September 15, 2023
Below are USTelecom President & CEO Jonathan Spalter’s remarks delivered at the 1CyberWorld Conference on September 15, 2023:
A NEW MINDSET
Thank you, Glenn, for that intro and for the opportunity to join these conversations. It’s an important moment to talk about cybersecurity in the context of the work underway to connect communities across the country.
I’m here to talk about why and how against this backdrop we as a nation need to graduate to a fundamentally new mindset with regard to how our government partners with and approaches technology … leaving behind a mindset rooted in fear and articulated through regulatory fiat … and re-rooting in the modern-day reality of an interconnected planet driven by the tools and technology of broadband. It is time to arrive at a global understanding … with America in the lead…of a new approach…based in collaboration and partnership around unlocking shared possibilities and yes, managing, collective risk.
It’s the right moment to have these conversations and pivot to this new paradigm.
Last week, my organization…USTelecom…announced that U.S. broadband providers last year alone, invested $102.4 billion dollars in the nation’s digital infrastructure. This pushes the cumulative tally of our own skin in the game over $2 trillion dollars over the past 26 years.
…Add to that a $40 billion-plus federal commitment to help finish the job of connecting remote, rural areas that are otherwise too costly to serve.
…Add to that, federal assistance to help low-income families connect at home…alongside inflation-defying broadband pricing trends for all consumers. Over the last eight years, rent’s up 36%…grocery bills are up 30%…yet broadband prices for providers’ most popular tier of service are down 37%.
All of this puts us tantalizingly within reach of the long-sought-after U.S. goal of a truly connected nation.
It’s no exaggeration to say: this changes everything. Health care. Education. Jobs and other economic opportunities. And, we’re connecting not only to the internet as we know it today – which is pretty darn impressive – but the internet as it continues to rapidly evolve and grow – presenting whole new horizons of possibilities and significant new risks to manage.
…Which is why we’re all here together. This conference has a bounty of CIOs and CISOs and technology leaders from across the corporate sector – nationally, internationally. We have here technical experts who live and breathe – and believe me I know, SWEAT – the details of cybersecurity every day. My job in Washington is to help ensure these smart, experienced network engineers and other technical people and business leaders have the policy environment that allows them to do their jobs to the very best of their ability. The challenges before us demand nothing less.
A MORE COMPLEX CYBER THREAT LANDSCAPE
It’s been twelve years since the Department of Defense officially declared cyberspace a domain of warfare—joining air, land, sea and space. For much of that time, cybersecurity has been the dominion of a fairly elite circle of senior executives at technology and other Fortune 500 companies – top government officials working at the intersection of innovation and homeland security.
Today, with the connectivity of not only most every home and business – but also almost every device or tool with a plug or battery – cybersecurity is a main street, kitchen table issue. Just as we have Neighborhood Watch to fight physical crime. Just as we have ‘See Something, Say Something’ at our airports and subways to be vigilant against terrorism, so must cybersecurity be a part of our everyday, modern, connected lives.
We need look no further than the headlines for regular reminders of this ‘new normal’:
- Ransomware attacks continue to become more prevalent – holding companies’ technology and sensitive information hostage for a price. We saw the largest ransomware attack in history in July … emanating out of Russia and impacting 1,500 companies.
- We had the 2020 SolarWinds attack where malicious code piggybacked on a software update for a system relied on by thousands of companies and government entities.
- The latest story? Volt Typhoon, which is a sustained, state-sponsored effort by the Chinese government to infiltrate and destabilize our essential infrastructure. They do this through a practice called “living off the land,” which essentially hijacks a system’s own network administration tools to do its malicious work.
So, these are not merely pirates and profiteers. They are quite often highly sophisticated and well-financed entities – even governments – that seek the ability to do our nation harm.
The bad guys don’t face rules. They don’t need permission to change and evolve their tactics. And, the pace and complexity of the challenge before us make it incumbent on the good guys – all of us – to, as Steve Jobs so elegantly put it, “think different.” Not to cede our core values. But to step up our game by finding ever more effective ways to work together – individuals and businesses, governments and the private sector, in the U.S. and around the world.
DRIVERS OF RISK ACCELERATION
Working effectively together is growing more important for several reasons:
Reason #1: The increasing sophistication of cyber threats. Cyber attackers are constantly switching up their techniques and tools, making it more difficult for individual organizations to protect themselves. By working together, we can share information about threats and vulnerabilities in a trusted environment and develop more effective defenses.
