The Trump administration is already developing a pattern of being long on oratory but short on tangible action, and, sad to say, the President’s cybersecurity Executive Order is following the script.
No matter, it seems, that massive and increasing cyberattacks domestically and internationally are shredding confidence in the ability of major institutions to protect sensitive, typically consumer-centric data.
The latest addition to the list of gargantuan cyber casualties is Equifax, the giant credit reporting agency, which failed miserably in coping with the theft of personal data on more than 145 million Americans. Shortly before were the WannaCry and NotPetya global ransomware attacks. And this month we heard that the massive data breach at Yahoo four years ago actually impacted not 1 billion Yahoo accounts but 3 billion – all consumer accounts, period, at Yahoo.
“There is a narrow and fleeting window of opportunity before a watershed, 9/11 level cyber attack to organize effectively and take bold action,” the National Infrastructure Advisory Council wrote in a report less than two months ago. “We call on the administration to use this moment of foresight to take bold, decisive actions.”
And yet the Trump team continues to falter. Government civilian and military agencies had a 90-day deadline to review and assess their cybersecurity status and propose improvements.
Eight deadlines related to this have come and gone, and more are approaching. Why the sluggish performance?
Senator John McCain put it succinctly. “Unfortunately, leadership from the executive branch on cybersecurity has been weak,” he recently said.
The White House and agency officials have said the required reports are coming along. But they don’t say when they will be submitted, nor do they say which of many subordinate deadlines, if any, have been met.
It probably doesn’t help that numerous members of the National Infrastructure Advisory Council, which advises the Department of Homeland Security on infrastructure and cybersecurity issues, recently resigned, citing concerns about the Trump administration regarding cybersecurity policy and other matters.
The Trump cybersecurity Executive Order was built largely on existing policies and initiatives, but it nonetheless was the first formal cybersecurity policy — or at least the skeleton of a policy — issued by a U.S. president. It was a call to action in May, more than past administrations had done, and it was just a start — all the more reason why ongoing delay in these perilous times is extremely risky.
The administration needs to get moving because there is much important work to be done. Take, for example, the goal of improved protection of U.S. infrastructure. The administration must respond decisively to the fact that our electric grid and other key components of national infrastructure were designed to be functional, not secure.
I don’t know what the administration will ultimately do to fix this, but I recommend a three-pronged strategy.
- The government should define a level of expected cyber resiliency and produce a methodology to protect it.
- We should create a clearing center for the implementation of best practices in grid security.
- We should form an industrial bank to provide long-term financing to utilities that need it in order to help implement this.
Here is my take on other key measures that must be taken — sooner, rather than later — to improve government cybersecurity. The first is addressed in Trump’s EO; the others remain insufficiently addressed or not at all.
* The EO’s call for federal government agencies – especially civilian agencies – to seek opportunities to share cyber technology is a good move.
In my opinion, it’s unwise to reinvent the wheel, one government silo at a time. Cloud-based computing and security frameworks available today make a holistic approach realistic. Data security frameworks would then be layered atop the cloud framework so that data can be shared while also encrypted. Individual agencies could then build on this framework for their unique needs.
True, government silos have varying degrees of expertise, resources and sophistication. But security is only as strong as the weakest link in the network. If addressed, adversaries will find and exploit that link.
* Cybersecurity experts in U.S. intelligence agencies must share some of their knowledge with American companies.
Their expertise could also be tapped to help develop a “cybersecurity infrastructure bank” – a bank that would loan government funds to small utilities, water plants and the like to help them quickly upgrade their cyber defenses.
* Steps must be taken to persuade the government to purchase cybersecurity technology and services from innovative startups.
The government today relies mostly on large, established cyber vendors, many of which do not sell state-of-the-art wares. Startups, by definition, must be innovative or die.
* The government should cease buying cyber technology and related gear from foreign sources. It’s too risky.
The government already follows this policy to some extent, but must do more. On the plus side, China-based Huawei Technologies, the world’s largest telecommunications equipment manufacturer, is banned from selling its gear in America. The company is reputedly controlled, in part, by China’s People Liberation Army.
Hopefully, before much longer we will hear from each agency in the executive branch regarding what their security measures are and what are deemed to be significant risks. From there – again, hopefully — work will mitigate the risks. Steps taken don’t necessarily have to follow my suggestions, but must be worthwhile.
Let’s try to be optimistic. As I said, at least we have a call to action. As Abraham Lincoln once said, “Determine the thing that can and shall be done, and then we shall find the way.”