Remarks of Diane Rinaldo
Acting Assistant Secretary of Commerce for Communications and Information
GCTC Smart and Secure Cities and Communities Challenge Expo
July 11, 2019
--As Prepared for Delivery--
Hello and thank you for being here.
NTIA is thrilled to serve as co-host of this event and support the Global City Teams Challenge, alongside NIST and the DHS Science and Technology Directorate. For those of you who aren’t familiar with our agency, we are the principle adviser to the White House on technology and telecommunications issues.
Over the past few decades, innovative technologies have brought enormous benefits to the American people. At NTIA, we see examples every day of how Americans use technology to expand their businesses, find jobs, further their education, and create safer, more prosperous communities.
Our mission at NTIA is simple: We seek to expand the use of tech around the country so that all Americans can realize these benefits. We develop policies that allow innovation to flourish. And we bring stakeholders together to work on solving the challenges that come with these advancements.
That’s why we’re so eager to support the GCTC, which brings together diverse communities and industries to ensure that the leading edge of smart technologies can reach every corner of our country.
Smart tech can deliver drastic improvements for our communities. In rural areas, it means economic growth, attracting businesses and people, and improvements in health care, agriculture, and manufacturing. In urban areas, McKinsey Global Institute found that smart city projects lead to reductions in traffic and crime, better emergency response times, and more efficient usage of energy and water.
Our terrific interagency collaboration with NIST on the GCTC began with the development of a blueprint for Public Wi-Fi projects, which can be a powerful digital inclusion tool. The blueprint is now used by a number of cities, the Department of Housing and Urban Development, and NTIA’s broadband technical assistance team.
This work has helped create broader best practices for wireless deployments, with a current focus on the Internet of Things.
We’ve also facilitated an Agriculture and Rural SuperCluster, focused on increasing productivity and quality of life for farmers, ranchers and other residents of rural communities, as well as a Smart Buildings SuperCluster, in partnership with the Telecommunications Industry Association.
On the horizon is a smart states initiative that NTIA, NIST and the National Governors Association is developing. You will hear more about this later in this conference.
Much of the power of our GCTC efforts comes from public-private partnerships. This is a model that NTIA strongly supports. Facilitating public-private partnerships is a big part of what we do in our BroadbandUSA program. It’s a great way to work with communities around the country as they pursue broadband expansion.
Our team has found that the best public-private partnerships expand broadband by combining private-sector expertise, and capital, with public financing, community assets, and local leadership. Universities also contribute expertise to these partnerships, which are especially effective in rural areas.
The GCTC also follows another path that is core to NTIA’s work, which is learning from those who have been successful on the ground, and turning those lessons into a blueprint that others can follow. I like to talk about NTIA as a convening organization, because we understand the power that bottom-up processes can have in creating sustainable, adaptable solutions.
Our agency is most effective when we provide a platform for bringing people together. By sharing your best ideas, your pain points, your success and your failures, we can find areas of overlapping interest, we find potential partners, and we find strength in numbers. As we look to unlock the promise of smart communities, it’s clear that the two keys will be collaboration and innovation.
Launching Smart Regions Collaborative
This is the idea behind the new GCTC Smart Regions Collaborative. By elevating conversations about smart cities and communities to the regional level, we can accomplish several goals at once:
- First, we gain the benefits of scale. Projects that may not make sense for a county or a small town can suddenly gain significant momentum when an entire region signs on. Scaling up not only means reduced costs and better access to capital, but it also means more expertise – more governments, more companies, more nonprofits, and more academic institutions can become invested in your projects.
- Second, by casting a wider net, we will better ensure no one is left behind. Inclusivity and increasing the quality of life for all residents will be cornerstones of this collaborative.
- Third, thinking regionally means more holistic and sustainable projects. After all, a smart traffic plan won’t get very far if it doesn’t mesh with surrounding communities. By increasing the number of people, places and organizations involved, we have a much better chance of creating projects that will stand the test of time.
We’re very excited to be partnering with the National Association of Regional Councils on this new collaborative. Their involvement is critical – they know why regional cooperation works, they’ve already built regional teams and networks, and they can help bring together government, community and business leaders to accomplish our shared goals.
Today, you’ll hear about some of the 10 inaugural regions working with us to set up the new Smart Regions Collaborative. These regions span the country, from East to West, North to South and in between.
In the Upper Northwest, the Cascadia Innovation Corridor is a region that encompasses Portland, Seattle and Vancouver. The Cascadia team is integrating several smart city and economic development initiatives.
Three universities in the area are using data to address issues like assisting the visually impaired and wheelchair users, and monitoring near collisions between bicyclists and vehicles.
In Indiana, 10 mostly rural counties have come together to form the Wabash Heartland Innovation Network. This network, along with Purdue University, will be developing and testing IoT solutions that will push the region’s high-tech agriculture and next-generation manufacturing sectors to new heights.
