Remarks: National Cyber Director Coker at Foundation for the Defense of Democracies
Washington D.C.
January 7, 2025
Remarks as Prepared for Delivery
Thank you, Mark, for the introduction, for your leadership and partnership in making our country more cyber secure – and lest we forget, for your 32 years of service in the U.S. Navy where you made our country even more secure. Thanks, Shipmate.
Thanks to the Foundation for the Defense of Democracies for hosting this event, and for the counsel you’ve provided for decades.
And thanks to everyone in this distinguished audience – in the room and online – for your contributions to the field. Delightful to see our good friends here. Happy New Year! And Happy Birthday, ONCD – we turned four last week.
To members of the Office of the National Cyber Director team present and past – THANK YOU. I’m so proud of what we’ve accomplished together. Today I get to talk about what our young office has created, thanks to your dedication, thoughtfulness and perseverance. Thank you.
Let me say at the outset that ONCD stands on the shoulders of giants…
The cyber leaders from the Clinton, Bush, Obama and first Trump administrations. They worked to bring stakeholders together, increase information sharing across all levels of government and the private sector, and build out cyber capabilities, both defensive and offensive.
Those on the Cyberspace Solarium Commission and our partners in Congress who identified gaps in Federal coordination, and laid out how to organize and pursue a whole-of-nation approach to cybersecurity. We are here today thanks to their wisdom, vision, and ongoing support.
And I, personally, am proud to continue the work of the inaugural cyber director, The Honorable Chris Inglis, who famously started ONCD as an “Army of one”—or as he might say “an Air Force of one.” His tremendous foresight continues to serve us and this nation well.
Kemba Walden, who was instrumental in drafting and implementing the National Cybersecurity Strategy.
And the other former acting NCD, my dear friend and colleague Drenan Dudley, who provided vital guidance to interagency partners, helping them think through the budgets they needed to deliver on their cyber missions.
After decades of rapid growth, it’s worth taking a moment to consider how important the cyber world has become to virtually every American – especially with all the digital advances in how we live and work just since the pandemic.
We’ve been saying so for a while, but now it’s clearly true: the online world is an absolute necessity of daily life.
Just as fire has been throughout human history.
Fire provides warmth, power, and light, which have enabled the rise of civilization. But uncontrolled fires have caused terrible harm. Likewise, the march of digital innovation, for all the good it has done, has created vulnerabilities and harms of its own.
When we consider how to tame fire, it’s tempting to focus only on building the greatest team of firefighters – brave people ready to react to the latest conflagration.
But that’s not enough. We also need to prevent fires. That requires building codes – rules for how buildings are designed and constructed, so that they protect their occupants and they’re resilient when fires do flare up. Prevention also requires implementation – building codes are only valuable when they’re adhered to.
So we set out to proactively establish and implement tough cyber “building codes.” But first, there were some fires to fight.
As this team came into office, the SolarWinds hack had given Russia broad access to a swath of American organizations, including Federal systems.
President Biden declared that the Federal Government needed to lead by example, and he issued Executive Order 14028.
As a result, we’ve been moving our systems toward more resilient zero-trust architectures, taken more steps to make our software supply chain more secure, and unified our approaches across civilian and national security systems, drawing best practices from both sides.
Then as we responded to SolarWinds, Colonial Pipeline was hit by a ransomware attack in May 2021. People trying to get gas in Virginia and North Carolina were most impacted, but it showed all Americans how a cyberattack could stop them from getting to work and school, and heating their homes.
Here we have a company that’s part of our Nation’s critical infrastructure. Privately owned, as much of our critical infrastructure is. And definitely not the only vulnerable operator out there.
We needed a new way to incentivize baseline cybersecurity strategy. Those standards that we needed to apply were stronger building codes, if you will. A voluntary-only approach was clearly not sufficient to meet the growing threat.
So TSA created a sensible regulatory mandate for stronger cybersecurity and incident reporting for pipelines. They worked with the industry to provide flexibility in achieving these goals, with a focus on performance, not paperwork.
And their interagency partners expanded that effort by creating cross-sector cybersecurity performance goals that apply to every industry.
These actions were critical and far-sighted, but still reactive, still incident-driven – the way cybersecurity had always been done. Reacting, however, will never get us where we need to be.
That’s why this Administration moved quickly to a proactive approach, one that takes the initiative from our adversaries by adopting a strategy – not based on any single threat, but on securing the very foundations of the digital world.
