CIA Director on Cybersecurity
International Conference on Cyber Security
Earlier this summer, Director of the Central Intelligence Agency John Brennan,
Director of the National Security Agency (NSA) and Commander of US Cyber
Command General Keith Alexander, and Director of the Federal Bureau of
Investigation (FBI) Robert Mueller participated in a panel discussion on
cyber issues at the fourth International Conference on Cyber Security (ICCS)
at Fordham University. Speaking to about 400 people from law enforcement
agencies, academic institutions, and private universities, the three leaders
discussed the growing need for greater federal government and private industry
interconnectedness to manage cyber threats.
Sponsored by the FBI and Fordham University, ICCS is a three-day conference
held every 18 months that brings together speakers from the government, private
sector, and academia to discuss their insights into cyber threat analysis,
operations, and law enforcement.
To view DCIA Brennan’s remarks please see the video below, a transcript
is also available.
Remarks as Delivered by Central Intelligence Agency Director John O. Brennan
at the International Conference on Cyber Security at Fordham University
8 August 2013
Thank you very much, Father McShane, and thank you all for being here today.
It really is an honor and a privilege to be back here at Fordham. I feel
as though I am at home. And I want to thank the people who put on this conference
this week. And having Fordham and FBI join together on such an important
national security issue is really testament to the commitment of that partnership
between Fordham University and the national security establishment.
I also want to point out, as I am CIA Director—this is my first time
back to Fordham as CIA Director—I thought I would share a little bit
of the secret with you. I know you were expecting it so I thought I would
get it out the way early. [Laughter] I am a graduate from Fordham Rose Hill
in 1977. In fact I am wearing my ram cufflink, and my Fordham tie. And you
may or may not know that [NSA Director] Keith Alexander went to West Point
and [FBI Director] Bob Mueller went to Princeton. What you don’t
know—the only reason why they went to West Point and Princeton is because
they couldn’t get into Fordham. [Laughter] But we won’t tease.
But it is a privilege to be here. And I am five months into the job as CIA
Director. As Father McShane said, up until March of this year I spent the
past four years at the White House, working on national security issues as
assistant to the President for homeland security and counterterrorism.
And one of the issues that was in my portfolio was cyber security. And it
was a very prominent one, and one that really did challenge me significantly
because of the complexity of the issue, but also because President Obama
feels so strongly about it.
And I can remember, fondly, the many times that we were in the White House
Situation Room where we convened meetings on cyber security. And I must tell
you that it was the meeting that was most overflowing. You had to have another
room because of all the representatives from throughout government. More
than any other issue, representatives from all the different departments
and agencies wanted to be part, needed to part of that discussion, because
cyber security affected all of those departments and agencies. And they all
had a role to play in it.
It just underscores, I think, the point that Keith was making earlier, about
the importance of this being a team sport.
Now, I have been at CIA for the past five months, as I noted, and now I have
to shift my responsibilities, because I am no longer part of the policymaking
world. I am part of the Intelligence Community. So I have been looking at,
with my experience down at the White House, as well as my intelligence
background, how the CIA is going to play in this area and how it has played
for many years, because it does play a critical role, along with NSA and
FBI and the other departments and agencies.
So what I thought I’d do today is just make a few points, before we
engage in some questions and answers. And so, four points that I’d like
to be able to underscore to you today.
First of all, increasingly, human transactions of all kinds are taking place
in the cyber environment. Unlike when I grew up, in the 70s and 80s, there
was very little that happened in the cyber domain. But now, when you think
about, from the social, financial, business, commercial, trade perspective,
that’s the new environment. That’s the neighborhood. That’s
the marketplace. That’s the business arena that we are increasingly
operating within. Vastly different than what we had done years ago.
So more and more of those human transactions that used to take place in the
physical domain are now migrating to the cyber domain. It has significant
implications for everything we do. And that’s one of the things that
we have to make sure that we’re mindful of. That migration from the
physical domain to the cyber domain.
And it’s not just Mrs. Alexander who is purchasing on a daily basis.
