Last week, President-elect Donald Trump received a comprehensive briefing on Russian hacking related to the 2016 Presidential election. In response, Trump released a statement that included the following:
“Whether it is our government, organizations, associations or business we need to aggressively combat and stop cyberattacks. I will appoint a team to give me a plan within 90 days of taking office.”
These “teams” tend to be made up of a combination of Washington insiders with intelligence and/or military experience as well as an assortment of industry folks. For example, President Obama’s recent Commission on Enhancing National Cybersecurity included former NSA director Keith Alexander, former IBM CEO Sam Palmisano, etc.
With all due respect to President Obama’s commission, I strongly suggest that Mr. Trump recruit (or at least ask for input from) actual cybersecurity professionals who work in the trenches each day. This group is closer to the actual problems/solutions than some of the usual ivory tower folks who participate in this type of panel, so it would be worthwhile to get their opinions.
Perhaps I can lend a hand in helping to articulate cybersecurity professionals’ opinions. ESG recently published a research report titled “Through the Eyes of Cyber Security Professionals” in collaboration with the Information Systems Security Association (ISSA). As part of this project, we surveyed 437 cybersecurity professionals about many topics including a few around cybersecurity vulnerabilities and national cybersecurity policies.
For instance, cybersecurity professionals were asked the following question:
Knowing what you know about cybersecurity, how vulnerable do you believe your country is to some type of significant cyber-attack on its critical infrastructure (i.e., a cyber-attack that disrupts a critical service like electric power, telecommunications, access to clean water, etc.)?
Alarmingly, 62% of cybersecurity professionals believe their country is “very vulnerable” to this type of cyber-attack, while another 35% say that their country is “somewhat vulnerable” to a significant cyber-attack on critical infrastructure.
This data suggests a real problem widely recognized by those who are closest to it. Unfortunately, these same folks also believe that their governments should be far more involved in addressing this issue. In fact, 57% of cybersecurity professionals say that their government should be “significantly more active” with cybersecurity defenses and strategies while 32% claim that their government should be “somewhat more active” with cybersecurity defenses and strategies.
Washington has a way of going after problems by enlisting the help of mucky-mucks who’ve spent their lives in public service, supported parties and campaigns, or acted as lobbyists for major industries. My suggestion to Mr. Trump is that he “drain the swamp” and guide his cybersecurity strategy with help from the actual cybersecurity professional community. This group not only understands the problems at hand but has also dedicated their careers toward finding practical solutions. Given this, it seems to me that it could be worthwhile to get the cybersecurity professional community more involved.