Reason #2: The interconnectedness of critical infrastructure. Our financial systems, energy and transportation infrastructure, fiber and wireless networks are all connected. This is what’s driving so many of the opportunities and progress, but it’s also making us more vulnerable to cascading failures. As we’ve seen, cyberattacks on one system can and often do impact others, causing widespread disruption. Our response must be interconnected, as well.
Reason #3: Global scale. We all learned this lesson during the pandemic when circumstances halfway around the world impacted the supply chain here at home. Cybersecurity is not just a national security issue but a global security issue, which requires ever stronger alliances to protect everyone.
And, Reason #4, likely the reason that will define this next chapter of technology’s progress – the intense compression of innovation cycles driven in large part by generative AI. The opening of this particular Pandora’s box introduces an entirely new level of urgency due to the dramatically accelerated pace of generational advancements in the network space. In the wireless arena, as a comparison, it has taken decades to advance through each generation of service – 1G to 2G, 3G to 4G to 5G and beyond. Across all areas of innovation, AI generative capabilities are now being measured in years, and offensive and defensive AI-based cybersecurity applications are now being measured in months and even weeks.
REGULATION V. COLLABORATION
The question that’s raced to the heart of many cybersecurity policy discussions is how do we adapt? It’s a pressing challenge – and one where the old way of doing things – the old methods of protecting our people and our economy – don’t naturally graft onto today’s more complex and rapidly evolving threat matrix.
Fortunately, a model has taken shape in recent years for thinking wisely, cogently and effectively in shaping rules of the road when it comes to cybersecurity. It is one built on the shared conviction that a strong partnership between industry and government – one rooted in continuous collaboration, the trusted exchange of information and best practices, and where all parties are working shoulder to shoulder as committed allies – is a far more effective path forward than rigid regulatory mandates that move slowly and evolve rarely.
If our collective aim is to create a practical, appropriate environment for outcomes that serve public interests, then we can and must evolve to embrace different avenues and different paradigms as we adapt – just like Darwin’s early vertebrates – to a fundamentally changed environment.
Fortunately, this has been widely understood by all stakeholders for years. The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security – known as CISA – calls partnership and collaboration – quote – “the foundation and lifeblood of their work”…producing “a team environment where two-way information sharing of critical threat information, risk mitigation, and other vital information and resources is quick, seamless and actionable.” Their website goes on to note – again, their words not mine, although I heartily agree – “partnerships between the public and private sectors that foster trust and effective coordination are essential to maintaining critical infrastructure security and resilience.”
Yet amid mounting attacks from foreign enemies and criminal enterprises…and the dramatic acceleration of generative AI…we are now seeing new questions – from within government – reactivating what should be a closed debate: Do we continue to build on the partnership construct between industry and government or do rising risks require a more rigid regulatory regime?
In that answer, I believe, lies our collective victory or defeat.
And, to be clear, these are not individuals in government who have changed their point of view. These are competing camps within government itself. On the one side, we have the partners we have worked with, side by side, around the clock, for years – in the intelligence community…in commerce…in communications and technology. We have statements affirming the importance of partnership. Then we have the increasingly frequent ‘buzzing of the tower.’
For example, in the early days of the Ukraine conflict, the White House – with the very best of intentions – they were concerned about potential cyber attacks here at home in retaliation for U.S. leadership in opposing Russian aggression – wrote a letter to all 50 state governors. Among the many very reasonable and constructive suggestions included in that letter, was a suggestion that they consider imposing their own state cybersecurity standards on critical infrastructure.
Now, we agree in part that regulations may be necessary in establishing basic hygiene, but we have to be explicit that our bias needs to be toward cooperation before regulation.
It’s an old trope to say government doesn’t keep pace with technological change. This is changing in part because government is becoming populated with individuals who have experience in tech and in engineering. This is hugely positive for the nation’s cyber-defense, but it reinforces rather than alters the fundamental reality that over-regulation is not the logical response to what we’re seeing come online. Indeed, pressing undo on the partnership model and recovering the old command-and-control version of the government/industry dynamic could be the equivalent of unilateral disarmament in the cyber arena.
CASE STUDY: ROUTING
The current policy debate around internet routing security illustrates this tension. We have a known challenge that needs to be addressed in the global routing system known as Border Gateway Protocol. This is the system that helps move online traffic – from Barbie dance TikToks to emails containing sensitive information – around the world. In recent years, foreign actors have been able to exploit this vulnerability, in one example, rerouting traffic sent to and from Google, Facebook, Apple and Microsoft through a Russian ISP…and doing something similar with financial institutions, including MasterCard and Visa.