And right in our backyard, three groups representing business, industry and academia are partnering on the Greater Washington Smart Region Movement. These groups represent hundreds of organizations that are prepared to contribute to smart technology deployments that drive inclusive economic growth, narrow the digital divide, and attract financing and talent. We’ll be hearing more about this in a panel later this morning.
Smart and Secure Communities
As I’ve mentioned, in addition to expanding the use of technology, NTIA also has a significant role in tackling the complex challenges that arise from advancements in connectivity. We want these innovative technologies to succeed, but first we need to make sure we’re building on a solid foundation of trust.
The Internet of Things won’t reach its potential if users don’t trust that their devices will be secure. In the same way, smart communities depend upon quality data, so we need a data privacy model that ensures Americans are willing to share their information.
As we work on solutions, we also need to guard against creating obstacles to innovation that would harm our economy.
NTIA is working on these issues across the federal government, and with stakeholders here and around the world. We are promoting smart IoT policies that incorporate security and protect American consumers, and we are developing an American approach to handling data that ensures privacy and builds trust.
On privacy, we’ve been talking with stakeholders from across industry sectors, civil society, and academia to better understand what the problems are, what we can agree upon, and how we can move forward. As you can imagine, there is a lot of interest in this topic. We received more than 200 responses from a range of individuals, industries, companies and organizations in response to a proposed privacy approach we put forward last fall. We’re grateful for the time and energy that these groups put into our process.
In the comments, we heard a sense of urgency, and a desire for American leadership on this issue. Our policies must reflect the changes in the use of data that have transformed consumers’ relationships with technology over the past decade.
There is also broad industry consensus that we can’t have a patchwork regulatory landscape within the U.S., and where there are differences internationally, we should take care not to harm the data flows that power the global digital economy.
Finally, we received many thoughtful, constructive comments on our proposed risk-and-outcomes-based approach. NIST is leading that work and is gathering public input on a draft framework made public in April.
Work on the risk-based privacy framework follows the broad outlines of the NIST Cybersecurity Framework for managing cyber risks. The result will be a collection of tools that anyone can use to assess and address privacy risks in any regulatory environment.
A risks-and-outcomes focus has another benefit, which is it that it doesn’t entrench large, established businesses at the expense of startups and small firms. If the compliance costs associated with data use are prohibitive for small businesses, we may well lose out on the next generation of innovation, not to mention the jobs and economic benefits that small businesses provide.
On cybersecurity, it’s important to note that the resiliency of the Internet has been a priority since the beginning of the Trump Administration. One of the President Trump’s first Executive Orders was designed to better secure federal networks and critical infrastructure. As part of that order, the Departments of Commerce and Homeland Security last year submitted a report to the President that outlined a path toward dramatically reducing the threat of botnets and similar automated, distributed attacks.
Since then, we have turned that report into an actionable roadmap which will help us track our progress and prioritize these actions – some of which have already begun.
When it comes to a secure IoT environment, the challenge is different than securing smartphones or home computers. Many people do not think of their thermostats, lightbulbs, cars, or appliances as digital devices that may carry cybersecurity risks. At the same time, many manufacturers that haven’t previously had to deal with software vulnerabilities are suddenly finding themselves in the center of a complex ecosystem.
Take the issue of patching. Everyone here is used to the process of patching for their computers – after a vulnerability is discovered, organizations push out a patch and prompt the user to immediately install it. It means restarting your computer, or perhaps the office network is down for a few hours. It’s fairly rote now – but it’s a process that represents about 20 years of work.
Patching IoT devices is still in its infancy, and we can’t afford to take two decades to figure it out. Given the sense of urgency, NTIA recently convened security experts and IoT vendors to discuss patching with the goal of creating a shared set of expectations across the ecosystem.
One output of this multistakeholder process was a short technical summary of what constitutes a security update, establishing a common definition, and how to secure each step. Another outcome, aimed at a policy and business audience, offered advice about communicating “patchability” at time of purchase.
We think this kind of work can form the foundation of broader security baselines. Our efforts were focused on making sure that the ecosystem can continue working despite the presence of vulnerabilities.
The next step toward a more secure marketplace is better transparency. The more we know about what is in our systems, the better we will be able to make decisions about risk, and handle existing and emerging threats.
Last summer, we launched a new initiative on “Software Component Transparency,” gathering stakeholders together to develop a shared vision of what many call a “software bill of materials.” In the modern software supply chain, lack of systemic transparency prevents organizations from understanding what they are purchasing, or discovering whether they are at risk from newly discovered vulnerabilities.
In this ongoing work, stakeholders are drafting definitions, documenting use cases, and reviewing standards and formats across a range of sectors and perspectives. If we land on a common solution that spans technical communities and specific markets, we can enhance incident response and vulnerability management, and make informed decisions in a free market choice of goods.
These approaches to transparency can start to drive toward a more secure marketplace.
To close, I want to let everyone here know that our doors at NTIA are always open. If you have something to contribute to our work, or if you think we can help you reach your goals in any way, we want to hear from you.
Thank you and enjoy the expo.