Washington, DC
Remarks
ADMINISTRATOR SAMANTHA POWER: Hello everybody, it's great to see you. I'm thrilled to be part of such an important gathering. Special thanks to Deputy National Security Advisor [Anne] Neuberger, who – we could not be in more capable, visionary hands here, as somebody who is hosting this event, and who has assembled the substance of what you all have engaged on for the last day and will for the rest of today.
Your leadership – and it's really a pleasure to study the list of the people who have gathered here and the diversity of backgrounds that are represented in this room. But your leadership in your respective countries, Anne and her team's leadership here, the folks at the State Department who have built this new bureau – this is, you know, clearly an incredibly important growth area. And the progress that has been made while feeling you know, more often than not insufficient, would not have been made, again, without the dedication of all of you. And I, as a citizen of this country and the citizen of the world, am really, really grateful for that dedication and that sacrifice that you will make to try to advance our collective security.
I'm especially pleased to be here in my current capacity as USAID Administrator, because this is the first time in the history of CRI that the U.S. Agency for International Development is participating. USAID, for those of you who haven't worked with our agency in your countries – either jointly collaborating on projects in other countries or perhaps if your country has been a place that has hosted a USAID mission at some point in what today – USAID was created by President John F. Kennedy back in 1961.
We have USAID missions today in more than 80 countries, programs in more than 100 countries. And you may know us best for swooping in when there is a conflict or a natural disaster and providing emergency humanitarian assistance, food, shelter, medicine, etc.
But the main focus of USAID work around the world is development. And that itself can be an amorphous concept. But basically what we are looking to advance is economic development, education, development of health infrastructure these days of course pandemic prevention and most recently pandemic response, food security at a time of gripping inflation and very significant economic headwinds and democracy, governance, and human rights. So again, those are just a few of the areas we work in. But again, all of those sectors need to be integrated.
This year, as you know, CRI welcomed new members, including countries in the Global South, like Colombia, Sierra Leone, and Jordan, where USAID has over the years developed really close partnerships and does what I hope is really important work with those partners on the ground.
So today, I want to talk about some of the cyber challenges that we see countries facing on their development journeys and how USAID is strengthening both our cyber protections for the work that we do, and our work to boost the cybersecurity of partner governments, so that we can take advantage of technology's incredible capacity to drive faster progress while mitigating the vulnerabilities in the data that present potential downsides.
We saw a particularly vivid example of the impact that cyber attacks can have back in 2017, and that is, again, the impact on development – on a country's development trajectory – when computer screens across Ukraine went black, cutting their users off from their files and your systems. That attack hit at least four hospitals in the capital alone, six power companies, two airports, more than 22 banks, and almost every federal agency. All were brought to essentially a standstill as the systems that allowed them to perform everyday tasks were taken offline.
In the streets of Kyiv, Ukrainians found themselves asking the most basic questions: How are they going to get prescriptions filled? When medical records were suddenly inaccessible? Was there enough food at home to last until they were able to use their credit cards again to buy more? And without digital ticketing at transportation hubs, could they even get home that day?
As many of you must remember, well, the disruptions of this nature quickly spread as well around the world. Allegedly introduced on Ukrainian computer servers by a state-level actor, the attack – called NotPetya – spread across continents to become the largest cyber security attack in history. That attack showed the world that cyber attacks could inflict real damage to real people, denying them necessities like food, electricity and health care, and halt or even reverse development progress.
All told, by the time systems were back up and running – some cases, as long as two months later – NotPetya had caused an estimated $10 billion in global economic damage. In Ukraine, where USAID has a very large mission and where we have been partnering closely with the Ukrainian people to strengthen their public institutions and to spur economic growth, progress was set back in an instance and cyber attacks don't only set back development progress, if development programs that rely on technology as most do these days.
If they have conducted without the proper precautions, they can themselves create vulnerabilities for cyber attacks. Last year, the International Red Cross discovered that a state-level actor had broken into the system behind the Red Cross's Restoring Family Links service, which helps connect family members separated by conflict, natural disasters and catastrophes of all kinds around the world. The attackers stole the personal information of more than 500,000 Red Cross beneficiaries. This Restoring Family Links reunification service was temporarily shuttered, and the attackers gained access to very sensitive personal data that included beneficiaries, names, locations, and contact information.
You can imagine similar risks across so many sectors of development and of emergency programming. Health programs, for example, often store digital medical records that, if inadequately protected, could reveal sensitive material life, whether a patient identifies as LGBTQI+, which in some countries is punishable by death. Or take energy, helping countries digitize their energy systems creates opportunities for cybercriminals and the foreign malign actors they are sometimes associated with, to shut off power altogether. And in the democracy and governance sector, digital tools can of course be invaluable to civil society to help them organize to help them hold powerful individuals and institutions accountable. But they can also open already vulnerable actors like journalists and activists to targeting and to surveillance, and they can help fuel damaging disinformation campaigns.
The truth is that when we don't prioritize cybersecurity at each stage, and in every sector of development, we not only put governments and communities at risk, but we also risk harming the people that we are trying to partner with and to support.
So, the key message here today is that we must make cybersecurity a fundamental part of the planning and implementation processes of our work built in from the beginning, as a design feature. USAID also works with partners around the world, in governments, nonprofit organizations, universities, and private companies. When we help them put the right protections in place in the digital systems that they create for their own communities, they – in some cases, you – will drive the sustainable locally-led digital transformation that is absolutely critical to lifting countries out of poverty, helping them escape death distress, or get through the post pandemic economic malaise that exists in so many places.
