24 January, 2017
Less than two weeks after election night, President-elect Donald J. Trump highlighted cybersecurity as one of his priorities in his first 100 days in office. In a video, he announced he would “ask the Department of Defense and the Chairman of the Joint Chiefs of Staff to develop a comprehensive plan to protect America’s vital infrastructure from cyberattacks, and all other form of attacks.’” The President-elect’s focus on cybersecurity has continued to be a central theme as he has selected his political appointments.
As a seasoned group of cybersecurity leaders, many of whom spent many years in the public sector before joining Stroz Friedberg—including former Special Agents of the FBI, members of the CIA, Department of Homeland Security (DHS) leaders, and federal prosecutors—we have composed a set of recommendations that the new administration should be thinking about as they plan their cybersecurity agenda for the next year and beyond.
Facilitating Global Public and Private Sector Information Sharing Cybercrime, especially when it crosses international borders, is highly complex because the threat landscape is diffuse, sophisticated, and fast-moving. What is needed most in response efforts is a rapid and coordinated reaction in real time among private sector, international law enforcement, cybersecurity experts, and governments. The incoming U.S. administration should take the lead in making a strong case for increasing threat intelligence sharing between public and private sectors across international jurisdictions to improve defense and response capabilities.A more developed global system for sharing information could play a critical role in minimizing damage from a cross-jurisdictional incident like the SWIFT attacks that involved at least the Philippines, Bangladesh, Vietnam, and Ecuador. With more information shared across borders, governments and law enforcement could deploy more collective resources against cyber adversaries operating globally.
While the United States has recognized the importance of intelligence sharing and implemented a number of programs and partnerships to spur this kind of activity, many private sector organizations are still reluctant to report information on attacks for fear of legal recrimination, fines, and reputational damage. Companies also harbor concerns and misconceptions about sharing information, for example, that it could inadvertently reveal the secrets of their networks. The United States should facilitate an environment for private sector organizations to open channels of communication with a broad community of international stakeholders in cybersecurity without repercussion. Crucially, companies must feel free to speak openly without the fear of facing public or legal scrutiny, or regulatory sanctions. Governing this kind of information sharing mechanism by Chatham House Rule would help reduce concerns that currently prohibit organizations from coming forward.
If the United States does not take the lead in encouraging cooperation with international allies, particularly in the West, complexity will continue to mount and alliance-based information sharing will only be more difficult in the future, especially as non-aligned countries increase their offensive and espionage operations.
Six Recommended Cybersecurity Priorities for the Trump Administration
Defining, Assessing, and Prioritizing Critical Infrastructure and Data to Understand the Threat Landscape President-elect Trump cited “America’s vital infrastructure” as a focus of cyber attack protections. The attack by Iranian hackers on the Rye Brook dam in New York, despite being a small target and causing no physical damage, was a foreshadowing of the potential for larger scale attacks on more significant infrastructure which could have devastating consequences. The United States is right therefore to prioritize defending its Internet-connected infrastructure. However, as well as focusing on protections, the new administration should update the definition of what constitutes “vital infrastructure” to reflect the current cyber threat landscape.The Department of Homeland of Security (DHS) currently defines critical infrastructure as “providing essential services that underpin American society and serve as the backbone of our nation’s economy, security, and health.” The DHS defines 16 critical infrastructure sectors, including the electrical grid, the financial system, and the mechanics supporting transportation, whose “assets, systems, and networks, whether physical or virtual [are] so vital to the United States that their incapacity or destruction would have a debilitating effect on security, national economic security, national public health or safety”.
The expanding nature of current cyber threats beyond top tier targets means the definition of “vital infrastructure” urgently needs to be expanded to include corporate and government data, and systems beyond these 16 sectors, on which a hack would have far-reaching consequences. Any other approach threatens to exclude targets could pose harm to millions if they are compromised. The 2014 attack on Sony, for example, not only impacted the media company itself—it reached the highest levels of government and foreign policy, involving President Obama, the NSA, CIA, and FBI. From another perspective, the 2015 attack on the U.S. Office of Personnel and Management highlighted the vulnerability of government employees’ personally identifiable information.
Additionally, the government assessment and much of the public conversation around the risks facing critical infrastructure is aligned to ‘zero-day’-type vulnerabilities. Yet, targets are much more likely to be attacked through a well-known route. For example, the SCADA systems that remotely manage so much of the oil and gas industry operations are famously built on legacy technologies. Adversaries finding a ‘zero-day’ in a technology environment like this is unlikely; opening a known door that hasn’t been properly secured is more common. Just like focusing protections on the wrong targets, focusing on the wrong threats can distract from other security measures that should be in place.
Protecting Data Integrity and the Proliferation of Misinformation
We have already seen examples of widely circulated fake news stories inspiring violence. In the case of “PizzaGate”, an armed man walked into a pizza joint to investigate false reports of a child sex ring run by Hillary Clinton. Similarly, confusion and chaos swept through JFK airport when false reports spread of a shooter. Misinformation was also a key theme of the U.S. presidential election, with the FBI confirming Russia’s involvement in attacks on the election in the form of “influence operations” designed to impact public opinion and the outcome. We have also seen hackers editing headlines on news sites and false stories dominating social media feeds.With information available everywhere—smartphones are like megaphones with social media being the ultimate amplifier—misinformation can cause individuals or masses of people to act immediately in predictable ways. In this environment, a malicious attack on the private-sector “public” address systems, for instance, government-run emergency notification systems, or even Amber Alerts, could result in mass destruction, chaos, and physical casualties.
Today, the recent escalation of “information-as-weapon” sits largely with nation-state cyber espionage, similar to Russia demonstrating new ways of influencing public discourse and political decision making. But it forebodes a kind of intrusion into our sphere of trusted information networks that this country must critically defend against. Information integrity risks must be addressed urgently by the new administration.
