On Tuesday, June 17, 2014, Kathy Warden, Corporate Vice President and President of Northrop Grumman Information Systems, addressed the Government Communications Headquarters (GCHQ) Communications-Electronics Security Group (CESG)'s Information Assurance 2014 (IA14) event in London. Below are her remarks.
Combating the Cyber Threat Requires Partnerships
Thank you for having me here today, and thank you to GCHQ for sponsoring this very important conference.
Every one of us at this conference knows that cybersecurity is not just about networks. True cybersecurity requires relentless monitoring and defense of networks, data, hardware, software and most importantly, people. This is becoming more urgent as attacker capabilities are growing in sophistication and are expanding with the explosion of data that is digitally shared. According to a new study released last week by the Center for Strategic Studies, the costs of cybercrime to the global economy range between 220 and 330 billion pounds per year. These costs are likely to continue to increase as more business is done online.
Technology and the explosion of data are driving the future of big data and secure mobility challenges. Here is one example: By 2030, the memory chip on a digital camera will likely hold the storage capacity of 20,000 human brains. Connect that projection with the proliferation of mobile communication devices, with social media connections, and the transmitting of terabytes of data into shared networks. Imagine what attackers could do in that environment to hide in plain sight, and the challenges defenders have against that level of capability.
In addition to the expansion of attacker capabilities, the intermingling of our cyber infrastructures – across industries, and also across sovereign borders – necessitates robust partnerships to provide a collective defense against the increasing volume and expanding severity of attacks.
While much change is needed to secure cyberspace, no one government or company can effect change alone – it is the product of a diverse set of people and organizations, ideas and solutions coming together.
So today I am going to discuss the importance of developing partnerships, across academia, industry and governments, to provide collective defense. Then I will discuss the importance of cybersecurity education and training to develop the diverse talent needed for our mission. I will close with some specific thoughts on how uniquely positioned the UK is to play a leadership role in securing the global commons of cyberspace.
The importance of establishing diverse partnerships, ones that access innovation from all quarters, cannot be overstated. Effective partnerships across academia, industry and government are necessary to stay at the forefront of today’s technology, to stay at the forefront of the latest methods of defending ourselves and to stay at the forefront of ensuring the freedoms that we all enjoy in the digital domain.
Academic partnerships provide the opportunity to access and co-develop education, research and make investments in support of tomorrow’s cyber defenders. Cybersecurity isn’t just about computer science; it is about mathematics, engineering, law, policy, and many other disciplines that are inextricably linked to operating and defending cyberspace.
The public sector must continue to invest in strategic research in the world’s academic institutions, to incentivize and create the innovations that market-driven forces might overlook. Too often market-driven investments, while geared toward innovation, can be shortsighted and just solve near-term problems as opposed to the benefits that more strategic research can provide. This is an essential role for public investments and must be maintained, even in today’s fiscal austerity.
The private sector must also partner with academia to accelerate the pace at which its innovations enter operational environments and the commercial marketplace. One way we at Northrop Grumman are doing this is through our company-funded Cybersecurity Research Consortium. It is an industry and academia partnership involving multiple academic institutions and organizations across our company. It was established to advance research and accelerate transition of next-generation solutions to counter the complex and growing cyber threats facing our economic and global security. This collaboration has created some exciting breakthroughs in machine learning, predictive analytics, secure mobility and advanced threat detection, among many others.
We are looking to expand these academic research relationships – and are in talks to do so with universities here in the UK, bearing in mind the Government has established 11 centers of excellence in cyber security research across UK universities. Through these efforts between academia and the public and private sectors, we can continue to achieve the rapid pace of innovation necessary to combat cyber threats today and in the future.
Partnerships among corporations are also necessary. Partnerships within industry open the door to establishing collective defenses and facilitating information sharing, as well as to creating a venue to appreciate and understand the liabilities that industries are faced with in today’s regulatory environments.
For that reason, large companies must partner with small- and medium-sized enterprises to integrate and combine the latest innovations, approaches, techniques and people necessary to defeat the latest threats. Forming partnerships with SMEs increases the diversity of the technologies and approaches in our solutions. We can combine the depth and breadth of experience of large providers, with niche technologies and capabilities, often in different areas, to create a sum-is-greater-than-its-parts solution.
We have had notable success partnering with SMEs. Just one such example here in the UK is with Phoenix IT Group, as was noted last evening in Minister Maude’s comments. Through investment and collaboration, we continue to work with Phoenix today, supporting the national automated fingerprint identification system (NAFIS) to policing agencies across England, Wales, Scotland and Northern Ireland.
Large companies must also partner with each other to create solutions and to fight cyber threats. This is an opportunity as well as a fundamental responsibility of the leaders of industry. While corporations have an obligation to maximize value to their shareholders by outperforming their competitors, we also have a corporate responsibility to work with our competitors to defeat cyber threats: because the attackers are coming at all of us.
We need to share information on incoming and ongoing attacks so we all can boost our collective defenses. We have been doing this for the last several years in a pilot program in the U.S. for the defense industrial base with good success. At first, from a corporate level, it seems daunting to share information about potential network attacks with competitors. The benefit of industry working together, however, is greater than the risks.
This is also an area where large companies, with considerable experience in cybersecurity, can help other companies – often SMEs – to shore up their defenses and tune their approaches to better prevent attacks. Working together raises the bar for attackers and improves our collective posture to defend and prevent attacks.
Government partnerships also play a crucial role through information exchange and creating strategic alliances to preserve our freedoms in cyberspace. Even as industry works together to marshal its collective defenses, governments must ultimately bring attackers to justice. This is often very difficult to do as the attackers have many places to hide in the shadows of cyber space. However, governments can provide industry with information to more proactively defend themselves. And industry can provide government with better information on the attackers and attack vectors.