This is also where ONCD comes into the picture.
As a brief aside, the path to creating this organization was winding, wasn’t it, Mark? The Solarium report launched on March 11, 2020, just as the world was shutting down for the pandemic. The authorizing legislation squeaked through as one of the last acts of the 116th Congress. But we’re all glad it worked out!
Chris Inglis came aboard in summer 2021, got funding by fall, and staffed up over the winter – building out a great team one professional at a time.
From day one, by law and by leadership, this organization set a course focused on collaboration—building relationships across the interagency; with state, local, Tribal, and territorial partners; with the private sector, civil society, and academia; and all of our allies abroad.
The perspectives of these partners were front of mind as the team collaboratively developed the National Cybersecurity Strategy, which was published in March 2023.
The drafters realized that without a clear, affirmative vision, the focus would be entirely on incident response—putting out fires as quickly as possible. That’s a losing proposition. We had to get to the foundation. To the code – the building code, and in some cases, actual lines of code!
So our approach started by laying out an affirmative vision for cyberspace, recognizing that cybersecurity enables literally everything in our increasingly digital world.
It laid out two foundational and fundamental shifts that were needed to make the vision real:
First, rebalancing the responsibility to defend cyberspace toward the most capable organizations.
And second, incentivizing long-term investments in cybersecurity and resilience.
With the full implementation of these shifts, we can get all the cities in our digital world “up to code” and keep them there.
While everyone has a role to play in this work, it’s on the Federal government and the key technology companies to lead. And we’ve acted on that responsibility:
We’ve elevated ransomware as a national security issue, standing up a new cybersecurity section at the Department of Justice and the Counter Ransomware Initiative launched by the National Security Council, which dozens of countries have joined. International cooperation was key to operations like the takedown of the Hive ransomware group.
And under the Cybersecurity and Infrastructure Security Agency, or CISA’s pre-ransomware notification initiative started in 2023, we’ve provided over 3,300 specific warnings to organizations like school districts and hospitals, alerting them to potential ransomware activity impacting their networks – and helping them to prevent oncoming attacks.
Next, cybersecurity intelligence sharing has reached new heights over the last few years. You’ve seen this in the run up to Russia’s unprovoked invasion of Ukraine, and around the dangers posed by People’s Republic of China military units prepositioning themselves on our critical infrastructure. We are continuing to improve on getting actionable information out to cyber defenders on the front lines in the Federal government and outside it.
And we’re active on emerging threats – like the potential of a cryptographically-relevant quantum computer to disrupt how we securely move sensitive information on the Internet.
Here, the Federal government is leading the way on assessing risks and prioritizing the deployment of quantum-resistant cryptographic algorithms.
On the private sector side, we have also driven progress:
More than 260 tech companies, and counting, have joined the CISA’s Secure by Design pledge – a commitment to adopt elements of a “model building code,” if you will, to reduce software vulnerabilities before they reach the market.
Industry partnerships, like the National Security Agency’s Cybersecurity Collaboration Center and CISA’s Joint Cyber Defense Collaborative, empower cybersecurity companies to better protect their customers, and were key to the ransomware work I just mentioned.
These are some of the team’s accomplishments. And they are primarily a credit to our partners in government and in the private sector.
How does ONCD help? We coordinate cybersecurity strategy, policy and implementation.
We’ve covered the Strategy – now let’s look at policy and implementation.
It starts with collaboration and listening.
Consider the 100 key initiatives in the National Cybersecurity Strategy Implementation Plan, designed collaboratively with the two dozen agency partners that lead them—including agencies that manage risks for each part of the economy, from agriculture to energy to telecommunications.
It means transparency: we listen to partners and the public, and we publish detailed reports for stakeholders to review.
It means accountability: our Report on the Cybersecurity Posture of the United States gives a clear accounting of how we perform against the goals and deadlines that are listed in the National Cybersecurity implementation plan.
And it means advocating for resources: They say “strategy without funding is just rhetoric.” So from its first days, ONCD has partnered with the Office of Management and Budget to set cyber funding priorities for each agency.
All of our collaborative work coordinating strategy, policy, and implementation reflects our commitment to coherence – to ensuring that agencies’ cyber actions are unified.
ONCD advances government-wide coherence by driving a virtuous cycle where strategy informs policy, informs the implementation plan and resourcing—and measured outcomes inform the next version of the plan.
