The rise of cybersecurity threats poses a critical corporate and national security issue. From an increase in social engineering fraud and ransomware that cost businesses millions of dollars last year to the influence of social media and hacking on the U.S. presidential election, cyberthreats (and attacks) are now common and persistent.
Before taking office, Donald Trump announced that improving cybersecurity would be one of the top priorities during his first 100 days in office. Some cybersecurity experts are still uncertain of the Trump administration’s ability to tackle these important issues, however. In November, for example, Forrester Research predicted that the new president would face a cyber crisis in his first 100 days, further highlighting the urgent need for a strong cybersecurity policy, including enforcement procedures. President Trump has indicated that he will leave the brunt of the policymaking on this issue to the Department of Defense (DoD) and the chairman of the Joint Chiefs of Staff, though this proposed plan has raised some legal questions, as the Department of Homeland Security is the agency in charge of protecting infrastructure while the Pentagon is responsible for defending military networks.
In December, Trump held a summit with leaders from top technology companies, including Alphabet CEO Larry Page, Amazon CEO Jeff Bezos, Facebook COO Sheryl Sandberg, Apple CEO Tim Cook, and SpaceX and Tesla CEO Elon Musk, potentially signaling interest in working with Silicon Valley, tech leaders and private industry to develop innovative solutions to bolster cybersecurity.
It is still unclear what the Trump administration’s cybersecurity policy will include, but the following are some of the key objectives the Trump administration could address during his presidency:
1. Prevent future cyberattacks.
While the cyberattack on the Democratic National Committee has been viewed as ultimately benefiting Trump, the hack and other alleged cyberattacks during the campaign are considered the first attempt in history to digitally disrupt a U.S. presidential election. The gravity of this situation has led to a bipartisan effort to investigate the incidents and fortify against future attacks.
Cyber issues would seemingly require cooperation and collaboration with the international community, but the Budapest Convention on Cybercrime is the only binding international agreement related to cybercrime and some have criticized its effectiveness. Trump’s cybersecurity plan focuses mostly on domestic issues, and he will likely adopt a policy that addresses the role of the United States in deterring cyberattacks.
The president could begin by immediately sanctioning individuals and organizations tied to cybercrimes by imposing travel and commercial restrictions. He may also focus on identifying countries with areas of high cybercriminal activity and put public pressure on those governments. Domestically, the administration can borrow from counter-terrorism strategies by developing interdisciplinary task forces that combine intelligence, finance, law enforcement, and other fields to monitor adversarial cyber activity and undermine future attacks.
2. Implement policies to reduce the effects of DDoS attacks.
On Oct. 21, 2016, parts of the internet essentially shut down, with many popular websites rendered inaccessible in the United States after hackers launched distributed denial of service (DDoS) attacks against key web servers. DDoS attacks can be difficult to prevent and defend because they typically do not originate from one computer. Rather, the attacks can emanate from thousands of devices connected to the internet (the internet of things) that were infected with malicious code.
Due to the nature of these attacks, there is no simple means of prevention. However, if websites use a large number of independent servers rather than a few main servers that are easily targeted, the likelihood all servers will be affected is greatly reduced. The administration could consider developing standardized, government-wide policies for detecting vulnerabilities and promoting network management practices to fortify against future DDoS attacks. One way to accomplish this would be to work with tech leaders to create automated mitigation technology that is more accessible to smaller companies. This technology relies on computer programs that can detect and filter attacks at a volume that would normally overwhelm traditional IT security staff.
3. Secure transportation and delivery systems from hacking.
Self-driving technology and automated shipments are quickly becoming a reality. Otto, a startup that was acquired by Uber, has created self-driving trucks. Waymo, which began as Google’s self-driving car project, has partnered with Chrysler to manufacture 100 driverless Pacifica minivans that will be introduced in 2017. In early December 2016, Amazon made its first commercial drone delivery in England. As transportation and delivery services become more internet-based and reliant on remote access data points like phones, the chances of hackers gaining remote access could significantly increase.
Non-autonomous cars are now outfitted with computers and internet connectivity to provide automakers and, in some instances, insurers with data and feedback and consumers with better driving features. These access points create cybersecurity issues as hackers can access cars remotely to disable the brakes, tamper with the car alarm, and override the steering if those features are connected to an internal computer. Airplanes can be taken over remotely by hacking into their onboard computers if passengers visit websites with viruses or malware while using onboard Wi-Fi. Many of the necessary access hacking tools and technology already exist and can be purchased easily and relatively inexpensively.
The DoD is funding research programs to address these risks, such as the collaboration between Perrone Robotics Inc., a software developer for autonomous vehicles, and Mission Secure Inc., a cyberdefense solution provider, to develop a platform that protects autonomous vehicles from cyberattacks. Now that tech companies such as Uber and Google have also entered the driverless car market, Trump could create partnerships with them to spur additional cybersecurity research.
While serious cyberattacks on the transportation system have not yet occurred, the Trump administration should still take the threat seriously and seek out further partnerships with the private sector to develop stronger firewalls, security system requirements and manual overrides.
4. Develop legal frameworks to protect companies sharing information.
Information-sharing between the government and private sector is also critical in preventing cyberattacks. Currently, corporations are afforded some liability protections from the Cybersecurity Information Sharing Act, but these protections have not yet fostered the creation of public/private partnerships. The Trump administration could consider reviewing the cyber regulations that currently apply to companies and replacing them with a uniform regulatory framework. This would allow businesses to focus less on compliance and free up resources to allocate toward cybersecurity. They could also consider exempting shared information from Freedom of Information Act requests and regulatory use to promote effective information-sharing.
5. Protect consumer information from cyberattacks.
The Securities and Exchange Commission’s 2015 cybersecurity initiative focuses on protecting consumer information that is collected, held and used by investment firms. In 2013, President Obama signed an executive order that directed the National Institute for Standards and Technology (NIST) to develop a national framework for information security best practices for critical infrastructure organizations. The first version is widely available and a draft update is due in early 2017. Since compliance is voluntary, many companies have been slow or reluctant to adopt the guidelines and high-profile data breaches have continued to occur.
On Dec. 14, 2016, Yahoo disclosed a security breach of more than one billion accounts stemming from an attack that began in 2013. The largest cybersecurity breach to date, it came to light on the heels of another incident involving 500 million accounts that Yahoo reported on Sept. 22, 2016. President Trump can combat such breaches by emphasizing adoption of the NIST framework and working with companies to ensure compliance. On a micro level, some experts have also recommended launching a public campaign to promote best cybersecurity practices, such as using strong passwords and avoiding disclosure of personal data in public settings and on unsecured connections like public Wi-Fi.
6. Build a strong cyber workforce.
At President Trump’s tech summit, some attendees reportedly raised concerns about whether he would continue President Obama’s science, technology, engineering and math (STEM) education initiative. Participants also raised the issue of how the government could help bolster the tech industry workforce through beneficial immigration policies and streamlined provision of H-1B visas. While the president did not provide any concrete policy decisions or solutions, he agreed to look into these issues. However, in the wake of the president’s executive order banning travel for individuals from seven Muslim-majority nations and the possibility that the administration might consider more stringent requirements for H-1B visas, the prospects for tech companies looking to employ more skilled immigrants have become more uncertain.
Nevertheless, given the administration’s close ties to the private sector, some experts are still optimistic it will be open to creating partnerships and sharing best practices with tech industry leaders. The president could begin by focusing resources on implementing the DoD Cyber Strategy, which highlights a need to attract talent and develop bridges to the private sector and research institutions. The Trump administration could also improve the cyber workforce by promoting cybersecurity education in the military and in schools throughout the nation. n