Remarks of David J. Redl
Assistant Secretary of Commerce for Communications and Information
State of the Net 2018
January 29, 2018
--As Prepared for Delivery--
Thank you. It’s great be here at State of the Net once again. I want to thank Tim Lordan for inviting me, and also offer him congratulations for the exciting program he’s put together for today. Two items on the agenda stand out for me, personally – the excellent cybersecurity panel featuring NTIA’s own Evelyn Remaley, and the discussion between Robert McDowell and my old boss, Chairman Walden.
For my time today, I’d like to lay out some of NTIA’s early international policy priorities in the new Administration. We plan to be aggressive in advocating for U.S. interests and values in our engagement across the globe, at ICANN, the International Telecommunication Union and other fora. I’ll also discuss the Department of Commerce’s cybersecurity work, including our efforts to improve the security of the Internet of Things and 5G networks, and the Administration’s plan to counter the threat of botnets.
The Internet has become what it is today in part because of a longstanding, bipartisan consensus around the principle of multi-stakeholder policymaking and standards development – the idea that all stakeholders should participate in open and transparent decision-making processes. We must continue to fight for this principle – for an Internet that is open, interoperable, and governed through collaboration between all stakeholders.
Right now, NTIA has two main priorities internationally. The first is the preservation of the WHOIS service, which has become one of NTIA’s most pressing issues related to ICANN over the last several months.
If you don’t know much about the WHOIS service, it is an incredibly valuable tool for governments, businesses, intellectual property rights holders, and individual Internet users around the world. Put simply, WHOIS is a service that provides easily accessible information about the entities that purchase and manage domain names.
This information is often the starting point for law enforcement agencies when investigating malicious online activity, and for private-sector and government actors seeking to protect critical systems from dangerous cyberattacks, which are growing more frequent all the time. I mentioned our work on botnets –we know that those on the front lines of botnet mitigation rely on WHOIS information to do their work effectively.
WHOIS information is also valuable for combatting infringement and misuse of intellectual property, and for savvy consumers looking to ensure that the website they’re visiting is legitimate. This is a simple service, but it’s a cornerstone of trust and accountability for the Internet.
Those of you who participate in ICANN know that WHOIS has been under constant review and the subject of debate for years. However, its essential character has not changed much since its inception in the early ’80s. This is for a good reason – its utility remains critically important to those who rely upon it.
Over the last few months, however, this service’s essential character has been threatened. In response to the European Union’s General Data Protection Regulation – or GDPR – ICANN initiated a process to assess how this rule could affect WHOIS, given that it includes limited personal information about individuals with registered domains.
Here are the facts: the text of the GDPR balances the interests of cybersecurity, law enforcement, and consumer protection, and many European officials have noted that limited changes to the WHOIS would be necessary to achieve GDPR compliance. Still, there are some who are trying to take advantage of the situation by arguing that we should erect barriers to the quickly and easily accessible WHOIS information. Some have even argued that the service must go dark, and become a relic of the Internet’s history.
Today, I would like be clear -- the WHOIS service can, and should, retain its essential character while complying with national privacy laws, including the GDPR. It is in the interests of all Internet stakeholders that it does. And for anyone here in the U.S. who may be persuaded by arguments calling for drastic change, please know that the U.S. government expects this information to continue to be made easily available through the WHOIS service.
Our second priority area is making preparations for the International Telecommunication Union’s treaty-making conference – the ITU Plenipotentiary – scheduled for October.
I believe the United States needs to press for changes to the ITU, including establishing effective membership oversight of the ITU’s finances. This is particularly important given that the United States is currently one of the two largest donors to the institution. We will also need to fight against the continued efforts to aggressively move the ITU beyond its limited mandate and into Internet-related and cybersecurity matters.
We need an ITU that can effectively and efficiently perform its vital functions in the area of radio communications, and one that fosters, rather than hinders, pro-competitive policies for telecommunications, particularly in developing countries.
As many if you know, the ITU has five elected positions: Director General, Deputy Director General, and the Directors of the three Bureaus of the ITU. I am pleased to reiterate NTIA’s strong support for the candidacy of Doreen Bogdan-Martin as Director of the ITU Telecommunication Development Bureau. The D-Sector as it is generally known is the part of the ITU that brings connectivity to parts of the world that have yet to realize the economic and societal benefits of the connectivity that many of us take for granted. Ms. Bogdan-Martin is a former NTIA official, a veteran of the ITU’s processes, and I am certain that Doreen would make an outstanding director of the D-sector.
Going forward, NTIA remains committed to working with the Internet community. In particular, there are four areas we think are especially important. The first is the free flow of information, second is the multi-stakeholder approach to Internet governance, third is privacy and security, and the fourth is emerging technology.
The free flow of information online is a bedrock American principle, and access to information and freedom of expression are basic human rights. Still, governments around the world are increasingly blocking access to websites and content, curtailing online freedoms, or even shutting down the Internet entirely.
In other cases, governments are imposing top-down, heavy-handed intergovernmental regulation of the Internet. In the past few years, we’ve seen court rulings that have forced American companies to remove information that would have been considered protected speech in the U.S. These sorts of restrictions threaten economic growth and the social and educational benefits of the Internet – and they must be opposed.
