There are two overriding points regarding President Trump’s executive order (EO) outlining plans to improve data security for federal agencies and to better protect critical U.S. infrastructure.
Firstly, this development was truly important — a serious call to action to beef up government cybersecurity measures at a time when breaches dominate the headlines and mounting worries about a future cyber war among nation-states are legitimate. Secondly, while this executive branch step was absolutely necessary, it is insufficient. We need to go much further.
The EO’s call for federal government agencies — especially civilian agencies — to seek opportunities to share cyber technology makes a great deal of sense.
Why reinvent the wheel, one government silo at a time? Eventually, this would spell disaster. And cloud-based computing and security frameworks available today make a holistic approach eminently possible.
Data security frameworks would then be layered atop the cloud framework so that data can be shared while also encrypted. Individual agencies could then build on this framework for any number of unique needs.
I know that government silos have varying degrees of expertise, resources and sophistication and are likely to embrace the counter-argument that they should largely remain silos. But security is only as strong as the weakest link in the network. If addressed, adversaries will find and exploit that link. In a large corporation, information technology requirements are not left to each function or department. Why should the government be different?
We need a mechanism in which cybersecurity experts in U.S. intelligence agencies could share some of their knowledge with U.S. industries, without disclosing too much information.
Experts at the forefront of coping with highly sophisticated cyber attacks at NSA and elsewhere need to be leveraged in the remedial process. This expertise could also be an element of a “cybersecurity infrastructure bank” — a bank that would loan government funds to small utilities, water plants and the like to help them quickly upgrade their cyber defenses.
We must recognize where most of the innovation in cyber actually takes place — in small, private cybersecurity startups — and take steps to help the government purchase technology and services from these companies.
The government today relies mostly on large, established cyber vendors and integrators, many of which do not sell state-of-the-art wares. The government must restructure procurement policies to attract more innovative blood into the game. Buying yesterday’s solution to defend against tomorrow’s challenges and threats is a waste of time and money — and does not make us more secure.
The government should cease buying cyber technology and related gear from foreign sources. As Russian and Chinese cyber attacks against the U.S., among others, help illustrate, it is simply too risky.
The government already does this to some extent, but it must do more. On the plus side, China-based Huawei Technologies, the world’s largest telecommunications equipment manufacturer, is banned from selling its gear in America, and for good reason. The company is reportedly controlled, in part, by China’s People Liberation Army. Now there is talk in Congress to ban Russian cybersecurity company Kaspersky Lab from doing business in the U.S.
The concern is logical. Trust is an absolute in vendor selection. Maybe Kaspersky hasn’t done anything wrong. But why not switch to a competitor anyway? We know Russia is engaging in nefarious activities, and there is evidence that Russia collaborates with private Russian security firms.
Last week, an incident at a Senate Intelligence Committee hearing said it all. The heads of six intelligence agencies, asked by Sen. Marco Rubio (R-Florida) whether they would be comfortable using Kaspersky software, all flatly said no. These agencies included the CIA, NSA and FBI.
U.S. infrastructure, including the electric grid, is much too vulnerable to cyber attack. The systems were designed to be functional, not necessarily secure, and that is clearly unacceptable.
A three-pronged strategy can begin fixing things. 1) The government should define a level of expected cyber resiliency and produce a methodology to protect it. 2) We should create a clearing center for the implementation of best practices in grid security. 3) We should form an industrial bank to provide long-term financing to utilities that need it in order to help implement this.
We must deal with the reality that many smaller utilities today have neither the financial nor technical resources to become secure.
President Trump’s EO sets a 90-day deadline for each agency in the executive branch to submit a risk management report. It would describe their security measures and what are deemed to be significant risks. It also requests a study to determine whether at least some agencies can realistically adopt consolidated network architectures.
Ninety days brings us to late summer. Let’s hope meaningful progress is made by then — and that the disseminated reports are secured, not a visible roadmap to our vulnerabilities. A major overall fix is still years away. But you have to start somewhere. As Mark Twain once wrote, “The secret to getting ahead is getting started.