The U.S. is also forging coherence globally. Think of “digital solidarity,” the vision outlined by Ambassador Nate Fick in the State Department’s international cyber strategy. It’s all about outlining a shared vision for cyberspace with allies and partners. As a contemporary example, I was just in the U.K. last week discussing issues like cyber-enabled fraud, a national challenge, an international challenge, and a challenge that the UK has taken a leadership role on.
There are a few areas, however, where ONCD is not only coordinating, but is leading the charge. We have taken on some of the hardest, long-term problems in cybersecurity and we are driving progress.
Whether they’re hard technically because the solution hasn’t been figured out, hard to deploy because of the sheer numbers of players involved, or hard because competing interests must be balanced, these are issues that many of us have talked about for years, sometimes decades.
These problems each needed a dedicated leader, and our office was eager to take them on. Let me share our progress.
In February, ONCD released a report focused on going “Back to the Building Blocks” of our technical systems. It shined a light on memory safety vulnerabilities that have plagued the digital ecosystem for more than three decades. These are tied to the use of unsafe coding languages, and they account for a staggering amount of intrusions.
The report called on technology manufacturers to prevent entire classes of vulnerabilities from entering the digital ecosystem by adopting memory safe programming languages.
It also called on the research community to focus on software metrology, or measurability, to enable the development of better diagnostics that measure cybersecurity quality.
Our focus on these “building blocks” of cyberspace has been influential in several ways:
It galvanized new ways of thinking about how to improve safety for commercial products and services produced around the world.
It spurred development of better diagnostics for cybersecurity quality.
It inspired other countries, which have sought our help to emulate this engineering-forward approach to policymaking.
And the team’s approach is leading to increased government investment. Recently the Defense Department, specifically DARPA, announced an investment of roughly a quarter-billion dollars to work on technical solutions aligned with Back to the Building Blocks. That report has been influential.
Next, let’s look at a deployment challenge: securing the routing of information across the internet to ensure that it goes exactly where it should, without bad actors intercepting it.
This requires adopting border gateway protocol solutions. The “model building code” for this has long existed—it starts with registering internet addresses under an agreement to enable more-secure Resource Public Key Infrastructure, or RPKI, services.
But this solution wasn’t being implemented because of the sheer number of network owners, and the lack of sufficient incentives to act.
Since the U.S. Government is the largest owner of address space, we worked with the Department of Commerce to ensure that we led the way.
A year ago, only a quarter of the Federal civilian Internet address space was able to use RPKI. Now, after spearheading an interagency campaign, roughly 90 percent is covered under an agreement that will enable RPKI services.
And we’ve built deep public-private collaboration to guide network operators in this work. Certainly more work to do, but we’re on a remarkable trajectory.
Next, we’ve developed options to address the hard legal problem of software liability. This is a tough challenge with enormous consequences for IT companies as well as American businesses and consumers. Liability is a key lever for aligning the incentives across these stakeholders, and that alignment takes real work to achieve.
So we pulled together legal researchers for a software liability forum at the White House. Then we developed a range of detailed potential policy approaches that are ready for the incoming administration and Congress to consider.
The next hard problem is: duplicative Federal regulations. This is an issue our partners in industry and critical infrastructure have long said gets in the way of their ability to do business and to focus on cybersecurity.
To learn more, we put out a request for information—and got detailed responses from companies in every critical infrastructure sector. One respondent told us that a staggering 30-to-50 percent of CISOs’ time is spent on compliance. Not cybersecurity, but compliance alone.
Armed with the industry’s call to streamline, we worked with Congress to write bipartisan legislation that would bring all stakeholders, including independent regulators, to the table to advance the regulatory harmonization and reciprocity that industries need.
Many of us were disappointed that this hasn’t become law yet, but we’ve laid the groundwork for the next administration and Congress to do the right thing for our partners in the private sector.
They understand that to undo “regulatory harm,” we need regulatory harmonization. Building codes shouldn’t be in conflict with each other!
Now, the final hard problem I want to cover today: fulfilling the need for cyber talent. Everywhere I go, whether I’m talking to state or local government leaders, small or large businesses, or anyone leading critical infrastructure – they all tell me that they need more cyber talent.
Today, there are approximately 500,000 open cyber jobs in the U.S. So we need to reach more communities and invite them to see themselves in cyber.
In community colleges, technical colleges, Historically Black Colleges and Universities, and other four-year institutions; in Pennsylvania coal country and rural Mississippi, farming communities in Wisconsin, and on both coasts—in all the dozen states I’ve visited, I meet people eager to have good-paying, meaningful careers in cyber.
