What the next president needs to do on cyber
By John Davis
Nov 04, 2016
With Election Day upon us, we are getting closer to ushering in a new administration in the White House. Significant progress on cybersecurity policy has been made in the past decade in both Republican- and Democrat-led administrations, and we look forward to the incoming administration making further strides in the next four years.
Work remains to be done on cybersecurity from a policy perspective, and there are several meaningful ways for the next administration to continue to strengthen U.S. cybersecurity, which are detailed below.
1. Focus on threat prevention by adopting the Cybersecurity Framework's tenets on identification and protection
Spearheaded by the National Institute of Standards and Technology, the Cybersecurity Framework was game-changing in that it established a common cybersecurity risk management lexicon and five core tenets for mitigating attacks: identify, protect, detect, respond and recover. We hope the collaborative and inclusive public/private dialogue that took place during the development of the framework is a model the next administration will use when crafting cybersecurity policy.
As the framework matures, we encourage the next administration to place a particular focus on identifying the systems, networks and information most important to the success of each organization, and then protecting those elements. That approach would underscore the importance of adopting a prevention-first mindset toward cybersecurity.
Detection and response alone can't keep pace with today's automated threats, which is why a prevention-oriented approach is the key to stopping attacks. Focusing on identification and protection ensures that preventive measures are baked into an organization's cybersecurity strategy from the start and limits the need to devote resources to incident response.
2. Encourage cyber education initiatives to prepare the next generation of cyber-savvy citizens
The best technology in the world can't stop a person from clicking on a phishing email message. People play a critical role in an organization's overall security posture, and the simple, disciplined practice of following good cyber safety principles can help prevent a significant portion of attacks.
To prepare the next generation of cyber-savvy citizens, we recommend that the new administration support educational efforts and initiatives to teach children across the U.S. about cybersecurity and cyber safety best practices, as well as spark their interest in pursuing careers in cybersecurity. In addition, cybersecurity competitions, such as CyberPatriot and the U.S. Cyber Challenge, are important initiatives that can reinforce cybersecurity best practices and help address the concerning workforce gap that the U.S. currently faces.
To continue to lead the world in cyber innovation and capabilities, it's imperative that the U.S. make cyber education a priority and view it as every bit as necessary as teaching chemistry or algebra.
3. Reinforce existing statutory authorities on cybersecurity
Cybersecurity is a distributed issue that requires a shared sense of responsibility across the public and private sectors. Therefore, we believe it would be misguided for the next administration to overly centralize the government's cybersecurity efforts. Preventing successful attacks can only be addressed through a partnership across the federal government and in collaboration with international allies and the private sector.
The George W. Bush and Obama administrations implemented policies that helped carve out the distinct roles and responsibilities of government entities when it comes to preventing and responding to cyberattacks. In July, for example, the White House issued a presidential directive that offered an important clarification of the roles and responsibilities that the U.S. government and private sector bring to bear in responding to a significant cyber incident. In turn, this has given the private sector a clearer idea of the appropriate government stakeholders to coordinate with on cybersecurity issues.
There's more work to do in this area, but we recommend that the next administration reinforce those statutory authorities and refrain from creating new agencies, reassigning established agency roles and responsibilities, or otherwise disrupting the progress made in cybersecurity governance.
4. Continue supporting efforts to modernize federal IT and update aging legacy systems
From White House budget proposals to legislation moving through Congress, there has been growing bipartisan consensus across the executive and legislative branches on the need to modernize federal IT systems. The urgency is underscored by some pretty staggering facts.
According to U.S. CIO Tony Scott, $3 billion worth of federal IT equipment will reach end-of-life status in the next three years -- meaning no more security patches, upgrades or vendor support will be available. In fiscal 2015, more than 75 percent of the federal government's $80 billion IT budget went to operating and maintaining obsolete legacy systems, according to a recent Government Accountability Office report.
To enhance security, the U.S. government must invest heavily in next-generation and prevention-oriented technologies.
And that does not only apply to IT. With the advent and continuing explosion of the internet of things phenomenon, the recommendation also applies to operational technology associated with critical infrastructure.
5. Expand and mature the cyberthreat information-sharing environment to generate preventive countermeasures
In successive administrations, the U.S. government has devoted significant resources to fostering an expanded cybersecurity information-sharing environment between the public and private sectors. Palo Alto Networks has been heavily engaged in those efforts, from the development of standards and best practices for Information Sharing and Analysis Organizations to its co-founding of the cybersecurity industry's first information-sharing entity, the Cyber Threat Alliance.
As the next administration continues work on this issue, the focus must be on standardizing and automating the sharing of cyberthreat indicators in as close to real time as possible in order to increase the scale and speed required to outmaneuver cyberthreats. But the next administration must also recognize that cyberthreat information sharing, while critical, is not a remedy. It is, instead, a means to an end.
To be effectively used, threat information must be combined with the right type of interoperable security technologies that are capable of automatically harnessing new threat knowledge into preventive countermeasures and sharing them broadly across the ecosystem. If we can achieve that level of automation and ecosystem integration, we can begin to drive up the costs of a successful cyberattack for our adversaries and tangibly reverse the current, unsustainable dynamic.
6. Make the U.S. CISO role permanent
In September, the White House named the country’s first chief information security officer, retired Brig. Gen. Gregory Touhill. (Full disclosure: I have firsthand experience working with Greg, both in government and at Palo Alto Networks, and I'm confident in his qualifications for this vital role.)
Because the position was created by executive action, there is no guarantee that it will continue beyond the administration transition. We believe it must. The U.S. CISO position will be crucial in driving the implementation of outstanding deliverables from the Cybersecurity Strategy Implementation Plan and ensuring accountability at the senior-most levels of federal departments and agencies. That could be accomplished by continuing the operation of the new federal CISO Council, which will also help build strategy and ensure that IT modernization efforts prioritize prevention-first security.
Further, the U.S. CISO can play a vital role in standardizing cybersecurity training and education programs across the federal government to ensure a consistently high standard for how key government and citizen data is protected.
The above recommendations are just a short list of steps the incoming administration can take to help prevent successful attacks and maintain trust in the digital foundation on which we've built our daily lives. We look forward to working with the next administration on efforts to strengthen the nation's cybersecurity and hope it continues to be a top priority over the next four years.