Hello everyone. It’s a great pleasure to join you for this unique summit. Thank you very much for the invitation. I appreciate this great opportunity to speak with such a distinguished group of cybersecurity professionals.
The Cyberthreat Landscape is Dynamic
New technologies are a double-edged sword: as they are introduced, so too are corresponding cyber threats. These new cyber threats add to a long and growing list of threats confronting the United States and indeed the world. This past year, we’ve seen ransomware attacks escalating across public and private sectors. These attacks often present debilitating impacts for an organization, even bringing its core work to a standstill for a period.
We have also seen increased activity by threat actors disrupting global supply chains, in bold attempts to compromise products before they even make it to market. The U.S. Department of State is, of course, not immune from these attacks. From crude attempts by amateurs, to sophisticated attacks by advanced adversaries, we face challenges similar to our colleagues across the federal government and within the private sector. Yet the nature of our mission and our global footprint increase our risk exposure.
There are entities and adversaries at home and abroad that view the U.S. as a target and they treat us as such. Their goals are to destabilize our networks and communication capabilities in order to frustrate our foreign policy goals and to undermine U.S. interests. They will target us however they can, including directly, but also through our non-Governmental Organizations and private sector counterparts.
Recognizing the seriousness of these cyber threats, the Biden Administration issued the Executive Order on Improving the Nation’s Cybersecurity, elevating it to a top national security priority. The President has pointed out that for any organization to be successful in these modern times, it must embrace cybersecurity risk management—head on, in a coordinated way.
Whether through formal or informal alliances, it is critical for any organization to be proactive in their threat intelligence and risk management strategies. In today’s modern world, no organization can conduct its business without modern technology or partnerships. We must manage our technology carefully and we must choose our partners even more carefully.
Fortunately, we enjoy friendly, reciprocal partnerships with many other nations around the world that host our embassies and consulates.
Our Cybersecurity Strategy: Enable and Protect
At the Department of State, cybersecurity and diplomacy go hand in hand, through well-coordinated, diplomatic technology efforts. Our goal is to both enable and protect. We strive to equip our diplomats with the tech tools they need to excel, along with the digital confidence that secure systems provide. In order to do this, we aim to integrate cybersecurity into all aspects of our operations. Cybersecurity is paramount in selecting the products and projects we choose to implement at the State Department. It’s woven into every stage of our product and project lifecycles.
My bureau, the Bureau of Information Resource Management, continuously implements security controls to support an “Ongoing Authorization” approach to risk management of our assets. Contingency and recovery plans are mandatory for all of our diplomatic missions abroad. They are required for any information system and its components here in the United States. Our policies direct that these plans must be tested to ensure their efficacy. Our plans are then, in turn, regularly updated to reflect any changes made to the given system.
To further enhance our security posture, we have embraced the move towards a zero-trust architecture, to reduce the risks of access and identity becoming compromised. It is prudent amongst all of you as well – to understand who’s on your network, what’s on your network, and where they are on your network. We have implemented a vulnerability disclosure program to help us to identify any vulnerabilities and to help us close the gap between risk and mitigation.
To further help secure our networks, we continue to enhance the security of our platforms and applications resident within the cloud as well as those applications remaining on-premise. While leveraging cloud-based solutions has helped decrease our operating costs, the true benefit has come in the form of reducing our risk exposure. With our data stored in the cloud, we have increased our ability to access this data from a multitude of devices—a necessity for the State Department going forward. At the same time, we continue to reduce data storage at locations worldwide thereby reducing our exposure in high threat locations.
Perhaps most importantly, we are routinely collaborating with our partners, first and foremost, across U.S. government agencies, and also the private sector. We formally and informally exchange key knowledge and information on the ever-evolving cyber threat landscape.
We Pursue Emerging Technologies
I am proud to report that, the Department of State is now taking a very proactive approach to cybersecurity, including by constantly assessing emerging technologies. We are looking for potential tools that can help strengthen our cybersecurity posture and enable us to respond more effectively to cyber incidents.
We have to remain competitive in a rapidly changing digital environment. That is why we have been deeply engaged in exploring advanced predictive analytics, Artificial Intelligence and Machine Learning capabilities in service to diplomatic activities. We view A.I. as an opportunity that can create intelligent protection by giving us the ability to immediately identify and respond to threats, even tracing them back to their source.
It may interest you to know, we are exploring Context-Aware Behavioral Analytics, Next Generation Breach Detection, Virtual Dispersive Networking, and Active Defense Measures. We look forward to a time when A.I. can significantly mitigate risks for our department.
Our work on emerging technologies also goes beyond A.I. We continually assess new network capabilities such a 5G and low earth orbit satellites. We just released our new data strategy, focused on using our data more effectively to carry out our mission goals, as well as to identify cyber trends and threats more quickly.
As we work toward our IT modernization goals, we are actively looking for new cloud-based solutions and services. We want to enable our diplomats to perform their duties more effectively, but also more securely.
We Develop Talent
No matter how advanced our technologies, we must continue to develop our cyber hygiene and the cybersecurity practices of our workforce. Cybersecurity strategy and the tools and controls we use to implement that strategy are only as strong as the habits of our workforce—the talented diplomats who use the IT we manage.
We view user training and awareness as a key opportunity to help secure our networks. We recognize that no matter how many preventative measures are in place, all it takes is: one end user to let their guard down, one misconfigured device or implementation, or one missed software patch or update—and we put our entire network at risk.
The State Department actively promotes cybersecurity awareness and cyber tips, each and every day. We have an enhanced insider threat program that is based on user behavior heuristics. We have clear channels of communication for our end users to contact information security practitioners. We recognize that end users are paramount to network protection.
Cybersecurity is clearly not possible without talented individuals to perform our duties. We therefore place a major emphasis on hiring talented professionals in the United States for our direct hire positions, as well as abroad for our foreign national positions.
We continuously assess our training offerings in order to keep our workforce ahead of the curve. In fact, this year we hosted a worldwide “Cyber Symposium” throughout the month of October to coincide with National Cybersecurity Awareness month. At this virtual symposium, our worldwide participants were given the opportunity to learn from cybersecurity subject matter experts on a wide range of topics.
We also recognize that we must recruit and retain talent through a competitive benefit package, including leveraging cybersecurity recruitment, incentive, and retention pay for cyber professionals.
Technology Diplomacy underwrites Cybersecurity
Technology diplomacy in cybersecurity—aimed specifically at building relationships—can help counter the spread of cybercriminals and malicious actors. In July of this year, Secretary of State Antony Blinken spoke at the National Security Commission on Artificial Intelligence’s “Global Emerging Technology Summit.” In his speech, the Secretary outlined six pillars that form a framework for ensuring that democracy and our way of life prevail in cyberspace.
One of the Secretary’s pillars is focused on promoting cooperation among our allies. It clarifies that we cannot go it alone on cybersecurity—we need partners. I echo that statement today. We need partners at home and abroad. We need to foster cooperation between the public and private sectors, if we hope to stay ahead in deterring and defeating cybersecurity threats.
As Secretary Blinken as made clear, technology should be used to benefit people, not to harm or suppress them. To that end, the Department of State has issued guidance on due diligence for voluntary surveillance. American companies can use this guidance to determine if the products they sell to foreign governments could be inadvertently used to violate human rights.
Let me end on an optimistic note. We know that technology can be abused for nefarious purposes, but we also know that its promise is truly unlimited. So long as we actively work together, I am confident we can harness technology to build a better world—one where freedom and democracy prevail.