A second focus area is: How can NTIA continue to support and promote the multi-stakeholder approach to Internet governance? We’ll be asking stakeholders about ICANN. What, in addition to GDPR, should be NTIA’s priorities within the Governmental Advisory Committee? Are there any other Domain Name System-related activities NTIA should pursue?
We plan to continue our longstanding engagement in the Internet Governance Forum at the United Nations – the premier global forum of multi-stakeholder dialogue on cross-cutting Internet policy issues. But there is always room for improvement. We’re seeking input on the opportunities and challenges that the IGF faces, and how we can we raise national awareness about the IGF and its contributions to the Internet governance discussion globally. We want to know what we can do to help lower barriers to participation.
Third, we’ll ask for thoughts on how to leverage NTIA’s resources to better shore up cybersecurity and online privacy. I’ll speak more about the Commerce Department’s current cybersecurity work in a moment, but I hope this meeting is an opportunity for the community to weigh in on what we’re doing and to help us identify areas where the Department of Commerce could be even more impactful.
Finally, NTIA, as part of the Department of Commerce, always seeks input on the Department’s work on emerging technologies. Commerce has led the U.S. government when it comes to new and emerging technologies. But that leadership requires continued engagement from American industry, and from all of you. In order to ensure that American entrepreneurs are able to take risks and to find global markets for their digital products and services, we need to make sure that we’re charting the right path. On such issues as artificial intelligence, blockchain, and 5G, we’re looking for industry to help us make the right choices as a government.
As I noted, cybersecurity is a key priority for the Department of Commerce and this Administration. As many of you know, last May, the President issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Among other items, the Order sought to promote action against botnets and other automated, distributed threats. Botnet attacks can be extremely damaging, and they put the broader Internet and its users at risk.
The Departments of Commerce and Homeland Security were asked to identify actions that can be taken by stakeholders – recognizing that we cannot solve this through government regulation. Earlier this month, the Departments issued a draft report on enhancing resilience against botnets. We relied on an open and transparent process to generate the ideas in the report, and I want to thank those of you here who participated. The report outlines a positive vision for the future, as well as five complementary goals that would improve the resilience of the Internet. It also suggests supporting activities to be undertaken by both government and private sector actors.
Botnet attacks are a global problem – no single government or sector can solve it in isolation. Any solution will require the entire ecosystem acting in concert. But we aren’t starting from scratch. There are effective tools available today can mitigate these threats, but they are not widely used. Changing this will require more education and awareness, as well as an alignment of market incentives that will find a sweet spot between security and convenience.
Behind the scenes, there was a lot of collaboration between various government agencies as this report was being drafted. Combined with essential input from the private sector, we now know that there is a common understanding about what we need to do, and where we need to go to make this positive future a reality. If you haven’t already, I encourage you to read the report and provide us feedback – you can find the request for comments on our website. There will also be a workshop hosted by Department of Commerce next month at NIST’s National Cybersecurity Center of Excellence. Commerce will incorporate the comments we receive into the report before delivering the final version to the President in May.
In a parallel effort, Commerce has been working to foster a more secure Internet of Things environment. Late last year, stakeholders in one of NTIA’s open multi-stakeholder processes developed a series of documents on IoT security and patching. Some great products came out of that process, including a high-level specification of the components of an IoT security update, and suggestions for how manufacturers can communicate “patchability” to consumers. We will continue to engage with the IoT and security communities to promote the principles and ideas within those documents.
This year, Commerce will be working on software component transparency, with a particular eye toward the third-party components used in IoT devices. Most modern software is not written completely from scratch, but includes existing components, modules, and libraries from the open-source and commercial software world. Products are being developed quickly, and in a dynamic IT marketplace, it can be a challenge to track the use and security of these software components.
The growth of the Internet of Things makes this challenge all the more difficult. In addition to the increased number of devices, more traditional vendors are assuming the role of software developers to add “smart” features or connectivity to their existing products.
While the majority of libraries and components do not have known vulnerabilities, some do, and the sheer quantity of software means that products will ship with vulnerable or out-of-date components.
Transparency can be an important tool here. It can reward vendors that can demonstrate a secure development process, and help defenders understand how to respond and prioritize during an incident. After all, you can’t protect what you don’t know about.
Finally, with respect to 5G, last year the President made it clear that 5G network security is a critical element of our national security. With the proliferation of devices that the Internet of Things is bringing, security both in the device and in the network itself will be important to ensuring not only our national leadership in wireless, but also to ensuring access to a vital part of our national economy.
NTIA will continue to work with our colleagues across the Federal government to coordinate a national strategy on spectrum access and will work the private sector to ensure that the standards process for 5G wireless services continue to promote our national interest in security.
Today’s conference is a good opportunity to reflect on what issues matter to you most. Everyone here today has perspectives which can enrich NTIA’s policy agenda. So, throughout the day, I encourage you to consider what you want to share with us. We want to hear from you – we want to know what you think is important, and what we can do to help. Thank you for your time.