Rumors about a planned Trump Administration cybersecurity executive order offer signs of hope that many of the cyber policy lessons learned, often the hard way, during the past decade will not be forgotten. Unfortunately, its main thrust appears to be to call for more reviews of and reports on many of the problems we have been reviewing and reporting on for years.
Through the George W. Bush and Barack Obama Administrations, I was fortunate enough to have ringside seats for watching U.S. cybersecurity policy initiatives play out from Congress, inside the White House, and out in the private sector. From those experiences, I can safely say we have studied this problem to death. Now, with light staffing across the National Security Council and federal agencies, more internal government reviews and reports will not improve our cyber defenses.
While it is a long Washington tradition for every new president to put his own stamp on policy before moving forward, in the words of Sean Henry, the FBI’s former cyber-crimes director and now President of CrowdStrike, “Most of the order has been completed previously, so the reporting already exists.”
Instead, this NSC should tee up many of the quick wins from the CSIS Cyber Policy Task Force (of which I was a director) and the Obama Administration Commission on Enhancing National Cybersecurity, and focus their reviews on continuing longer term strategic homeland security, diplomatic, and military initiatives, where shifting technology will always require policy imagination.
Cherry picking from these efforts, there are three areas with policies ready to be pulled off the shelf: cooperation with the private sector, adjusting the policy problems in securing federal networks, and developing world-class cyber talent.
During the past eight years, there has been significant focus on how to “protect” the private sector. However, the market for security is already moving in the right direction by focusing on what works instead of on FUD (fear, uncertainty, doubt) marketing. Examples of this maturity include improving visibility among security companies through the Cyber Threat Alliance (a group of cybersecurity practitioners that pool information in order to improve cyber defenses); the influence on risk management in the insurance market of the Cybersecurity Framework (a government-created policy framework for the private sector on how to prevent, detect, and respond to cyberattacks); and the growing adoption of bug bounty programs (designed to reward hacking that exposes cyber vulnerabilities before they are exploited). We need to stop thinking of the private sector as a charge to be cared for and more as a partner.
This Administration should work on making its own incidents more transparent to improve understanding of vulnerabilities facing everyone. An inability to declassify relevant data faster has always been an impediment to cyber information sharing. The Obama Administration put its finger on the scale of declassifying new vulnerabilities for public safety. We must double down here to better protect our digital infrastructure and ensure the private sector continues to move toward what works, not who holds the most information.
As for funding the “big fix” for federal networks, after the Office of Personnel Management breach in June 2015 resulted in the loss of millions of employee records, the Obama Administration laid out a way forward for energizing cybersecurity under the Cybersecurity National Action Plan. Specifically, the plan involves appropriating $3.1 billion for an Information Technology Modernization Fund, allowing agencies to invest money right away while retiring outdated and insecure systems that the federal government spends $90 billion to maintain, a massive cost savings. This concept is supported by both parties in Congress and reflects how cyber has remained a bipartisan initiative, even over many years and policy fights. These efforts to revitalize federal IT infrastructure are an excellent investment and should be near the top of the priority list.
One of the most widely supported recommendations to come out of the CSIS task force was to accelerate the next generation of cyber talent by funding national and state efforts to increase technical skills, and even ethical hacking, in schools. On top of this, many efforts are already underway to better understand job roles in cyber and to build pipelines for expanding our federal cyber workforce. Rather than freezing hiring of federal employees involved in cybersecurity, this Administration should implement an ambitious education and workforce plan for cybersecurity professionals.
NSC work on cybersecurity policy reached a crescendo at the end of the Obama Administration and has produced some of the most comprehensive policy roadmaps and expert advice ever collected around one issue. The NSC’s role is to help coordinate expert guidance and tailor execution of presidential policy. This Administration has the opportunity to pick up where we left off and move boldly against rapidly evolving cyber threats facing our nation. Studying a problem once again to arrive at the same conclusion but under different program names would be a terrible waste of valuable time, time that frankly we don’t have.