These visits have helped implement the Nation’s first-ever comprehensive Cyber Workforce and Education Strategy. Under the strategy, we have employers, educational institutions, non-profits, and all levels of government singing from the same song sheet.
More than 180 of these organizations have made commitments following the course we’ve laid out.
Taken together, they’ve pledged to hire more than 35,000 workers.
$110 million pledged to expand training and education.
And again, the Federal government is leading by example—with our partners at the Office of Personnel Management and OMB, we’re moving Federal employee and contractor hiring from a focus on college degrees to a focus on what we’re really after: skills.
Those are some of the hard problems we’ve been working on. But many more remain, so it’s good to have the ONCD team at the ready.
To recap, in the last four years we have: fought fires; taken a proactive posture to defending cyberspace; brought greater coherence to Federal and global efforts; gotten key tech companies to step up on cybersecurity; and taken on some of the hardest problems that have long crippled our ability to stay secure.
That’s progress.
There’s still a long way to go. But we’ve made progress… And ONCD will continue to do so because of how we work and the unique capabilities we have developed:
Our policymaking capability means the team can look at the biggest challenges holistically, gather and analyze input from all stakeholders, and forge real, actionable consensus on the way forward.
Our implementation capability means this team can deliver against the strategies we create, with a nimble cadence of action, review, revision, and more action. The proof: the number of mission partners volunteering to lead implementation initiatives grew from year one to year two of our national strategy.
Our reporting capability makes us truly transparent and accountable. We encourage you all and the public to read about what’s getting done and where we’re falling short at whitehouse.gov/ONCD.
That brings me to the last capability I want to highlight: ONCD’s practiced ability to build partnerships that execute on mission. It’s based on the trust that we’ve built – I would say the trust we’ve earned – over these four years. And it is perhaps the most valuable capability of all.
Unlike more traditional domains of conflict – land, sea, air and space – cyber defense is a shared responsibility. Our Nation’s security and economic prosperity depend on close collaboration with partners, including the private sector, and our allies.
We need public-private partnerships to continue accelerating the sharing of cyber threat intelligence and best practices – and to move from simply sharing information to operating joint cyber defensive activities.
And partnerships are needed to solve even more of the hardest problems like the challenges posed by AI and quantum computing.
I’m particularly energized by the evolving partnerships with state, local, Tribal and territorial governments. We work closely with them, sharing information about Federal resources that can help them build resilience – like free cybersecurity tools for K-12 school districts and libraries.
I want to recognize Rhode Island for being the first state to commit to making every one of its public schools and 136,000 students more cyber-safe by using protective domain name service, PDNS. We strongly encourage every state to follow their lead in adopting this highly effective, no-maintenance tool fully funded by the Federal Government.
My time traveling across the country – including to host many roundtables with K-12 school leaders as well as with cyber employers and students – showcased the unique convening authority of the White House.
Because of these events, hundreds of education leaders know more about how to access the resources they need. They are now closely connected with our mission partners at CISA and the Federal Bureau of Investigation who provide day-to-day support in their communities.
So Federal unity-of-effort isn’t only real in Washington, it’s real to the people who educate our kids, and to more and more people on the cyber front lines across sectors Nationwide.
Because of the ONCD team and our great mission partners.
So four years in, while our office is small – we are close to our full allotment of 85 people – we are powerful, and we are making an impact.
We have come a long, long way since we were an “Army of one.” The team is ready – and able – to do more.
And it needs to do more, because cyberspace will keep growing.
By adopting and enforcing building codes, America’s cities and towns could continue to grow, ever-bigger and more beautiful, while conflagrations declined.
Working together, we – all of us – can create the same future for our cyber America. We can make it safe and functional, and more – a place where people work and play, connect and create. A place of innovation and opportunity for all.
Getting there is our mission, and that mission will endure. Looking ahead, there are two things that I am certain of:
- One, our digital foundation is getting stronger and the proactive approach will continue to help protect our great Nation.
- Two, the ONCD team will serve the American people in the Trump Administration and beyond with dedication and excellence. My ONCD colleagues don’t know any other way. Their professionalism knows no bounds. I’ve been proud, and will remain proud, to call them shipmates.
It’s been a tremendous honor to serve as National Cyber Director. And a greater privilege to have worked alongside all of our partners.
Thank you.