Last year, the FCC opened a formal inquiry into the issue. This can often be an opening salvo to a rulemaking process, rules that would target one corner of the internet – and one alone – broadband service providers.
This year, the White House released its own plan – coordinated across the entire government. That plan emphasizes close partnership across government, the private sector, civil society, international partners and Congress. The collaborative effort is being led by the White House Office of the National Cybersecurity Director, with seven contributing federal entities across intelligence, justice and commerce, including the FCC. USTelecom and other technology leaders are working vigorously alongside them toward our strong and shared mutual interest in success.
The FCC was right to tag this as an important issue, and the “whole of government” response is an encouraging development to ensure we address it as one country … one government … and do so shoulder to shoulder with the industry experts who are critical to this work.
DEEPENING THE PARTNERSHIP
Without question, we should continually be looking for ways to deepen our partnership.
We need to broaden the scope of informed parties in the critical infrastructure space. This means security clearances for more front-line network engineers and other operational practitioners who are best positioned to act rapidly against known threats.
This means more work together like what we see through the establishment in 2021 of the Joint Cyber Defense Collaborative – the JCDC – which includes government and industry partners, including USTelecom’s largest members, AT&T, Lumen and Verizon – working together with CISA.
It means the private sector needs to continue to step up as committed partners. My organization and our members do this in a number of ways:
- First and foremost, by being ‘all in’ on this partnership – This is a massive commitment of time and capital working with government, investing in secure infrastructure and working across business sectors and the interconnected multi-verse of companies that comprise the internet. It’s a commitment our industry abides by and invests in.
- Next, by thinking globally: Last year, we formed the International Communications CISO Council, to create a forum where chief information security officers representing global ISPs can come together to address threats to our borderless digital ecosystem.
- Also, by acting locally: We recently released our cyberculture report, sharing best practices and strategies for small- and medium-sized businesses. Encouragingly, the top determinant of success wasn’t how much money a company threw at the problem; it was how informed and empowered individuals felt throughout the company – whether or not they knew who to reach out to and what to do in the event of a cybersecurity red flag.
- For many years, we’ve chaired the Comms Sector Coordinating Council and the Information, Communications and Technology Supply Chain Risk Management Task Force – both vital partnerships managed through the Department of Homeland Security. We are deep in the acronym soup. There’s no place we’d rather be when it comes to cybersecurity.
- We need to have accountability across all major sectors of the economy and government when it comes to basic cybersecurity hygiene. For many organizations with critical missions, like communications and financial services, it is now table stakes to have real-time monitoring of networks, systems, and applications, and to deploy advanced firewalls, intrusion detection and prevention systems, network segmentation, and secure gateways. The adoption of a zero-trust approach, where every user, device, and network component is treated as potentially untrusted along with implementing multi-factor authentication, privileged access management, and granular access controls to limit unauthorized access is rapidly evolving as a standard of care. And these are just a subset of the emerging best practices.
So, there’s a lot of work to be done – and enemies that never sleep. HOW we do our work together in no small part will determine our success. As we step up our game, it’s important we remind ourselves why we fight. We do so to keep our nation and a connected world secure. And, we do so to ensure we can continue to make progress in unlocking the full potential of broadband to improve our lives and our world.
My take on AI? We can and should be wary and vigilant and develop appropriate guardrails. But, as a technology, we shouldn’t fear it any more than we fear “the internet.” We should focus our concern on the risks posed by what breakthrough technologies can do in the hands of bad actors.
And we do that by putting our collective heads together – from all our partner vantage points.
Sun Tzu said: “If you know the enemy and know yourself you need not fear the results of a hundred battles.” I believe there’s truth in that.
I also find wisdom in the words of a far more modern philosopher who once said: “Fearless is having fears but jumping anyway.” …Taylor Swift.
Fearless is not the absence of fear. It’s the ability to move forward – smartly, effectively, collaboratively and to the broadest possible benefit – despite risks. We need to be fearless in pursuit of all that innovation promises. We need to be relentless in our efforts to ensure the promise and power of broadband can reach every part of our nation efficiently, quickly and affordably. And, together, we need to be fierce in defense of the cybersecurity partnership that will make it possible. Thank you.