Amid a whirlwind of executive orders and activity that characterised Donald Trump's first month in the White House are the nascent rumblings of cyber-security policy, but no definitive strategy or path to bolster the nation's cyber posture.
A recent NetSkope survey of 100 IT security professionals attending RSA found flagging confidence in how cyber-security will fare under Trump with 32 percent believing that cyber-security will be worse than in past administrations. Only 12 percent see a brighter future for cyber. More than a fifth of respondents, 21 percent, said that the administration's proposed cyber-policies put their data at greater risk and 68 percent believe the US will see an uptick in nation-state actors as a result of the administration's nationalistic rhetoric – only 11 percent don't believe there will be an increase in attacks.
SC Media asked cyber-security pros to give us a quick assessment of Trump's first month and office and what some of the rumblings coming from the administration might portend for cybersecurity. Here's what they had to say.
Paul Innella, CEO, TDI Security
One of the biggest fears that comes to mind is this: the government can be infinitely wide at times. Very anecdotally, cyber-analysts have an incredibly difficult time understanding operational intelligence, field agent intelligence. On the other hand, we have found that operational intelligence analysts can quite easily understand attack vectors and understand the cyber-analyst's job. The government, DOD, and intelligence community - the last couple of years - have been working on the functional position of a cyber-operational intelligence person, and I think this has brought an incredible amount of advocacy into cyber-space of how to treat intelligence from what has become a well-defined process. We already see that bringing the intelligence community into cyber-space is starting to really pay off. Yet, we have a president in the White House who seems to be diminishing the value of intelligence services and this could absolutely corrode advances in cyber-space with respect to working hand in hand with the intelligence community.
With respect to Obama's plan to protect the privacy of individuals, OMB Memorandum M-17-12 was moving forward quite well and was supported by both sides of the aisle. The whole intent was to figure out how to encourage consumers to be more aware and proactive about privacy protection. Now, all references to it on whitehouse.gov are gone. I cannot speak to the actual intent of the administration but I can say that in terms of immediate advocacy, it certainly doesn't seem like it's being bolstered. It seems like they've made it disappear.
Katherine Gronberg, vice president, government affairs, ForeScout
"The latest draft of the executive order (EO) stresses accountability and holds department heads responsible for managing risks to their enterprises. However, to be fair, departments must be provided the right security tools that allow them to know what's on their networks and to mitigate vulnerabilities.
The good news is that agencies are on track to have these tools soon through two major programmes: the Continuous Diagnostics and Mitigation in the civilian agencies and Comply to Connect for the Department of Defence. The new administration must prioritise and expedite these programmes and ensure they are adequately funded.
Above all, security teams should not get bogged down checking boxes and filling out reports. Their attention should be focused on implementing these programs that allow them to become compliant.
Phil Dunkelberger, CEO, Nok Nok Labs
The President's biggest strength is his force of will, using the bully pulpit of his office to accelerate the changes needed in both government and private companies. What is needed is a “Big Idea” on cyber-security - like the Manhattan Project was a Big Idea - a manifesto that pulls together the whole country in the effort to improve cyber-security. The recommendations that came out of the prior administration are a good place to start. They referenced multi-factor authentication and the need for a stronger approach. But, of course, they don't go far enough and some big holes remain.
There is a worrisome lack of public-private partnership in cyber-security but it is not due to a lack of options. There are multiple opportunities to build a better partnership - everything from DoD Labs to projects with venture-funded start-ups with innovative technologies. Additionally, it is vital that this administration learns from the mistakes of the past. It is well-documented that securing login credentials is a vital security concern. This administration needs to take the lessons learned from the breach at the Office of Personnel Management to heart and institute policies where sensitive identity information is as distributed as possible, avoiding centralised server-databases filled with identity credentials.
The US frequently takes a leadership role in technology initiatives, but there needs to be more substantive movement to address data breaches. Through nothing more than administrative policy, this administration has the ability to greatly advance good cyber-security practices and develop emerging technology.
Jay Chitnis, chief marketing officer, Enterprise Business Unit, Synchronoss Technologies
By using an insecure device, President Trump is opening himself up to threats of malware, ransomware, spyware and data leakage - of personal data as well as critical national data that is of top priority to remain secure. Not only that, if the President's device is lost or stolen, all of the data there within is at risk of being compromised.
While consumer-grade security is acceptable for certain job titles, it is not appropriate for those that have national security implications. Clients in regulated industries require more secure tools and President Trump's issue is exactly what we see from other users who want to use their personal devices to access corporate - in this case, national, data.
From a compliance perspective, it's critical that someone step in and advise President Trump to take necessary security precautions. His best bet for securing his device, would be to implement a containerised approach to mobile use. Installing a secure on-device container, would allow the President to work safely from any location, keeping communication securely enclosed, fully encrypted, and out of harm's way in terms of cyber-attacks and threats. Additionally, if his device were to be lost or stolen – or even if an incorrect login were repeated too many times – the confidential information captured in the secure container can be remotely deleted.
Tom Kellermann, CEO, Strategic Cyber Ventures
Cyber-security is obviously not a priority. American cyber-space is being colonised and the administration is naval gazing. It must stop admiring the problem and enact true stratagems which will civilise American cyber-space. Here are some steps to take:
- Leave cyber in DHS - don't move it to OMB.
- Elevate all CISOs to report to Secretaries of Departments and allocate 20 percent of the department's IT budget to their security priorities.
- Take the gloves off Cyber Command as she must be empowered to defend American cyber from the Russian, Iranian and Chinese cyber campaigns.
- Expand regulations or alternative payment systems and forfeiture laws for all payments utilised in cyber-crime conspiracies. Channel the capital into a cyber-security superfund.
- Increase the cyber budgets for DHS, NSA and DOJ by a factor of 3.
- Modernise the FCC to tackle DDoS via authorisation to sinkhole C2.
- Define cloud infrastructure as critical infrastructure.
- Mandate that the USTR make “industrial espionage facilitated by cyber” an agenda item for the next WTO meeting.
- Appoint a cyber-security ambassador and correspondent cyber-attaches.