A new administration’s priorities are often set within its first 100 days. What should the new administration do to help the country achieve greater levels of cyber maturity and risk mitigation?
In a 1933 radio address, U.S. President Franklin D. Roosevelt coined the term "the first 100 days" in reference to the special session of the 73rd Congress. The term now refers to the first 100 days of a new president's term, which often set the tone and tenor of the administration. For Roosevelt, the pressing concern was passing New Deal legislation; for president-elect Trump, one of the most pressing issues is the state of the nation's cybersecurity.
Motivating business and government to adopt a more aggressive stance toward mitigating cyber risk will not be easy. Even with constant headlines about new breaches (e.g. Yahoo's recently disclosed email hack), many leaders say the right words to reassure stakeholders that they are addressing the problem while remaining reluctant to allocate the resources that significant improvement requires.
Change is mandatory. Nation states steal massive amounts of intellectual property, impeding our economic growth. Ransomware incidents cut into the profits of many businesses. Personally identifiable information lost in the OPM breach may be used to blackmail individuals into spying on the U.S. government. And boards of directors and C-suites face a growing number of disruptive shareholder suits and regulatory actions.
What early leadership steps could the new president take to decrease the overall cyber risk faced by the country? We humbly suggest three early initiatives:
Fully implement a strong national cybersecurity policy.
Action requires vision, and establishing a national cybersecurity policy lays the foundation for addressing cyber risk in a comprehensive way. In February 2016, President Obama got the ball rolling by establishing the Commission on Enhancing National Cybersecurity. Its charter is to “make detailed short-term and long-term recommendations to strengthen cybersecurity in both the public and private sectors… and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices.”
Strong bipartisan support exists in Congress for establishing nationwide initiatives to prepare for cyberattacks. President-elect Trump has an opportunity to speak on behalf of new legislation recommended by the Commission, and to encourage commercial enterprises as well as government agencies to take more determined actions to mitigate risk.
Adopt the NIST Cybersecurity Framework as a national standard.
Executive Order 13636, issued in February 2013, directed the National Institute of Standards and Technology (NIST) to "lead the development of a framework to reduce cyber risks to critical infrastructure… The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks."
Developed by experts, the Cybersecurity Framework (CSF) has rapidly gained support from many compliance bodies and is widely recognized as the "gold standard" for assessing cyber maturity. Encouraging its widespread use would also produce standardized assessment data from many organizations, giving analysts a common basis for identifying where cyber risk is concentrated and how it can be reduced.
Encourage partnerships that enable businesses and agencies to share cyber risk data, leading to faster detection and early warnings of cyberattacks.
The Cybersecurity Information Sharing Act, passed in 2015, has not been well received, mainly because of concerns about aggregating cyber information within government agencies that lack an adequate security track record. Better-conceived initiatives must address the needs and concerns of both business leaders and the relevant government agencies. Direction from the top is needed to assemble the critical mass of influential players that can define effective methods and structures for cyber information sharing.
The handoff of executive responsibility for our national cybersecurity is already being addressed just a few days after the election. Inside Cybersecurity reports that “President Obama’s commission on cybersecurity is planning to hold its last public meeting later this month prior to issuing policy recommendations in December for President-elect Donald Trump, as part of the administration’s efforts for a smooth transition on policies to protect critical industry data and networks.”
Cyberattacks represent a critical challenge facing the nation. Addressing cyber risk must be a high priority, and championing a strong national policy, adopting a robust assessment standard, and encouraging private/public information sharing are clear steps forward.