Given the unforeseen results of the 2016 US Presidential election, it is hard to predict the future, particularly in sorting out campaign promises from policy intent.
In general, President-elect Donald Trump’s pro-jobs, pro-business resolve will likely loosen constraints on companies in terms of industry regulations and taxation while supporting employee expansion and capital investments. Trump will need to reconcile his image as a populist Washington outsider who will champion the common man with the business leader that will ease burdens and restrictions.
Changes are most certainly going to be made to cybersecurity. The election itself was tarnished with security issues that created at the very least tension, and at its pinnacle, a kind of hysteria. A string of email attacks that ensnared DNC leaders and even Hillary Clinton’s campaign manager revealed the impact that cyberwarfare can have on a national election.
However, cybersecurity concerns didn’t end with the high-profile DNC email hacks. There was talk of a “rigged” election which sent state elections agencies scrambling to ensure that the elections process was free from cyber threats and tampering.
Now with growing outrage over the Yahoo breach and the lengthy notification delays, cybersecurity is becoming a runaway public issue. It could easily cost Yahoo a billion dollars or more in its acquisition price—which I like to call “the data breach discount”—or derail the agreement altogether. This comes against a backdrop of other network attacks, including the National Security Agency (NSA) being hacked and its clandestine exploits offered up for auction to the highest bidder. Tesco Bank and Adult FriendFinder also learned recently how dangerous, and damaging, cyber-attacks can be.
Data breaches are not only becoming larger and more frequent, they are generating more devastating consequences. Manipulation of financial systems and resulting losses at international banks show that cyber-attacks can lead to fraudulent wire transfers, millions of dollars of losses, and even potentially financial instability. And what could be more frightening than the admission from the International Atomic Energy Agency director, Yukiya Amano, who last month admitted that an unnamed nuclear power plant had been “disrupted” but not shut dowcn by a cyberattack. Imagine what could have happened.
Clearly cybersecurity will be a big issue for the President-elect, and it must be addressed in multiple dimensions. First, there is the federal government itself. Then there is the issue of how to better protect consumers. Finally, there are the offensive and defensive capabilities of cyberwarfare.
Most government agencies and functions face housekeeping and a stern review by the Trump Cabinet. If the public has sagging confidence in the ability of federal agencies to protect information and resources, something must change. There is a long track record of failure after failure, ranging from the Office of Personnel Management (OPM) to the Internal Revenue Service (IRS) to FBI and even the White House. Like most enterprises, Federal agencies are simply not equipped to find network attackers early and stop them before theft or damage occurs. This has to change.
Trump may appoint political outsiders to assess federal cybersecurity or may demand an accounting from each department. Top down efforts have already improved security hygiene, but most agencies still lack true detection ability. Changes to authentication, access, encryption, network segmentation, patching and other forms of security improvements provide worthwhile tune-ups for preventative security and may make it more difficult for an attacker to get to assets but it does not solve the overall attack problem. Like enterprises, federal agencies need to take on the ability to find an active attacker—whether a malicious insider or a targeted external party—that is at work on the network, secretly working towards their goals. They need to add a new approach that will accurately detect such an attacker.
In terms of better protection for consumers dealing with commercial entities, Trump may well consider new potent legislation that could add formidable requirements and penalties for safeguarding personal information and facing significant punitive measures if they have a data breach.
Sweeping legislation such as the General Data Protection Regulation (GDPR) in the EU would be a true test of business versus consumers for Trump. Once enforceable in May 2018, the GDPR sets out penalties of up to 4% of worldwide revenue or €20 million, whichever is greater. Even to a Fortune 500 company this represents a significant cost. In addition, companies face clean-up costs and settlement pay outs for damages.
Trump should weigh consumer concerns and frustrations against industry regulations that impinge on business. It is certainly reasonable for US citizens to expect that they would have similar protections as Europeans in regards to timely breach notification and the application of best practices to safeguard personal data. The level and magnitude of breaches today is alarming, and organizations should be compelled to apply the latest measures and best efforts to turn the tide.
Finally, the election and some news cycles referenced the country’s overall cyberwarfare capabilities in terms of both offense and defense. Clearly threats may come from large or small countries.
- Is cyberwarfare a cat and mouse game that is played out between any countries, or does a country like the US have a considerable advantage both offensively and defensively?
- Does the US need to improve and grow its cyberwarfare abilities?
- If pushed, could the government deliver a striking cyber blow on an antagonist?
At the same time, could it step in and properly protect infrastructure to avoid a catastrophe or meltdown of commerce and daily life?
By answering these questions, we can begin to devise a plan that will address today’s most critical security risks.
About The Author: Kasey Cross is the Director of Product Management at LightCyber, a company pioneering the use of machine learning and network visibility as a new approach to detect network attackers. Cross has more than 15 years of experience in management networking at leading security companies including Imperva, A10 Networks and SonicWALL. Prior she was the CEO of Menlo Logic and led the company through its successful acquisition by Cavium Networks. Cross holds a degree in Economics and Physics from Duke University.