threats. But it is not enough for firms themselves to adhere to these basic practices. Outside vendors, including the businesses that provide the hardware and software for your technology systems and the service providers that handle your payment processing and other back-office functions, should also use this framework. Just as you consider your counterparties when you take on financial risk, you should also consider your counterparties in the area of cyber risk.
Our cyber defenses are not yet where they need to be. Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more. In particular, it is imperative that firms collaborate with government agencies and with other firms. Disclosing security breaches is often perceived as something that could harm a firm’s reputation. This has made many businesses reluctant to reveal information about cyber incidents. But this reluctance has to be put aside. There cannot be a code of either silence or secrecy about the steps necessary to protect our basic security. Sharing information is far too essential.
Even as we have been moving forward to create cyber security standards, we are making it easier for the government to share often classified threat information, and for companies to share similar information with government agencies. The goal of information sharing is to raise awareness about specific attacks and attackers. Sharing information about malicious cyber activity helps reduce vulnerabilities because with information, firms can better protect themselves against possible attacks.
To increase information sharing across the financial services industry, Treasury has created an information sharing and analysis unit, known as the Financial Sector Cyber Intelligence Group. This team is delivering timely and actionable information that financial institutions can use to protect themselves. This unit consists of cyber experts and security analysts who scour law enforcement and intelligence reports constantly to find relevant activity, analyze and connect the dots between events, and issue information bulletins for security professionals in the financial sector.
Given the global nature of the cyber threat, this Administration has made cyber security a global undertaking. We coordinate with international partners to share threat information, improve our responses, and locate malicious cyber actors. And in my bilateral meetings with foreign leaders, cyber security is often a major point of discussion.
I just returned from the Strategic and Economic Dialogue in Beijing, where, once again, we explained to our Chinese counterparts in no uncertain terms that government-sponsored, cyber-enabled theft of intellectual property for commercial gain is illegal and unacceptable. More broadly, our discussions also focused on the dangers of cyber crimes and the importance of strong cooperation on cyber issues so that we can combat this international epidemic. Digital attacks are not just a threat to U.S. companies and competitiveness, they are a threat to China’s growth and prosperity as well.
To safeguard the financial system and the broader economy from the cyber threat, improving communication has to be a greater priority for firms. That does not only mean sharing information with other companies and the government. It also means firms have to do a better job of sharing information inside their organizations. While CEOs, top company executives, and board members have been getting more involved in cyber risk management, cyber security cannot be the concern of only the information technology and security departments. It should be the responsibility of management at all levels.
If you are the leader of a business, you should know how strong your company’s defenses are, you should know if there are response plans in place in case a significant security breach occurs, and you should be getting regular reports on cyber security threats and what your company is doing to respond to those threats.
No one depends on a secure electronic infrastructure more than America’s businesses.
Now, given how interconnected our economy is, we can do more to coordinate cyber security across sectors. That is why the Administration is also going to bring together leaders of the Treasury, Energy, and Homeland Security departments so we can increase our effectiveness across sectors and make our economy more resilient to cyber threats. In addition, my Deputy Secretary, Sarah Bloom Raskin, will be working with federal and state financial regulatory agencies to reduce cyber risks to the financial system. She is also looking beyond traditional financial services to explore the regulatory, security, and consumer protection aspects of financial technology.
Finally, it is time for Congress to pass cyber legislation. As it stands, our laws do not do enough to foster information sharing and defend the public from digital threats. We need legislation with clear rules to encourage collaboration and provide important liability protection. It must be safe for companies to collaborate responsibly, without providing immunity for reckless, negligent or harmful behavior. And we need legislation that protects individual privacy and civil liberties, which are so essential to making the United States a free and open society. We appreciate the bipartisan interest in addressing this important issue, and the Administration will continue to work with key stakeholders on the various bills that are developing in Congress.
The perils of cyber space are not insurmountable. We know we need to remain focused on these challenges because these threats will continue to evolve. Cyber security must be ongoing, and by working together—all of us—we will meet this test. We will deploy the progress of today’s technology to fulfill tomorrow’s promise. Commerce will flow and markets will flourish. Communities will prosper, workers will thrive, and opportunities will abound. And by moving forward without fear or illusion, we will realize the hope and expectation of the Information Age.
Thank you very much.