The laws and regulations governing this type of cyber information exchange need to reduce the barriers for companies to share with the government, and among themselves, while also limiting the liability in doing so. Corporations must work with international governments to collectively craft these regulations and policies to facilitate information exchange.
In addition, particularly for global corporations, we need to be able to normalize business practices across the many countries where we do business, and this can only be done by working together.
Ultimately, while cyberspace is largely owned by private entities, the cooperation and partnerships across these private entities and governments are necessary to ensure our freedoms in cyberspace now and in the future.
Now I would like to talk a little about the importance of cyber education and workforce training. To put the workforce challenge into perspective, in 2013 alone there was a need for nearly 330,000 additional security professionals worldwide. The demand for cybersecurity professionals has grown 12 times faster than all other jobs since 2009. There are simply not enough qualified cyber professionals to fill these positions worldwide.
The foundation of innovation is human capital. Innovators – scientists, engineers, mathematicians and technicians of every type and discipline – are needed. Our high technology industrial base is, and always has been, much more about people and innovation than about facilities and production rates. The industrial base relies on the constant influx of technical and management talent to drive the innovation that creates our technological superiority.
The so-called "STEM" disciplines – science, technology, engineering and mathematics – are the primary, although not sole, drivers of the needed human capital. There must be a strong supply of this talent aligned with the demand for the specific capabilities to support our research programs in industry, government and academia. The supply of that talent is at considerable risk. Business needs to be an active partner with the educational system to turn the tide.
We have been engaged with academia, government, not-for-profit organizations, public-private partnerships and industry to address the talent challenge. Emphasis has been on secondary school and university levels, although we do have cyber education and outreach activities at the elementary and middle school levels as well.
Since 2009 we have been the presenting sponsor of a National Youth Cyber Education Program created to inspire students toward careers in cybersecurity or other STEM disciplines critical to our nations’ futures. This high school cyber competition has reached over 250,000 young people over these past five years. We are particularly pleased to announce just this week that we have come to an agreement with Cyber Security Challenge UK to bring this innovative secondary school STEM approach to students here in the UK.
For university and graduate research studies, we founded the Northrop Grumman Cyber Research Consortium, as I mentioned earlier. And we also provide direct investments to top engineering and technology schools to establish cyber-focused curricula and scholarships encouraging study in that area.
For professional education we operate the Northrop Grumman Cyber Academy, which offers education and training to increase the level of both foundational and specialized knowledge in cybersecurity and cyber warfare for our employees and customers. Through our cyber academy, we have provided training and SANS courses to government organizations here and in Europe. We have recently expanded this training here in the UK.
Innovation and talent across academic organizations can then be incubated into very small companies. For example, in partnership with a U.S. university, we have the "Cync Program," a cyber incubator. This partnership builds on University of Maryland Baltimore County’s successful business-incubation framework by offering a "scholarship program" for companies with the most promising cybersecurity ideas. I understand that GCHQ will later today highlight a similar cyber hive in Bristol, as a prime example of what governments and industries can do to encourage growth in support of improving cybersecurity.
These examples I’ve listed are indicative of the diverse efforts we are sponsoring across all areas of education, training and attracting new innovators into cybersecurity to ensure we have the right people available to defend the cyber space of tomorrow.
I encourage all industry representatives to contribute to this very important cause.
Through our global interactions we have seen that the UK especially has great demand, and great promise, for figuring out how many nations can work together to provide collective defenses against cyber attacks. And the UK is in a unique position to lead the way.
Specifically, the UK is in a unique position of leadership in establishing intergovernmental and public-private partnerships. Europe is an especially diverse area of the world with so many cultures, experiences and unique perspectives. In addition, it is one of the largest users of the Internet and relies heavily on secure networks.
To defeat attackers requires cooperation across the many sovereign borders. Most attacks today cross these boundaries. These can occur directly or through “proxy attacks.” The lack of attribution in many cyber attacks yields ambiguity as to what body of law would govern a response to thwart an attack, but as you heard last night the UK is leading the way with governing laws. Governments and industries must work together to shine light on the shadows of the Internet where attackers hide and bring them to justice in the appropriate sovereign jurisdictions.
But this is hard. Balancing privacy concerns, civil liberties, military priorities and other issues requires significant coordination and cooperation across government and industry. The UK government, with its prominent role and reputation in the European community, is positioned to continue its leadership of these discussions. The citizens of cyberspace are looking for your continued engagement and perseverance in ensuring that all of our allies and partner nations can and will cooperate in the face of significant cyber threats to our industries and critical infrastructure.
The UK and its industries are also poised to serve as leaders in establishing meaningful partnerships to help provide collective security in cyberspace. In this cyber fight we need to ensure that meaningful and effective partnerships are established across academia, industry and government entities. We ALL have a role to play and those roles must all play together.
We need to invest in the education and training necessary to create the innovators of tomorrow. All of this technology comes ultimately from people. And if we aren’t adequately educating the next generations of innovators, we will all lose in the end.
To close out the points made here today: those in this room understand the challenges to securing our information commons. Despite the daunting nature of the task before us, we have every reason to believe that we will be successful defending against the cyber threat through resilient networks, improved malware detection and, frankly, through global collaboration.
The UK is in a strong position to maintain its leadership role in creating the partnerships across sovereign borders, in the halls of government and within the board rooms of corporations, to create an environment of collective security in cyberspace for the future. With the right partners, large and small, together we can fulfill our responsibility to ensure a more connected and more secure world.
I leave you with this: Our greatest opportunity and challenge is not in man or machine. It is when the will of man – good or evil – is enabled by increasing computing power.