With Election Day upon us, we are getting closer to the ushering in of a new administration in the White House. Significant progress on cybersecurity policy has been made over the last decade in both Republican- and Democrat-led administrations and we look forward to the incoming administration making further strides over the next four years.
There’s still work that remains to be done on cybersecurity from a policy perspective. There are several meaningful ways for the next administration to move the needle and continue to strengthen U.S. cybersecurity, which are detailed below.
Focus on threat prevention by leveraging the NIST framework’s tenets on identification and protection
The Cybersecurity Framework spearheaded by the National Institute of Standards and Technology (commonly known as the “NIST framework”) was game-changing in that it established a common cybersecurity risk management lexicon and five core tenets for mitigating attacks: identify, protect, detect, respond and recover. We hope the collaborative and inclusive public-private dialogue that took place during the development of the Framework is a model that is used by the next administration when crafting cybersecurity policy.
As the Framework matures, we encourage the next administration to place a particular focus on “identification” of the systems, networks and information most important to the success of each organization, and then “protection” of those elements. This underscores the importance of adopting a prevention-first mindset toward cybersecurity. Detection and response alone can’t keep pace with today’s automated threats, which is why a prevention-oriented approach is key to stopping successful attacks. All five tenets are important and play a critical part in strengthening the nation’s cyber defenses, but focusing on identification and protection ensures preventive measures are baked into an organization’s cybersecurity strategy from the start and limits the need for resources devoted to incident response.
Encourage initiatives aimed at boosting cyber education to prepare the next-generation of cyber-savvy citizens
Even the best technology in the world can’t stop a person from physically clicking on a malware-laced phishing email. People play a critical role in an organization’s overall security posture, and the simple practice of following good cyber principles of safety, through basic standards of discipline, can help prevent a significant portion of attacks.
To prepare the next generation of cyber-savvy citizens, we recommend that the next administration support educational efforts and initiatives to teach children across the U.S. about cybersecurity and cyber safety best practices, as well as spark their interest in pursuing a career in cybersecurity. Cybersecurity competitions, such as CyberPatriot and the U.S. Cyber Challenge, are also important initiatives that can reinforce cybersecurity best practices and help address the concerning workforce gap that the U.S. currently faces. The White House’s Federal Cybersecurity Workforce Strategy, released in July 2016, noted that “recent industry reports project this shortfall will expand rapidly over the coming years unless companies and the federal government act to expand the cybersecurity workforce.”
To continue to lead the world in cyber innovation and capabilities, it’s imperative that the U.S. make cyber education a priority and view it as every bit as necessary as teaching students how to solve an algebraic equation or learn the periodic table.
Reinforce existing statutory authorities on cybersecurity
Cybersecurity is a distributed issue that requires a shared sense of responsibility across both the public and private sectors. For this reason, we believe it would be misguided for the next administration to overly centralize the government’s cybersecurity efforts. Preventing successful attacks can only be addressed through a partnership across federal government and in collaboration with international allies and the private sector.
Both the Bush and Obama administrations implemented policies that helped carve out the distinct roles and responsibilities of government entities when it comes to preventing and responding to cyberattacks. In July, for example, the White House issued a presidential directive that offered an important clarification of the roles and responsibilities that the U.S. government and private sector bring to bear in responding to a significant cyber incident. In turn, this has given the private sector a clearer idea of the appropriate government stakeholders to coordinate with on cybersecurity issues.
There’s more work to do in this area, but we recommend that the next administration reinforce these statutory authorities and refrain from creating new agencies, reassigning established agency roles and responsibilities, or otherwise disrupting the progress made in cybersecurity governance.
Continue supporting efforts to modernize federal IT and update aging legacy systems in the federal government
From White House budget proposals to legislation moving through Congress, there has been growing bipartisan consensus across the executive and legislative branches of the need to modernize federal information technology systems. The urgency of the issue is underscored by some pretty staggering facts.
According to U.S. Federal CIO Tony Scott, $3 billion worth of U.S. federal IT equipment will reach “end of life” status within the next three years, meaning no more security patches, upgrades or vendor support will be available. In fiscal year 2015, over 75 percent of the federal government’s $80 billion IT budget went to operations and maintenance costs for obsolete legacy systems, according to a recent U.S. Government Accountability Office (GAO) report. To enhance security, the U.S. government must invest heavily in next-generation and prevention-oriented technologies.
This does not only apply to IT. With the advent and continuing explosion of the internet of things (IoT) phenomenon, this recommendation also applies to operational technology (OT) associated with some of the nation’s most critical capabilities, such as transportation, energy, water management, and many other categories of critical infrastructure.
Expand and mature the cyberthreat information-sharing environment to harness threat indicators into preventive countermeasures in real time
Over successive administrations, the U.S. government has devoted significant resources to fostering an expanded cybersecurity information-sharing environment between the public and private sectors. Palo Alto Networks has been heavily engaged in these efforts, from the development of Information Sharing Analysis Organization (ISAO) standards and best practices to its co-founding of the cybersecurity industry’s first information sharing entity, the Cyber Threat Alliance.
As the next administration continues work on this issue, the focus must be on standardizing and automating the sharing of cyberthreat indicators in as close to real time as possible, in order to increase the scale and speed required to outmaneuver cyberthreats. But the next administration must also recognize that cyberthreat information sharing, while critical, is not a remedy. It is, instead, a means to an end.
To be effectively leveraged, threat information must be combined with the right type of interoperable security technologies that are capable of automatically harnessing new threat knowledge into preventive countermeasures and sharing them broadly across the ecosystem. If we can achieve this level of automation and ecosystem integration, we can begin to drive up the costs of a successful cyberattack for our adversaries and tangibly reverse the current, unsustainable dynamic.
Make the federal CISO role permanent
In September 2016, the White House named the United States’ first Chief Information Security Officer (CISO), General Greg Touhill. (In full disclosure, I have firsthand experience working with Greg, both while in government and at Palo Alto Networks, and I’m confident in his qualifications for this vital role.)
Because this position was created by executive action, there is no guarantee the role will continue beyond the administration transition. We believe it must. The federal CISO position will be crucial in driving the implementation of outstanding deliverables from the Cybersecurity Implementation Plan and ensuring accountability at the senior-most levels of federal departments and agencies. This could be accomplished by continuing the operation of the new federal CISO council, which will also help build strategy and ensure IT modernization efforts prioritize prevention-first security. Further, the federal CISO can play a vital role in standardizing cybersecurity training and education programs across the federal government to ensure a consistently high standard for how key government and citizen data is protected.
The above recommendations are just a short list of steps the incoming administration can take to help prevent successful attacks and maintain trust in the digital foundation on which we’ve built our daily lives. We look forward to working with the next administration on efforts to strengthen the nation’s cybersecurity and hope it continues to be a top priority over the next four years.