Amid a whirlwind of executive orders and activity that characterised Donald Trump's first month in the White House are the nascent rumblings of cyber-security policy, but no definitive strategy or path to bolster the nation's cyber posture.
A recent NetSkope survey of 100 IT security professionals attending RSA found flagging confidence in how cyber-security will fare under Trump with 32 percent believing that cyber-security will be worse than in past administrations. Only 12 percent see a brighter future for cyber. More than a fifth of respondents, 21 percent, said that the administration's proposed cyber-policies put their data at greater risk and 68 percent believe the US will see an uptick in nation-state actors as a result of the administration's nationalistic rhetoric – only 11 percent don't believe there will be an increase in attacks.
SC Media asked cyber-security pros to give us a quick assessment of Trump's first month in office and what some of the rumblings coming from the administration might portend for cybersecurity. Here's what they had to say.
Paul Innella, CEO, TDI Security
One of the biggest fears that comes to mind is this: the government can be infinitely wide at times. Very anecdotally, cyber-analysts have an incredibly difficult time understanding operational intelligence, field agent intelligence. On the other hand, we have found that operational intelligence analysts can quite easily understand attack vectors and understand the cyber-analyst's job. The government, DOD, and intelligence community - the last couple of years - have been working on the functional position of a cyber-operational intelligence person, and I think this has brought an incredible amount of advocacy into cyber-space of how to treat intelligence from what has become a well-defined process. We already see that bringing the intelligence community into cyber-space is starting to really pay off. Yet, we have a president in the White House who seems to be diminishing the value of intelligence services and this could absolutely corrode advances in cyber-space with respect to working hand in hand with the intelligence community.
With respect to Obama's plan to protect the privacy of individuals, OMB Memorandum M-17-12 was moving forward quite well and was supported by both sides of the aisle. The whole intent was to figure out how to encourage consumers to be more aware and proactive about privacy protection. Now, all references to it on whitehouse.gov are gone. I cannot speak to the actual intent of the administration but I can say that in terms of immediate advocacy, it certainly doesn't seem like it's being bolstered. It seems like they've made it disappear.
Katherine Gronberg, vice president, government affairs, ForeScout
The latest draft of the executive order (EO) stresses accountability and holds department heads responsible for managing risks to their enterprises. However, to be fair, departments must be provided the right security tools that allow them to know what's on their networks and to mitigate vulnerabilities.
The good news is that agencies are on track to have these tools soon through two major programmes: the Continuous Diagnostics and Mitigation in the civilian agencies and Comply to Connect for the Department of Defence. The new administration must prioritise and expedite these programmes and ensure they are adequately funded.
Above all, security teams should not get bogged down checking boxes and filling out reports. Their attention should be focused on implementing these programs that allow them to become compliant.
Phil Dunkelberger, CEO, Nok Nok Labs
The President's biggest strength is his force of will, using the bully pulpit of his office to accelerate the changes needed in both government and private companies. What is needed is a “Big Idea” on cyber-security - like the Manhattan Project was a Big Idea - a manifesto that pulls together the whole country in the effort to improve cyber-security. The recommendations that came out of the prior administration are a good place to start. They referenced multi-factor authentication and the need for a stronger approach. But, of course, they don't go far enough and some big holes remain.
There is a worrisome lack of public-private partnership in cyber-security but it is not due to a lack of options. There are multiple opportunities to build a better partnership - everything from DoD Labs to projects with venture-funded start-ups with innovative technologies. Additionally, it is vital that this administration learns from the mistakes of the past. It is well-documented that securing login credentials is a vital security concern. This administration needs to take the lessons learned from the breach at the Office of Personnel Management to heart and institute policies where sensitive identity information is as distributed as possible, avoiding centralised server-databases filled with identity credentials.
The US frequently takes a leadership role in technology initiatives, but there needs to be more substantive movement to address data breaches. Through nothing more than administrative policy, this administration has the ability to greatly advance good cyber-security practices and develop emerging technology.
