Cybersecurity needs to be a top priority for the administration of Donald Trump. The first task should be shoring up government IT systems. As recent attacks have shown, adversaries aren’t afraid to go after political organizations. There’s no reason to suspect they won’t continue to target political entities such as the Democratic National Committee or step up attacks on government agencies.
Emphasize that information security applies to all agencies
Ideally, a cabinet meeting for all new secretaries should be held within three months of the inauguration to underscore that information security is essential for all agencies to complete their missions. Even secretaries whose agencies are not typically associated with either information security or IT need to be included.
All government agencies use computers, mobile devices, cloud services and other technology, giving the bad guys many avenues for carrying out an attack. President Trump must emphasize that cybersecurity has major national security implications and impacts all government organizations and all Americans.
Hardening the government’s information security defenses is a huge undertaking that will take time to accomplish, a point that President Trump must emphasize. Metrics must be established that allow cabinets to measure how successful they have been at improving their defenses. Rolling out two-factor authentication for accessing sensitive systems and staying up to date on applying software patches are two examples of goals that can be measured in quantifiable terms.
Start by appointing CISOs
The new president should fill government positions as quickly as possible. This is no small task given there are thousands of roles to fill, many of which require Congress’ approval.
Given the current political climate, getting Congress to agree on nominations for even the most common cabinet secretary positions could prove challenging to impossible. Instead of waiting for Congress to approve all high-level confirmations, the Trump administration should fill CISO positions for each government agency as soon as possible, since these are the people who are responsible for implementing and overseeing information security policies.
The government can take a lesson from the private sector here in emphasizing the importance of naming a CISO. Information security is no longer just an IT problem. All organizations, whether they’re a federal agency or a company, need someone who actively promotes and monitors security. Protecting the government or a business requires executive attention and is not something that can be treated like an afterthought.
Don’t forget about infrastructure
The Trump administration also needs to realize the importance of protecting the country’s infrastructure from attacks. Like I said in an earlier blog post, utility providers are the nation’s soft underbelly. Our power plants, electricity grid, dams and reservoirs often lack adequate information security measures and are extremely vulnerable to an attack.
Beyond malware, ransomware, phishing scams and other common attack vectors, utility providers use industrial control systems that aren’t actively monitored for intrusions, making them the ideal way for an attack to infiltrate an organization. Stuxnet used this attack vector to cripple Iran’s nuclear program. Harming any part of our infrastructure could have disastrous consequences. Protecting infrastructure is already on the agenda of the National Security Agency’s recently formed Cyber Mission Force. Hopefully, the new administration will continue and expand this policy.
I’d also like to address the need for the new President to broaden the definition of critical infrastructure to include ISPs (another point I’ve made in this space). The October DDoS attack that took down the domain name service provider Dyn caused people to panic. Imagine if future DDoS attacks were even more powerful, taking down the victim’s servers for an even longer period of time and targeting companies that provide SaaS services. Businesses will suffer if their employees can't access their email or CRM applications.
The only way to protect our networks is for the public and private sector to work together. Hopefully, the Trump administration can help businesses realize the benefits of joining forces with the government on information security.
The time to act is now
Time is not on our side, unfortunately. There’s no indication adversaries, whether they are nation-states such as Russia and China or cyber criminals using nation-state tactics, are going to relent any time soon. They may even look for and try to exploit any gaps that emerge as the Obama administration hands over to the Trump administration.
This is all the more reason why information security needs to be a top priority for President Trump and must be handled within the first 100 days of his inauguration. A key part of continuing to keep America great is ensuring that its government agencies and national infrastructure are as well prepared as possible for future cyber attacks.
This column previously appeared in Network World.