SC Media put a set of questions to cybersecurity and privacy experts to assess Donald Trump's first month in the White House and to glean advice for the new president.
How is President Trump doing with his administration's policies on cybersecurity and privacy?
Bill Anderson, CEO, OptioLabs: The only thing clear with the policy so far is that he's announced that they will review security issues. There is nothing specific about what will change. Computers are distinctly literal creatures: they will only do what you tell them to do if you speak very clearly in a language (code) they understand. Vague human political speech has no effect on the way computers are actually secured.
Adam Levin, chairman and founder, CyberScout, and the author of Swiped: While President Trump has made a number of cringe-worthy statements, in particular regarding his son's computer skills and 400-pound hackers, there has been leaked language on draft cybersecurity executive orders that was in line with a number of recommendations from respected bipartisan experts. It's hard to know where this is going until we see the final copy, but if the education and training mentioned in the first leaked draft makes it into the final order that would be good news, along with a unified approach to cybersecurity.
The appointment of Tom Bossert as Homeland Security Advisor may bode well here, too. He is experienced and solid on government security issues. It is hard to know how he will navigate the agenda of corporations versus consumer privacy.
Hitesh Sheth, president and CEO, Vectra Networks: In response to an executive order that leaked in February, this should still be a step in the right direction. We're long overdue for a revamp of the government's existing policies, such as the archaic Continuous Diagnostics and Mitigation program, and it appears that the executive order should help to do this. One of the order's remaining goals is placing more accountability on agency heads to keep their respective systems secure. This is a good step, and it's consistent with trends happening in the private sector.
We hope this will finally break the grip of various large consulting firms whose job it is to sell obsolete solutions that only encourage more spending on consulting services. Many government agencies we work with are dealing with ten-year-old technology that is incredibly out of date. What they're looking for now is to automate more of their critical security controls so they can react much more quickly to mitigate attacks as they're happening.
John Dickson (right), principal, Denim Group: It's too early to tell, but the Giuliani appointment was a positive step because it could elevate cybersecurity within a Trump administration given Giuliani's profile and political stature. Also, it appears he is moving quickly to study cybersecurity protections for federal government agencies, which needs a re-haul and continued executive focus.
Carson Sweet, co-founder/CTO, CloudPassage: President Trump isn't the guy to watch -- it's Tom Bossert. He's pretty balanced, which based on other Trump administration appointments seems almost uncharacteristic of the administration. The president has been pretty mum and the administration delayed issuing their cybersecurity executive order -- I read both of these as a "cooler heads prevailing" situation, which is actually encouraging. The real test, though, will be when the orders come down to force data stewards to give up their charge to law enforcement.
Aaron Tantleff, partner, privacy, security & information management practice, Foley & Lardner LLP: Trump came into office making clear that cybersecurity was going to be dealt with upfront, with an “immediate review of all U.S. cyberdefenses and vulnerabilities, including critical infrastructure.” However, a recently leaked executive order appears to be an attempt at slowing that down. The leaked draft of the executive order states that the U.S. is only “committed” to “employing the full spectrum of capabilities to defend U.S. interests in cyberspace; and identifying, disrupting and defeating malicious cyber actors.” It's unclear what that means or whether teams have already been assembled and looking at this issue. But on the surface, it sounds like someone is applying a little pressure to the breaks.
On the other hand, Trump's pick of Tom Bossert, for homeland security advisor is a positive sign. He is well regarded and level-headed, and in combination with the draft executive order, may be far less troubling to the private sector, which had been somewhat on guard as to potential implications and new regulations.
What would you recommend to the administration?
Tantleff: The Trump administration should consider whether cybercrimes, fraud and other related activities should be addressed in a more aggressive manner. This would give notice to the criminals and public alike of the renewed, more aggressive focus and possibly act as better deterrent.
One area of critical importance is funding. Funding of cybersecurity initiatives under the past administration had been somewhat lacking, resulting in an inability to pursue several initiatives.
Creating a better public-private partnership to enable the sharing of information between the public sector and the private sector with respect to cybersecurity would lead to better defenses overall. Additional legislation may be required to shield such companies from liability in order to share such information.
Anderson: I'd recommend they not listen too much to the incumbent technical security apparatus in the government when told what can't be done. There is a tendency toward moving very slowly, restricting functionality, and dampening innovation in the government security space in favor of following predefined certification standards that are many years old. The bureaucracy tends to drive by looking in the rear-view mirror, ensuring they don't make the mistakes that were made in the past, but not considering what is coming. To protect against the unknown, they want to block out all new technology. “No smartphones, no webcams, and absolutely no Twitter!” would be the incumbent technocrats' automatic response.
Instead, the administration should pressure the government to face the challenge of modern computing capabilities and still make it secure. Everyone else in the world uses technology for communications and efficiency. If our government keeps trying to avoid the present, the result will be poor productivity and a lack of current awareness in all aspects of government operations. They will fall further behind, and further out of touch.
