By Robert Ackerman Jr.
President Trump in early July signed a cybersecurity executive order (EO) outlining plans to improve data security for federal agencies and to better protect critical U.S. infrastructure. I view it as a call to action, more than past administrations have done. This alone makes it worthwhile.
But it’s just a start. Much more needs to be done, and whether this materializes is anybody’s guess. Take, for example, the goal of improved protection of U.S. infrastructure. The administration must respond decisively to the fact that our electric grid and other key components of national infrastructure were designed to be functional, not secure.
I don’t know what the administration will do to fix this, but I recommend a three-pronged strategy. First, the government should define a level of expected cyber resiliency and produce a methodology to protect it. Second, we should create a clearing center for the implementation of best practices in grid security. And third, we should form an industrial bank to provide long-term financing to utilities that need it in order to help implement this.
Here is my take on other key measures that must be taken to improve government cybersecurity. The first is addressed in Trump’s EO; the others are insufficiently addressed or not at all.
–Intel sharing. The EO’s call for federal government agencies – especially civilian agencies – to seek opportunities to share cyber technology is a good move. It is unwise to reinvent the wheel, one government silo at a time. And cloud-based computing and security frameworks available today make a holistic approach realistic. Data security frameworks would then be layered atop the cloud framework so that data can be shared while also encrypted. Individual agencies could then build on this framework for their unique needs. True, government silos have varying degrees of expertise, resources and sophistication. But security is only as strong as the weakest link in the network. If it is not addressed, adversaries will find and exploit that link.
–Government to private pathways. There is a need for a way for cybersecurity experts in U.S. intelligence agencies to share some of their knowledge with American companies. Their expertise could also be an element of a “cybersecurity infrastructure bank” – a bank that would loan government funds to small utilities, water plants and the like to help them quickly upgrade their cyber defenses.
–Support for innovation. Steps must be taken to persuade the government to purchase cybersecurity technology and services from innovative startups. The government today relies mostly on large, established cyber vendors, many of which do not sell state-of-the-art wares. Startups, by definition, must be innovative or die.
–Limit outsourcing to foreign entities. The government should cease buying cyber technology and related gear from foreign sources. It’s too risky. The government already does some of this, but must do more. On the plus side, China-based Huawei Technologies, the world’s largest telecommunications equipment manufacturer, is banned from selling its gear in America. The company is reputedly controlled, in part, by China’s People’s Liberation Army.
We are about to hear from each agency in the executive branch what their security measures are and what are deemed to be significant risks. From here, hopefully, work will mitigate the risks. They don’t necessarily have to be the steps I recommend, but must be worthwhile.
As I said at the beginning, at least we have a call to action. As Abraham Lincoln once said, “Determine the thing that can and shall be done, and then we shall find the way.”
About the essayist: Robert Ackerman Jr. is founder of Allegis Capital, an early-stage Silicon Valley-based cybersecurity venture capital firm, and co-founder of DataTribe, a cybersecurity startup incubator.