Now, that explosive growth has taken place over the last decade. And as has
been, I think, our experience, technological advances have far outpaced the
ability of the legal structures, of the government structures, of the rules,
and how you are going to operate there in a way that is agreeable to all.
That has not kept pace, by any means, with the technological advances.
The ability to interact on that worldwide web, to engage with others, while
our laws, our government structures, from the standpoint of a government,
the United States government—we have had those laws and those government
structures formed by the physical environment. We have not been able to adapt
to that cyber environment in a way that allows our laws and our
government’s frameworks to keep pace.
Also, the global web as we know does not respect sovereign boundaries. And
so therefore, the laws of cities, states, and nations—although they
do apply to the physical arena, and they are trying to be applied in the
cyber arena—really struggle because of the interconnectedness of the
world. And so it’s not just an American issue. It’s a global issue
in terms of how we are going to adapt our laws—domestic and
international—and how we are going to adapt our standards, and how we
are going to adapt our interactions into that cyber domain because more and
more things are going to be going into the cyber domain in the years ahead.
The second point is, because of that tremendous change that has gone on—the
migration to the cyber domain—all businesses have had to change their
way of doing business, because they have had to adapt to the new realities
of how people interact. And the intelligence business is no different.
Unlike when I joined the Agency in 1980, when we had to have that physical
interaction with people—had to go to all parts of the world to be able
to have access to that information, those people, those secrets. Now there
is this cyber environment that is very, very busy and very active from the
standpoint of all of these different activities, but also in terms of
It’s a new domain that those intelligence services, security services
and others, are operating within. CIA and others have had to change, then,
their tradecraft, their operating activity, because so much is happening
But remember, that legal framework, that governing structure, still has not
kept pace with the cyber environment. So the intelligence arena, which is
becoming much more evident in that cyber domain, is struggling now to keep
pace with the legal structures that I think are adapting, but slowly.
But in times past, as I said, there would have to be transcontinental travel,
in order to, what we refer to as “bump” somebody that you are
Now, there is so much interaction that is taking place in the cyber environment,
of all different stripes, and not just intelligence and security services,
but those businesses, those scam artists, those other individuals who can
now interact with people in many respects in an anonymous way, in ways that
you don’t know exactly whether or not they are who they say they are.
So across the board, these interactions are having to take into account the
new environment of cyber, and intelligence is doing that.
And so that’s why, working with partners, we’re trying to develop
and adapt because there are so many national security issues and threats
that are taking place in the cyber environment.
You can now surveil potential targets of a terrorist attack by just logging
on to the Web. You can find out how to construct an improvised explosive
device by logging on to the Web.
So in addition to cyber security as we talk about it from a technical standpoint,
wanting to make sure that our information is held safe—and for me and
my business I have to make sure that it is—what is now available on
the Web really, just by dint of the content itself, poses a threat to our
security. So this is where intelligence agencies like CIA really need to
take into account so much that is happening out there in ways that never
existed 33 years ago when I started at CIA.
So third, in this increasingly busy environment, that environment really
is in desperate need of an appreciation as well as the ability to address
those security vulnerabilities that exist. And it’s not just in terms
of the government and the intelligence agencies that are trying to protect
its data, its databases, and its networks. Businesses. Trade associations.
Universities. Medical facilities.
Different types of organizations that now retain their information, retain
their knowledge, their expertise, in the cyber environment, are part of this
environment that has not yet been able to develop all of those capabilities
that are going to protect it the way you might protect a building. By putting
locks on the doors. By having a security perimeter that protects you from
some type of car bomb or truck bomb.
So how do you protect yourself in that cyber environment? And, of course,
for CIA and the other intelligence agencies, we really need to have confidence
in trusted systems, trusted data, and trusted people. You cannot just look
at one aspect of it. Because the people who are able to access this environment
and play in it have a capability then to do things for good, or to do things
And so I think we really need to be able to look at it holistically—not
just from the technical side, but also on the people and the insider-threat
side, as well as what can individuals do, even with a limited amount of technical
And the fourth point, and this is what Keith alluded to, is a fresh look
at the role of government on cyber security. And a fresh look at the
role—or the relationship—between the private sector and government.