Helping our partners strengthen their own cybersecurity protections, not only helps prevent attacks that can halt or reverse development progress along the lines of what you know so well. But it also opens up a whole new world of possibility to use technology to supercharge development progress.
Recognizing this, USAID is expanding our cyber portfolio by boosting cybersecurity protections in our own programming. And again, just drawing that distinction. There's the programs that we do, and then by actually having programming more of it, that helps other countries boost their cyber capabilities writ large. In 2021, USAID established the Cybersecurity Team is a key component of our holistic digital development practice, which provides our missions – remember 80 missions out in the world, programs in 100 countries, our bureaus back here, which are the kind of hubs that drive our work – and our partners with resources and technical assistance to reduce cybersecurity risks in our global humanitarian and development operations.
USAID’s Digital APEX program, so-called, also provides both preventative support, like cybersecurity training and policy development, and responsive support – like triage and data recovery in the case of cyber attacks – so far to 350 organizations that USAID works with to implement our programming around the world.
Working together with our partner NetHope, USAID is helping to establish the first Humanitarian Information Sharing and Analytics Center, or ISAC, as the acronym goes, to improve information sharing about cybersecurity threats among humanitarian organizations and private sector partners to improve our collective security. So Digital Apex and ISAC – two burgeoning initiatives.
At the same time, as I mentioned, we don't just see an opportunity to make our own programming more secure. We see more importantly and more sustainably an opportunity to work with other countries to strengthen their overall digital ecosystems, reducing the likelihood of attacks that can set back their development progress, and opening them up to more avenues for tech fueled economic growth. In fact, an increasing number of USAID department countries have explicitly requested our assistance in boosting their own cybersecurity capabilities.
In 2021, USAID launched the Critical Infrastructure Digitalization and Resilience Activity – CIDR for short – to mitigate cyber threats from regional adversaries in Eastern Europe. Through CIDR we work with countries like Albania, which I know is represented here, which suffered a series of devastating state-sponsored cyber attacks attributed to Iran in 2022, and many digital government services became unavailable to Albanian citizens.
In the immediate aftermath, the U.S. government provided a coordinated emergency cybersecurity response team to the country. USAID then worked with the Government of Albania to build its longer term cyber capability, including providing training to cyber professionals for protection of critical infrastructure like the country's power grid.
Or take Ukraine. NotPetya’s attack on Ukraine in 2017 was unprecedented, as I mentioned, but Ukraine quickly learned from that experience and in the wake of the attack – USAID invested in helping the country build its overall cyber capacity and improve the resilience of its critical infrastructure. These early investments in boosting cybersecurity paved the way for the rush of extraordinary innovation in e-governance that Ukraine has made over the past few years. In 2019, Ukraine's leadership, including President [Volodymyr] Zelenskyy, and Minister for Digital Transformation [Mykhailo] Fedorov, who many of you know, laid out an ambitious vision to create a stake in a smartphone. That vision as many of you know is called Diia, and the platform and the app are really in some ways the talk of the world.
Fedorov, backed by President Zelenskyy, imagined a platform where citizens could interact with their government completely online. When Diia launched in February of 2020, offering basic services like digital identity cards, the ability to sign official documents, and a two click process to register a new car. It became the most downloaded app in Ukraine. And since Putin's brutal invasion, last year, Diia has become a critical part of meeting humanitarian needs, enabling Ukrainians across the country to report war crimes, track enemy troop movements, and get compensated for damaged property – all with a click on a smartphone. But this to be clear is only possible because strong cyber protections make it possible to transmit sensitive data online. USAID has supported Ukraine in building cybersecurity protections for this Diia platform through iterative security checks, like penetration testing, and bug bounties that are open to the public.
During the war, it has protected sensitive data from attacks by protections like moving operations to cloud storage so that data can't be destroyed or stolen through physical attacks. From February 2022 – the start of the full scale invasion – to today, Ukraine has withstood millions of cyber attacks and information security threats aimed at the government and its critical infrastructure.
Six years after NotPetya wrecked the havoc that I described and you know so well, Diia has remained stable and operational in the face of enormous cyber warfare capabilities of adversaries. All by putting cybersecurity first, Diia shows what is possible for development outcomes when we prioritize digital resilience and security.
Now other countries are following suit. Earlier this year, I announced that USAID will support Colombia, Kosovo, and Zambia to model similar e-government capabilities as these countries continue to drive their own development progress and use these tools to reduce corruption, increase transparency, and digitize their economies. But in so doing, again, as a design feature, cybersecurity protections have to be integrated right from the start.
Today, as professionals in this space, and as representatives of so many countries and international organizations around the world, you all have an absolutely vital role to play. As development organizations work to increase the use of safe and secure digital technologies to achieve our development goals. Your leadership will be absolutely vital as technologies like artificial intelligence continue to advance. Just this week, President Biden signed an executive order on AI that identified exciting opportunities to use AI for good, but also recognized the need to mitigate evolving cyber challenges and make these technologies as safe, secure and responsible as possible.
It is your knowledge and your input that will help us navigate these evolving challenges, challenges that are evolving at blitz speed. And you will allow us to take advantage of growing opportunities to use tech to empower people around the world to build stronger, healthier, and more prosperous communities that they still deserve.
Thank you so very much.