Jay Chitnis, chief marketing officer, Enterprise Business Unit, Synchronoss Technologies
By using an insecure device, President Trump is opening himself up to threats of malware, ransomware, spyware and data leakage - of personal data as well as critical national data that is of top priority to remain secure. Not only that, if the President's device is lost or stolen, all of the data there within is at risk of being compromised.
While consumer-grade security is acceptable for certain job titles, it is not appropriate for those that have national security implications. Clients in regulated industries require more secure tools and President Trump's issue is exactly what we see from other users who want to use their personal devices to access corporate - in this case, national, data.
From a compliance perspective, it's critical that someone step in and advise President Trump to take necessary security precautions. His best bet for securing his device would be to implement a containerised approach to mobile use. Installing a secure on-device container would allow the President to work safely from any location, keeping communication securely enclosed, fully encrypted, and out of harm's way in terms of cyber-attacks and threats. Additionally, if his device were to be lost or stolen – or even if an incorrect login were repeated too many times – the confidential information captured in the secure container can be remotely deleted.
Tom Kellermann, CEO, Strategic Cyber Ventures
Cyber-security is obviously not a priority. American cyber-space is being colonised and the administration is navel-gazing. It must stop admiring the problem and enact true stratagems which will civilise American cyber-space. Here are some steps to take:
- Leave cyber in DHS - don't move it to OMB.
- Elevate all CISOs to report to Secretaries of Departments and allocate 20 percent of the department's IT budget to their security priorities.
- Take the gloves off Cyber Command as she must be empowered to defend American cyber from the Russian, Iranian and Chinese cyber campaigns.
- Expand regulations or alternative payment systems and forfeiture laws for all payments utilised in cyber-crime conspiracies. Channel the capital into a cyber-security superfund.
- Increase the cyber budgets for DHS, NSA and DOJ by a factor of 3.
- Modernise the FCC to tackle DDoS via authorisation to sinkhole C2.
- Define cloud infrastructure as critical infrastructure.
- Mandate that the USTR make “industrial espionage facilitated by cyber” an agenda item for the next WTO meeting.
- Appoint a cyber-security ambassador and correspondent cyber-attaches.
Bob Hammer, CEO, Commvault
I am pleased that the new administration recognises the importance of improving federal agencies' cyber-security. Recent events have highlighted that the US Government needs to be well prepared to defend against cyber-attacks and should take strong action to combat the growing cyber-security threat.
Federal, state and local governments are often relying on out of date or incomplete intrusion detection and mitigation technologies. In addition, they often deploy legacy infrastructures that are pieced together over time which makes them more vulnerable to cyber-attacks. Overhauling fragmented legacy infrastructures will prove challenging, but the move to a secure cloud combined with a holistic data management strategy that includes enhanced data securitisation will enable a more robust and agile system that will help achieve broader security goals in the long term.
Having worked with many top federal agencies, including the Department of Commerce, Department of Justice and Department of the Interior, Commvault possesses a deep understanding of federal agencies' data management needs. Our powerful data platform allows agencies to ensure that only authorised and authenticated users can access specific data, and also enables agencies to move rapidly to more secure and modern cloud environments.
This approach will help prevent attackers from accessing government data, allow quick detection of potential threats, minimise unauthorised access to data through strong authentication and authorisation tools, and allow them to quickly implement disaster recovery steps to restore systems, all while offsetting the high costs of managing and owning their own hardware and data centres.
Hank Thomas, partner and COO, Strategic Cyber Ventures
If the rumours are true, the Office of Management and Budget taking on the role of evaluating the cyber-security status of federal agencies is a step in the right direction. They are highly respected in Washington for having quality people, but they don't necessarily have a reputation for being an organisation with much cyber expertise. They better start looking for the right talent for this critical task now. The war on talent is real, and OMB will need to develop strategies to find people that can truly help our government's cyber-security teams hit the reset button.