Creating a Structure for Offensive Cyber Actions for the Private Sector
Private sector organizations that are under fire from cyber attackers trying to steal their valuable commercial information or take down their systems have been increasingly discussing the potential benefits of “hacking back”— conducting offensive cyber operations against those who have already attacked them. The potential to conduct offensive cyber operations has also been mentioned by Michael Flynn, Trump’s national security appointee.
The prospect of vigilante action raises complex questions that require government-directed answers, as any private offensive cybersecurity action against another party could result in significant legal liabilities for the actor, and could have implications beyond the corporate sector, for example, being considered an act of war. Therefore, the new administration should explore a deeper dialogue around this tactic and be thinking about both regulatory and operational implications, in case the public pressure to “hack back” becomes mainstream. Any regulations must address issues like: What is the level of certainty around the accuracy of attribution required before retaliating? How should the offensive actions be determined? Does the jurisdiction of the attacker determine the action taken? Who should perform these offensive actions? Operationally, the NSA has the strongest capability in this arena. The new administration should explore whether the power that is resident in the NSA and U.S. military can be deployed under certain circumstances so that private organizations can elect to sign up for offensive cyber protection.
Consolidating and Elevating Cybersecurity Regulation
Corporations face a multitude of fragmented cybersecurity frameworks and regulations, both nationally and globally. In the United States, some frameworks are government-run, but not bound by law, such as National Institute of Standards and Technology (NIST). Others like the Health Insurance Portability and Accountability Act (HIPAA) are laws or industry-led and necessary to conduct business operations, such as the Payment Card Industry Data Security Standard (PCI-DSS). New York State’s Department of Financial Services (DFS) recently released its revised proposed cybersecurity regulation for financial services companies. The FDA recently issued guidelines for managing cybersecurity in medical devices post-coming to market. International regulations include the General Data Privacy Regulations (GDPR) set to be introduced in May 2018, as well as established best practices like those published by the International Organization for Standardization (ISO). These frameworks and regulations are all regularly updated, keeping Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), compliance officers, and audit committees infinitely busy.What is more, compliance with these competing frameworks and regulations does not guarantee security. They are geared towards changing the mindset and culture of organizations and the industry overall to push organizations into realize the importance of being proactive in order to become cyber resilient.
These complexities around laws, regulations, and guidelines generate questions about which cybersecurity responsibilities fall on the government versus the need for industries to self-regulate. For example, should there be legally-binding security standards for connected medical devices and automotive devices, or should the industry drive the standard? Is the industry doing enough to ensure security is fundamentally built into design? Should companies in regulated and ‘critical’ sectors be legally bound to conduct more proactive security measures, such as red teaming, or is a government recommendation sufficient?
The new administration should clarify, consolidate, and elevate cybersecurity regulation so that companies not only know how to prioritize their cybersecurity activities, but also know where their responsibility to ensure information security begins and ends. This can help to create fundamental cybersecurity standards akin to due care and negligence laws, which companies can be measured against when taking new products and services to market.
Whether or not the United States moves in this direction, it will feel the influence of foreign cybersecurity regulations as other countries continue to establish more clearly defined and widespread cybersecurity regulation. Multijurisdictional companies acting on these international regulations will inevitably cause these practices to trickle into the United States. The new administration should take the opportunity to be a leader in setting the regulatory agenda and aligning with international best practices.
Better Harmonizing of the National Cybersecurity Goals Across Departments
The new administration must prioritize unifying the objectives of the U.S. intelligence community, military, and law enforcement, supporting functionally connected programs in the science and technology policy portfolio to retain the country’s lead in these areas.The CIA is undergoing its most fundamental reorganization in years, with the addition of a cyber intelligence division as the centerpiece. The NSA remains the overwhelmingly dominant force in this area, but is facing an increase in employee resignations, a series of leaks or near-misses, and instability in its leadership. DHS is still struggling against its own institutional weight and relative immaturity as it aims to ensure that its vast, changing cybersecurity remit remains relevant, while also operating day-to-day to enact that remit. The State Department needs to find a new focal point for the cyber dimension of its foreign policy vision, as its recent attempt at promoting “responsible cyber norms” has been less than effective.
Given how quickly cybersecurity has emerged as a critical issue affecting global security, conflict, and governance, the incoming administration will find the associated policy and strategy challenges overwhelming without a solid set of cybersecurity objectives and programs to unify all of these moving parts. A refocusing of the organizational capabilities and authorities that protect the U.S. national interests is necessary to ensure that the country’s cybersecurity policy, strategy, and posture keeps pace with the global threat environment.
The outgoing administration emphasized cybersecurity as one of the current greatest challenges the United States is facing as a nation, in terms of its importance to national and economic security, and took a number of steps to increase the country’s defenses. The incoming administration must approach cybersecurity as a continuous process of improvement, building on the initiatives established by the prior administration and taking bold new steps to stay ahead of the global cyber risks.
From better international information sharing between the public and private sector, to updating the concept of “critical infrastructure”, defending the integrity of the nation’s information and data, to conducting offensive cyber activities, there are a number of areas where the new administration can make significant advancements. Unifying the objectives of the multiple departments and parties working on cybersecurity, and streamlining the plethora of regulations that have sprung up around cybersecurity, will also help public and private sector entities navigate the complex arena of fighting cybercrime.
Whatever direction the incoming president and his administration take to improve U.S. cyber defenses, it will be crucial to bring together major players across sectors—including business, the intelligence community, military, law enforcement, government and others—to provide a unified front against the country’s cyber adversaries.
For further information, please contact:
Paul Jackson, Managing Director, Stroz Friedberg
pjackson@strozfriedberg.com
