It could take months to know what the Trump administration’s cybersecurity policy will be. Cyber-defense experts weigh in with advice and best practices for securing your company today.
The divisive US presidential election was heavily influenced by an explosion of social media and the rise of hacking. If any one fact is certain it is that technology is the new normal. During his first 100 days in office President-elect Trump will be tasked with solving a number of policy challenges that require a technological solution, like modernizing the economy, encouraging business innovation, determining immigration and visa policy, and protecting the United States government and companies from attack.
Cybersecurity is an imminent challenge that requires attention from the new government. Realistically it could take months—or years—to deploy a feasible federal cyber-defense policy. In the meantime, said Carbonite’s chief evangelist Norman Guadagno, enterprise companies and SMBs should encourage internal best practices, promote employee training, and have a cyber-defense plan in place. “Almost one in five small business owners say their company has had a loss of data in the past year,” he explained, “yet only 54 percent say if they were hacked from the outside, they would not know what to do.”
Because of the interwoven nature of government and corporate cyberattacks, cybersecurity policy necessitates delicate diplomacy and a nuanced understanding of the hacking ecosystem. “The next president should support widespread investments in cybersecurity and advocate for a layered approach,” Guadagno said. He and a number of cybersecurity experts offered advice for both the next president and for private companies.
Leo Taddeo – CSO, Cryptzone (former FBI, Special Agent in Charge – Cyber/Special Ops)
The President should make good on his promise to cut regulatory red tape by starting with the myriad cyber regulations that companies have to deal with. Financial institutions are especially hard hit by these requirements. If the government could create a unified and consistent cyber regulatory framework, private enterprises would be able to shift resources from compliance to real security. This would certainly be an improvement in the resilience of critical networks.
Chris Pogue – CISO, Nuix
The cyber-threats will be the same in the first 100 days of President Trump’s administration as they were in the last 100 of President Obama’s administration. They are ever present, unrelenting, and pose a clear and present danger to the security of the United States of America. With everything from SIGINT (Signals Intelligence) and HUMINT (Human Intelligence) to combat operations; from policy decisions to taxpayer personally identifiable information; from the President’s travel plans to the White House dining menu – everything is digital.
SEE: Security awareness and training policy (Tech Pro Research report)
[A] compromise of our government’s data, regardless of the source of the attack; malicious insider, whistle blower, organized criminal groups, or nation state actors all have the same impact – our data is in the hands of people who do not have the best interests of our country in mind. There is no good outcome from this; there is no silver lining. There is no circumstance where such a compromise should not be considered a significant breach of security.
Keith Lowry – SVP, Nuix
Foreign nation states, shadowy hackers, and cyber-terrorists aren’t the only ones trying to steal or destroy our data. They all have something in common; namely, they all sit outside an organization’s perimeter defenses. However, insider threats are just as likely to be guilty of wrongdoing as these external malefactors. A thorough defense-in-depth program needs to account for all potential bad actors, and insider threats require a different type of approach to detect and counter.
Chris Sullivan – CISO and CTO, Core Security
The President-elect has pledged a couple of things. First, he has promised to begin striking back. This sounds great but is more complicated than most people realize. For example, did the Russians really tamper with the US election or was it people wanting to look like the Russians? In the digital world, accurate attribution can be elusive because tangible things like fingerprints are just zeros and ones that can be changed by anyone. The President-elect also promised to perform a “top down” review of government systems with a “cyber review” team. This team will be led by top people from the public and private sector.
SEE: Three ways encryption can safeguard your cloud files (Tech Pro Research report)
These measures may help, but I think he is underestimating the response required. Like clean air or effective transportation infrastructure, a stable and protected digital infrastructure is a common good that requires treatment across all sectors.
Our government is structurally unprepared to deal with this. We have standards, regulations and procurement cycles that operate in multi-year timescales but the threat is evolving daily. Forgetting about the technical challenges and skill shortages, our $4.1 trillion bureaucracy needs to get agile fast.
From Katie Lewin – Federal Director, Cloud Security Alliance
Historically when the executive and legislative branches of the federal government are controlled by the same party, government spending increases. Both branches of government are led by members of the same party and therefore often have the same spending priorities. With that being said, cybersecurity will be a priority of this administration. There is already early evidence of this, as security, including cybersecurity, was one of the three top issues in the Trump campaign and now the first cabinet-level appointees were in the security arena further supporting this.
Trump also campaigned on improvements to infrastructure. This includes technical and network infrastructure. A key element of technical infrastructure improvements will be enhanced security. [The] Trump administration is committed to establishing a Cyber Review Committee composed of military, defense and commercial experts to provide recommendations for safeguarding our cyber profile with technologies tailored to likely threats.
By Dan Patterson | November 28, 2016, 10:15 AM PST