John Bambenek, threat systems manager, Fidelis Cybersecurity
Creating an incentive system for manufacturers to cook security into products is long overdue. The entire risk profile of the Internet of Things is that manufacturers who never had a huge need to worry about product cyber-security have rushed to put devices online while engaging in little thought of cybersecurity. The much reviled Mirai botnets wouldn't exist if manufacturers followed best practices that were a consensus in the 90s -- practices that included not having default passwords or unencrypted open services listening on the internet. It's long overdue to make cyber-security part of the economic equation, and I look forward to what they come up with on that front.
A review of vulnerabilities and determinations of our adversaries will not result in new information. While it is early in the administration, some leeway should be given for them to define the problems for themselves. But such studies have been undertaken repeatedly and uncovered little new information. We don't need more government white papers; we need some action already. Some of that action will involve routine, but unsexy, activities like introducing real risk management into how computing infrastructure is used in government and thinking beyond merely what classification labels are on documents.
David Zahn, CMO and GM, cybersecurity business unit, PAS
There is some debate on whether a 60-day cyber-security review is worthwhile. Let's not miss the irony of a leaked executive order as a proof point that our federal government needs better security around information. Can officials perform such a review in time to provide solid recommendations? Many departments can as they've performed this exercise previously. Many will not meet the deadline or provide incomplete information. But, it is forward progress, and it is good that we want to accelerate our efforts as it seems like we are constantly playing from behind with today's cyber-threats.
Thankfully, the leaked order prominently features critical infrastructure throughout the document. Even in light of recent high profile data breaches, protecting critical infrastructure must remain at the forefront of national priorities due to the implications it has on our economic, environmental, and national security well-being. The lights in our houses, the gasoline in our cars, and the chemicals in our everyday household products are outputs of critical infrastructure. If the order is executed, by the way, it will fulfill a campaign promise where then presidential candidate, Donald Trump, promised a Cyber Task Force Review that includes critical infrastructure.
Most of the leaked executive order is straightforward, but there is one section that stood out more than the others. In the Private Sector Infrastructure Incentives Report section, the group preparing the report has the usual suspects, but it also allows the Secretary of Commerce to invite the Chair of the Securities and Exchange Commission (SEC) and the Chair of the Federal Trade Commission (FTC) to participate. Why is this significant? It opens up the possibility for greater oversight by these two organisations. The SEC already requires breach disclosure and cyber audits within the financial industry. The implication is that this same scrutiny may come to oil & gas, for example, which is largely unregulated for cyber-security.
Arvind Parthasarathi, CEO and founder, Cyence
Regarding the administration's recent decisions and executive orders on cyber-security, two issues for consideration have arisen: how do we define cyber risk and do we use a strictly technology-driven approach to protect ourselves?
While the executive order on "critical infrastructure" addresses two important components of cyber-risk -- data breaches and industrial control systems -- cyber-risk also spans intellectual property and trade secrets being stolen from US companies, resulting in lost revenue and jobs. It's about business interruption of US goods and services through DDoS and other attacks. It's about reputational damage of US companies affecting customer and business confidence in the US from all over the world. Furthermore, in the 21st century, cyber risk is an existential and endemic issue in every aspect of an individual's life and an organisation's – or in this case, a country's - operations.
Cyber-risk is often thought of as a technology problem, but it is actually just as much a people and process problem. For example, you can have the latest security systems and an employee will write down the password on a sticky note and leave it on the monitor. Or you can build a house with the best designs and materials, but you can't guarantee the house will withstand a major earthquake. Similarly, there is no amount of cyber-security technology an organisation can purchase to guarantee it will be 100 percent safe. We need to start treating cyber like any other business risk, and that means doing our best to manage it with the understanding it will never be dialed down to zero.
We need to change the discussion around cyber-risk from technical jargon to a business level discussion of probabilities and dollars - a topic that should resonate with the new administration. Managing cyber as a business risk requires a holistic discussion on how much cyber-security we are seeking and how much we are willing to pay for that security across people, process and technology.