Lance Cottrell (left), chief scientist of Passages, Ntrepid: I would advise the administration to leverage our best and brightest and bring in experts familiar with all aspects of information security to work toward creating an effective set of cybersecurity policies. Cybersecurity is very complex and poor policy choices can easily do more harm than good, leading to solutions that could have massive unintended consequences. The focus should be around what industry and businesses need to effectively protect themselves and maintain business and operational continuity.
Dickson: Provide clear and consistent policy guidance to public and private sector organizations so they can “up their cybersecurity game.” Also, let the cybersecurity experts provide recommendations and act on them. This is another area where the devil is truly in the details. Take advantage of an all-Republican House and Senate to get meaningful legislation. Then, pick one or two areas to make progress and focus on getting them enacted either through Executive Orders or through new laws passed by Congress.
Andrew Howard, CTO, Kudelski Security: It is still early to fully assess the administration's policies on cybersecurity and privacy. However, they first should pay close attention to protecting U.S. critical infrastructure and key national defense systems. Given the administration's focus on national defense, avoiding incidents like the Office of Personnel Management (OPM) breach should be a key priority. Cyber is now the most commonly used weapon by adversaries and poor cybersecurity hygiene by the Government is no longer acceptable.
The incentive systems for U.S. corporations to build strong cybersecurity programs are not working. Too many companies are deciding the risks do not outweigh the costs necessary to properly protect consumer information. This is especially true in health care and manufacturing where information security is more difficult and often costly. When a health insurance company loses consumer data due to a breach, the consumer loses with higher premiums.
The administration should look at carrot and stick incentive schemes similar to the European Union (EU) to drive change. Strong defensive programs should be eligible for tax credits. Furthermore, breaches that lead to the loss of private data should be met with penalties that impact a company's bottom line, similar to EU General Data Protection Regulation (GPDR) which calls for the loss of 2-4 percent of revenue following a negligent breach. The Data Breach Insurance Act (H.R. 6032) is a good example of using the tax code as an incentive for good cyber hygiene.
Levin: I would recommend a consistent and unified public sector approach including education, derived from DoD cybersecurity policies. I don't know how involved the IG currently is across the entire federal government, but I would recommend a division of the IG or another oversight group that would audit agencies for compliance with those standards. That would get DoE, Homeland, the SEC, and all the other groups who currently march to the beat of their own drummers more closely aligned and more accessible for general oversight.
I would support and encourage the industry groups that have been effective over the years (like the Payment Card Industry) to keep doing what they do, and I would do what I could to encourage the formation of others. Health care needs a private sector group to encourage compliance, because the Office of Civil Rights can't keep up.
I would encourage legislators to do their jobs and build a financial services cybersecurity policy quickly, before each of the states builds their own and the cross-state compliance environment gets out of control. New York DFS created one, because the federal government hadn't. We may be descending into a regulatory Balkanization in financial services.
Sheth: Agencies are going to need budget authority to purchase new technology. The government has been running on continuing measures that are set to expire in April 2017, and agencies have only been able to spend money to update currently deployed solutions that don't address critical gaps. Security vendors can take an active role in furthering existing synergies between government and the private sector, by framing their capabilities around the Critical Security Controls (CSCs) laid out by the SANS institute and the Center for Internet Security, a nonprofit federal-private collaboration that promotes cybersecurity best practices. Together we can make it easier for all organizations to adopt those controls, practice better cyber hygiene and protect critical public and private assets.
Dana Simberkoff, chief compliance and risk officer, AvePoint: Cybersecurity, hacking, and the threat of data breaches are topics that have moved from the shadows to front page headlines. Appropriately, the 2017 federal budget allocates more than $19 billion for cybersecurity – an increase of more than 35 percent year over year. With all that President Trump is inheriting in terms of cybersecurity issues, it isn't a surprise that he is already drafting an executive order on the subject, but I would recommend continued consultation with cybersecurity experts before putting anything into action.
Operationally, government agencies should implement a strong mandate for security and privacy by design across all agency programs and assets. Traditionally there has been a perception that privacy is where “IT goes to die” and that security “leads with no.” Whether deserved or not, this is not an effective way to build a collaborative team. Instead, it's important for security and privacy officers as well as legal counsel to take the steps to “bake privacy in” as a fundamental ingredient and a foundational tenant of their development lifecycles. Data protection must be embedded in every step of the process – from the whiteboard stage of a new IT project, program, system, or campaign through the design, development, quality assurance and release of the very same system.
Systems need to be easy to use securely and difficult to use insecurely. This is a critical point and probably one of the single largest opportunities for security programs to be revamped. Make it easier for your end-users to do the right thing than the wrong thing. Specifically, create policies, rules and IT controls that make common sense and make it easier for your end-users to do their jobs effectively with the systems and controls that you want them to use. Don't set up policies that are so cumbersome and restrictive that your employees are pushed to public cloud options like Dropbox and Google Docs to be able to effectively do their job. At the end of the day, employees will do what they need to do to get their job done. Organizations need to join them in making it simple to use the systems you can control.
