President Trump enters office in a very unique situation with revelations of Russia cyber operations' potential influence on the outcome of his election.
As a retired Colonel who worked in cyber operations in government, I was shocked by some of the policy decisions, public disclosures and the politicization of nation-state level conflict in cyberspace by the outgoing administration.
Cyber policy and operations, normally only discussed within the Principles Committee of the National Security Council, were played out in the public forums of 24-hour news, newspapers and talk radio. The folks conducting cyber operations in support of our country have a hard-enough job; it is only made harder when our national leaders and media shine a spotlight on the conflict, driving up tension and creating panic.
Facing the Challenge
Going forward, I would breakdown the most important objectives of a cybersecurity strategy into the following categories:
1- Nation-state cyber operations Policy and Operations
Step one for the Trump administration should be to select and empower a national leader to shape cyberspace policy and operations in support of law enforcement, intelligence gathering and military operations. Past administrations have named a cyber czar, some more effective than others, who influenced cyber policies across government, but were never empowered to direct policy. One possible exception was the Obama Cyber Security Executive Order that narrowly defined a few initiatives for the cyber czar to lead.
I think it is time to elevate cyber czar to a cabinet level position with small staff to direct cybersecurity and operational objectives across the interagency community, as well as with our international partners. The Trump administration should make every effort to take national-level cyber offensive operations discussions off the front page and back into the shadows where they belong.
2- Defense of national interests and commerce
President Obama made a good first step with his Cybersecurity Executive Order (EO) in providing government leadership in getting the nation on the same page on cybersecurity. Out of that EO came the NIST Cybersecurity Framework that many large and small companies have leveraged to provide an apples-to-apples comparison of their cybersecurity posture. This EO also put more definition behind how the government and civilian communities could share cybersecurity intelligence and drove the passage of the Cybersecurity Information Act that setup a framework for government and civilian companies to share threat intelligence without fears of litigation and disclosure.
The next steps should be to put more focus on what information is shared through these collaborative environments. Government agencies in law enforcement, intelligence and military gather their threat information through highly classified methods and capabilities. If they shared some of the technical data with the civilian community, our adversaries would quickly figure out they have been compromised, and we would lose access. So, the point here is that we should not expect great technical data from the government. In fact, the best threat intelligence research for corporate use is conducted by cybersecurity companies. What we need from the government is more of the motives of attackers and what they are targeting. We can't protect everything, and the government can give us good context as to the actors, motives and targets without giving up their classified collection of methods and tactics.
3- Training and education initiatives
The last area I would like to see President Trump focus is investment in education at all levels on cybersecurity. Globally, we have a shortage of more than one million cybersecurity professionals. So, the small- to medium-size companies don't have a shot at filling these highly skilled positions with the right people. We need to push cybersecurity principles and emphasis all the way down to when our children first touch a computer.
Computer science and engineering degrees should have cybersecurity as part of their core curriculum, as opposed to an add-on or elective, so that every programmer, system administer or engineer understands how to conduct IT operations securely. Further, I would love to see more of our community colleges include technical, two-year degrees with some of the critical hands on cybersecurity skills taught to help close the gap on that million-person shortage. This could be done in partnership with some of the large security vendors to keep the government's involvement in more of a leadership role.
The role of the POTUS
Ultimately, it will take a combination of policies and execution spanning the public and private sector to face the myriad of challenges presented across the cybersecurity spectrum. Leadership from the top down can help dictate a direction that can at least serve as a guidepost to approach and achieve a unified effort. From the perspective of the bully pulpit, our new commander-in-chief is in ideal position to serve this important role and assume the position of the first “Cyber President.”