Today, the people of the United States will elect a new President - a President who will likely preside over an era with far more cyberwar, cyber-espionage, and other forms of technology-based mischief than ever before. What should he or she do to improve America's strength in this regard?
I believe that there are many important elements - here are four:
1. Incent people to learn about information security, and incent students to enter the field. Special focus must be made to attract young girls and members of minority groups presently under-represented among cybersecurity practitioners. We need a much larger and more diverse pipeline of skilled professionals.
2. Involve a more diverse range of businesses and experts in the government's decision-making processes; a disproportionate amount of cybersecurity innovation emanates from smaller technology firms, so including disproportionate representation from large corporations in Congressional hearings and Executive-department advisory capacities leads to numerous problems, as well as to undue influence from lobbyists - we have already seen the adverse impact, and it is time for change.
3. Allow the government to spend what it needs to spend on cybersecurity in order to compete for skilled cybersecurity professionals - and to get the Federal government's "house in order." The Office of Personnel Management breach was inexcusable, and if a breach of similar magnitude were to occur in the future it could severely undermine confidence in our national cyber-defense.
4. Incent businesses to address emerging risks - the Internet of Things, social media, smart cars, and other newer technologies have created immense risks for business, but many still have not taken appropriate action. This needs to change.
And here are some opinions from others:
Steve Morgan, Founder and CEO at Cybersecurity Ventures:
The White House issued an Executive Order in April 2015, in which President Barack Obama stated: "The increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. I hereby declare a national emergency to deal with this threat." Our next President needs to take it a step further and declare that the U.S. is at cyberwar with China and other hostile nations who have continuously cyber-attacked U.S. government agencies and corporations. Our National Cyber Defense needs to evolve from what are largely defensive measures now -- to the research and development of offensive cyber warfare capabilities which are fundamental to protecting the U.S. from the global cyber threats we face.
Scott Clements, Executive Vice President and Chief Security Officer, VASCO Data Security:
Put more force behind the National Strategy for Trusted Identities in Cyberspace standard development including support and adoption by government agencies, followed by regulations that hold organizations accountable if they don't meet basic security standards of protecting consumer information.
Agencies with antitrust authority need to update their models to more fully recognize that as we are in an "information based" economy, hoarding or excessive control of user or consumer information is not only insecure, but may be just as anti-competitive as was Standard Oil's monopolistic behavior of the last century. I'm not suggesting the EU's mercantilist approach of using antitrust to compensate for a poor competitive position in Internet technology, but a reasonable focus on consumer protection that encourages innovation and recognizes zero marginal supply cost of information technology as opposed to the large and growing value of personally identifiable information that companies are failing to effectively protect. Loss of faith in the Internet economy will have massive and negative effects on the economic security of the United States.
Christian Lees, CISO at InfoArmor:
Protect the trans-Atlantic cables that carry most of the world's data.
Work closely with major service providers, financial, electronic, retail -- and their users -- to prevent, detect and respond to cyber-attacks.
Immediately harden critical infrastructure (e.g. power grids), and work with US citizens to prepare for a major outage related to critical infrastructure.
Julien Bellanger, Co-Founder & CEO, Prevoty:
Improve cybersecurity compliance controls. And treat cybersecurity the same way that financial controls and reporting are handled under Sarbanes-Oxley. Enterprises should not be allowed to "check the boxes" of cybersecurity compliance checklists without their controls being rigorously tested by an independent body.
Empower enterprises to better encrypt data. Stop trying to tap into every Internet company database or user data feed for national security reasons - doing so actually increases risks.
Lead by example, and invest in modern cybersecurity to protect government properties and databases.
Brad Bussie, CISSP, Director of Product Management, STEALTHbits Technologies:
The alarming shortfall of cybersecurity trained individuals needs to be addressed. The President must mandate outreach to all levels of education focused on cybersecurity. Colleges around the United States need to ramp up and improve programs that offer varied specialties in cyber. Training is essential to our survival in the cyber arms race.
The incoming President should focus on promoting multi-factor authentication to websites and applications for businesses as well as consumers. Breaches continue to grow year over year because of the weaknesses that passwords inherently possess. The technology exists to easily make this concept a reality and most everyone already has a second factor of authentication readily available via their smartphones.
The new President also needs to mandate that enterprises enable the entire workforce with on-the-job training regarding cyber security. Think of this like running fire drills. Everyone knows what to do and where to go in the case of an emergency because they have drilled and practiced several times a year. The same thing needs to happen with cybersecurity. Companies need to develop programs to keep themselves safe and establish best practices that every employee can follow, regardless of job title. The real key to a successful cybersecurity program is to expose the entire organization to security on an ongoing basis.