Richard Stiennon, chief strategy officer, Blancco Technology Group
[Former New York City Mayor] Giuliani is right in thinking there are a lot of solutions to cyber-security issues already. There is an entire industry dedicated to countering the types of threats that plague both the US government and critical infrastructure. But the answer is not better sharing - the answer is to use the technology available. Perhaps Mr Giuliani can work to expedite the federal approval processes for new security technology. In the meantime, Mr Giuliani can embark on a program of discovery to unearth what works and what doesn't within the hundreds of federal agencies. He will find that there are pockets of good security. It is those organisations that should be encouraged to share the processes and techniques they have used to shore up their defences.
While there are some quick fixes, the urgent need is to rapidly re-build the way critical infrastructure approaches security. Spear-phishing is rampant, as the world saw demonstrated in the attacks on the DNC and John Podesta's email account. While not trivial to fix, there are dozens of ways to prevent successful spear-phishing attacks. These can be quick fixes, while a more comprehensive government wide program can be implemented.
That program should include an exhaustive discovery of data, systems, and users. Only by knowing what you have can you embark on the journey to protect it. Vulnerability assessments, backed up by rigorous patch management, will curtail the number of breaches and the cyber-espionage being carried out right now. Data discovery to find critical information stores will unearth OPM-style databases of confidential information. A rigorous data protection plan, once put in place, will ensure that that critical data is encrypted, keys are managed, and, as the data reaches end of life, it is securely erased forever.
Nathan Wenzler, chief security strategist, AsTech
The cyber-security issues facing the nation are no different than they were before the recent elections: nation-state actors looking to steal intelligence or other national secrets, attackers looking for ways to disrupt our technical infrastructure that supports every aspect of our country from power and utility services to retailers and restaurants, and of course, cyber-criminals with aims to make financial gains by stealing data, leveraging ransomware or obtaining intellectual property that can be sold or repurposed. These issues are non-partisan and, in our Internet-connected world, affect every aspect of our lives. It is critical that the nation's leadership take these issues seriously and continue to guide the country in a direction that will safeguard our infrastructure and protect the interests of its citizens.
However, what we have seen from the current administration so far suggests a somewhat troubling possibility that cyber-security is not being taken seriously. We have seen allegations of Russia hacking government and political organisation systems met with near-indifference from the Senate committees involved. There have been reports that President Trump continues to use an unsecured phone on a day-to-day basis to read emails, documents and other sensitive materials. Recently, it was also reported that classified intelligence was reviewed publicly with many non-authorized people nearby. And in a break from tradition, no representative from the administration came to this year's RSA Security Conference, nor was the often mentioned Executive Order regarding cyber-security made available for review.
As a security professional, these are fairly troubling signs to me that the current leadership at many levels of the federal government may not be taking cyber-security as seriously as it should. Without question, this definitely erodes my confidence in making meaningful gains toward improving the nation's security posture. Even before attempting to address the existing technical challenges, which are already daunting, the administration not demonstrating a serious commitment to cyber-security, even in performing their common activities, will only make getting buy-in from the security community for any cyber-security efforts much harder.
Chris Roberts, chief security architect, Acalvio
Obviously, there are concerns over the overall security practices that seem to have filtered into the White House, the inability to hold things in confidence and the lack of trust that seems to be both within the White House itself and those coming to/from it.
The challenge is the lack of experience most of the staff members have with security cleared material. This is in addition to the “holding in confidence”. However, simply put, there are lives at stake in many cases and we're fairly certain that the current administration doesn't fully understand what it takes to actually gain some intelligence.
We are now dealing with a POTUS whose attention span is that of a Super Bowl commercial on fast forward and seems to require less intelligence data and less overall strategic awareness than his predecessors. Being able to get the message across that the world of electronic/cyber-warfare is serious, and needs immediate attention, is going to be tough.
Given the fact that many in the new administration are new to the fields that they have been thrust in, I see part of the issue is that of educating them of the current and future threats in a manner that they can comprehend. This is an extremely daunting task when faced with someone who's lived inside the Intelligence field at times, let alone someone whose business up to this point has been running an industrial giant or one of father's off-shoots.
To be honest, we were behind. Of that there are no doubts. This is going to put us even further back.