It’s finally over! A long, contentious, and tumultuous Presidential election is finally behind us. While both candidates have, at some point, touched upon the concept of cybersecurity—Mrs. Clinton and the widely publicized email server on one hand, Mr. Trump and his calls for Russian hackers on the other—neither candidate laid out a comprehensive plan for cybersecurity under their administration.
Now that Mr. Trump is set to take the oath of office in January, we’re asking the President-elect to seriously consider our data’s security at the federal level.
Expanded Cabinet Influence
It’s well-documented that the battleground of the future will be digital as much as physical. President Obama even went so far as to call it the fifth domain of warfare. We can’t begin to fight in that arena unless someone who has real-world, practical expertise is advising the President about federal policy and emergency defensive measures. The White House announced it had created the position of Federal Chief Information Security Officer (CISO) on September 8, 2016. This was an action item from the Cybersecurity National Action Plan (CNAP) earlier in the year.
This is a great step in the right direction, one we hope will see continued momentum in the new administration. A Federal CISO, however, only addresses one component of the entire cybersecurity picture. Appointing a new cabinet position—a Secretary of Cybersecurity—whom the Federal CISO and other experts are accountable to would be a powerful statement. It would be an effective way to ensure that national cybersecurity policy is well informed and has a reasonable chance to succeed.
Standardize Data Breach Notification Requirements
Organizations in the United States must understand and adhere to up to 47 different state breach disclosure notification laws. That’s right, forty-seven. A federal standard would go a long way toward simplifying the process for organizations that happen to be compromised, yet no federal legislation is anywhere in sight. This feels like a relatively easy win for the new administration to champion.
Engage Private-sector Expertise
Government leadership is great, but policy decisions have a far-reaching effect on the private sector as well. These organizations have their own concerns and needs that don’t always align with government perceptions about security. For the big decisions and policy discussions, the government should engage security experts and leaders from the private sector to ensure that legislation benefits all the industries it affects directly.
The Commission on Enhancing National Cybersecurity and the Cybersecurity Strategy and Implementation Plan are a start, but we have a long way to go. As part of this effort, the federal government should move national cybersecurity programs out of the intelligence world. Security clearances and other barriers to cooperation and collaboration make it difficult for intelligence agencies to communicate with private-sector experts. These artificial barriers do nothing but harm what should be a mutual partnership.
Take Your Own Medicine
The federal government faces persistent threats that pose strategic, economic, and security challenges to our nation every day. To address these threats the government must boldly reassess the way it approaches security and significantly invest in critical testing, staff, and tools. These threats demand that we continue to enhance the security of the federal digital infrastructure and improve the ability to detect and respond to incidents as they occur.
For starters, all government systems should be tested with the realism of military training exercises. This means abandoning token penetration tests and conducting some down-and-dirty “I don’t care who gets offended” tests that will shine a spotlight on any vulnerabilities the testing happens to find.