Sweet: Think slower, act faster, be pragmatic, borrow from commercial learnings, and modernize.
What should its next steps be to entail to improve cybersecurity and ensure privacy?
Anderson: There are many tools that can be embraced and integrated to serve government security needs. This is not an area that needs another 10 year DARPA study or a 5-year procurement contract. What is needed is for a tech-savvy integration team to take available commercial technology and adapt it quickly to government needs (and by quickly, I mean in 1 year, not 3, because technology is always moving on). The people who made the security rules in the past cannot be relied on to do this. What is needed is a mindset that can re-evaluate real threats, real needs, and current technical capabilities and meld together a practical solution now – then the rulebooks can be updated to reflect what really works.
Cottrell: There are two primary technology areas that, if focused on, could make a real difference. These include, encouraging the widespread adoption of strong encryption to protect our data, communications, and infrastructure, while arming our government employees with technology that will protect them and their host agencies from adversaries looking to take advantage of the OPM breach data. With the breakdown of the security perimeter and introduction of “bring your own device" organizations are at risk when their people are at risk, even at home.
Government has a roll to play in helping to establish security standards but it is important for that process to be open and transparent. Trust has been an issue and will continue to play an important role between government and security experts. This trust has suffered because of past weakening of security protocols during the standards drafting process.
Innovation is critical and often comes from smaller technology companies that are bringing new solutions to market. The government must find a way to take advantage of these capabilities by making it easier for small emerging technology companies to navigate and enter business and procurement cycles the same way larger, more entrenched, businesses have done.
Dickson: I would recommend his Administration move beyond information sharing as key policy plank and push to make concrete policy recommendations for private sector players, and allocate more resources to protect federal government agencies that protect our most sensitive information.
Howard: The government has a litany of levers available to impact cybersecurity and privacy change in the U.S. One key next step for the administration is to significantly increase innovation investments in this area. In cybersecurity, the country's technological advantage is not insurmountable and must continue to improve. Government efforts should include fortifying programs executed through organizations like DARPA, increasing funding to universities and incentives for innovation within the business community.
Tim Toohey (left), partner, Greenberg Glusker, head of cybersecurity practice: This is a recurring issue which is going to be increasingly important and cause issues for American based companies that are storing information/data overseas. European countries want data regulation and data under control. We have a real culture clash between the privacy oriented point of view particularily in the EU and the U.S. which has very broad scope of discovery rules for both civil and criminal issues.
These sorts of conflicts are going to increase as the U.S. goes its own direction on these matters. The EU has a very different approach to privacy than we have in the U.S. American companies – Google, Microsoft, and others, - are increasingly storing data in the EU. In some instances of civil discovery or criminal investigations, this could set up a collision course between commercial interests and the broad scope of U.S. discovery.
Levin: The administration should focus on a consistent, unified policy across each industry, and it should re-invent itself as an educator and communicator. DHS could become a repository of best-practice, in its own right.
It should avoid temptations to require adherence to specific standards (like 256-bit dynamic encryption or anything else in particular), not only because the federal government moves too slow to keep current with technology, but also in a continually evolving digital environment it is crucial to create a framework for best practices to be applied.
Simberkoff: The executive order provides an opportunity to ensure agencies assess the data they collect and hold internally to improve their internal cybersecurity programs. Organizations must have a better understanding of the data they hold to effectively prioritize and protect it. It also gives an opportunity to have organizations look at investments in cyber-education. Ideally, the order should empower the future generation to be privacy and security-aware and encourage agencies and businesses to ramp up their investments in technologies and training to fortify our national and corporate security posture.
This means that CISOs and CPOs must partner with their IT and program colleagues internally to gain key executive sponsorship and cooperation with their departments and agency programs. However, the reality is that security, privacy, and compliance offices are typically very small offices within large organizations. They are tasked with ensuring compliance to many different standards for management of sensitive information internally and externally. They simply cannot be in every meeting and a part of every discussion in which a new IT system, program, or campaign is being contemplated. Instead, what they can do is develop a framework that can be used by IT organizations to incorporate security and privacy best practices “by design and by default” within their line of programs, IT systems, and across the organization.
Sweet: I would hope that Bossert empowers an effort to have the commercial world meaningfully engage on cybersecurity issues. There's a lot of inertia in the federal government that stems from various sources, and until that inertia is meaningfully overcome we can't make progress.
Tantleff: Following through on the opportunity to engage with private business. There are a number of companies that have vast sums of data and infrastructure that they are experienced with protecting, as well as companies that are developing solutions to further security that would be insightful for the White House. This public-private partnership could lend a missing voice to the White House by letting the administration hear from those also facing the same problems and learn about how they are addressing them. In addition, the administration would also be able to hear about other risks and challenges being faced by those organizations, as well as new solutions that may be available.
Reassure the European community on the U.S.'s protection for data of European residents. Recent actions have resulted in concerns by organizations in the EU calling for a repeal of the Privacy Shield.