In the Worldwide Web, as Keith was noting, this critical infrastructure—85
percent of it—is held by the private sector. This is a privately owned
and operated environment where we’re still not certain about what those
rules are. But then, what’s the role of government in that arena? We
know what it is in the physical environment—that within borders, whether
states or cities or countries.
But what is the role of individual governments? How should they exercise
what we believe is their responsibility to ensure the reliability, the integrity,
the resilience of these systems that we rely on on a daily basis?
What is the appropriate relationship between private-sector companies that
are really responsible for the development of that cyber environment, and
the government? How should that relationship evolve? What should be the role
of the American people in engaging in that debate and helping to define that
role for government and private-sector/public-sector interaction?
So, final thoughts. CIA has the responsibility, with others, to make sure
that we do everything possible to identify the threats to our national security,
to American men and women, and to our national interests worldwide.
And increasingly so, we’re having to dedicate resources to be able to
identify those threats that exist in the cyber environment, the
capabilities—the developing capabilities—of countries. Someone
who has, you know, DDoS [distributed denial-of-service] capabilities, whether
it’s a state, an organization, a person.
What does that DDoS capability today mean in terms of taking down that publically
facing website? What does it mean as far as their continued or increasing
sophistication of applying those DDoS capabilities against these websites,
and how then is this going to migrate to something that’s much more
difficult for us as a government to prevent, or protect against?
What are the developments in the malware area that really could be devastating
in terms of taking down critical infrastructure that would put many
people’s lives at great risk? What are those threats that are emerging
that we need to be able to work together—and this is where CIA’s
role is critically important.
I cannot emphasize enough Keith’s comment about a team sport, because
it’s not just a team of the US Government, its departments and agencies.
It really is the relationship and engagement with academic institutions like
Fordham. With private-sector companies that have a responsibility for the
security of that cyber environment. With those businesses that rely on that
security in that cyber domain.
And finally, although I was a political science major, and it was also the
great teaching of Professor John Entelis, who did—I give him both credit
and blame for what I’ve done over the past 33 years [laughter]—I
do think I’m a frustrated architect and engineer. Because I like to
understand how things fit together.
And I must tell you that after the tragic attacks here in New York after
9/11, this counterterrorism community—the national counterterrorism
community—did some tremendous things as far as putting together a national
architecture where we were going to interoperate with one another, we were
going to share information so that we’re able to gain those synergies
and those efficiencies, as well as the capabilities that only come as a result
of being able to operate as a team.
I must tell you that it hurts my head to think about doing the same thing
for the cyber environment because of so many different nodes that are involved,
because of so many different complex aspects of this, because of that amorphous
cyber domain that again transcends boundaries and that don’t have the
legal structures and the government structures to support it.
So systems engineering in the future—in terms of how we’re going
to bring together the technological know-how that this country is famous
for, or the expertise that we have developed over the years, in terms of
those national security threats in the cyber environment—how we’re
going to bring together this country as a nation, and work with other nations
to protect what clearly is going to be the major lifeline of this country,
which is the cyber domain—that’s why I think conferences like this
are so critically important.
And I again want to again thank Father McShane. And I also want to say it
is a tremendous honor to be working over a number of years with Bob Mueller
and Keith Alexander—two outstanding patriots who have saved lives in
this country as well as abroad, in terms of what they have done. And both
of them have served many years in their current jobs, and the next time you
have this conference, they may not be here in that capacity. Hopefully, I
will be invited back. [Laughter]
But, as people know, the Director of FBI and the Director of NSA jobs are
very difficult and challenging ones, and, unfortunately, the people who often
find things that they think aren’t perfect, they don’t spend enough
time recognizing the tremendous work and dedication and commitment to this
country’s national security. And I think these two individuals really
embody that, and I just want to say how pleased I am. So thank you very much.
Posted: Sep 05, 2013 01:44 PM
Last Updated: Sep 05, 2013 02:21 PM