President-elect Donald Trump ran a campaign focused on national security and making America great again through economic reform. Clearly both goals should include policies and programs to bolster the nation’s cybersecurity capabilities. This shouldn’t be an abstract concept to Mr. Trump after an election cycle featuring Russian hacks and WikiLeaks posts.
To reinforce this priority, it is also worth noting that in a pre-election survey by ESG research, 49% of cybersecurity professionals said that cybersecurity is a critical issue and should be the top national security priority for the next President while 45% said cybersecurity is a very important issue and should be one of the top national security priorities for the next President. If those citizens on the front-line see cybersecurity as a major priority, this should speak volumes to the President-elect.
Now Mr. Trump is a Republican nominee and true to his party, he isn’t likely to propose cybersecurity regulations anytime soon. Given this position, how can the President-elect make progress in this critical but highly technical and geeky area while avoiding the abundant rat holes that come with the territory?
Allow me to offer some suggestions of cybersecurity dos and don’ts for the next President. Since the list is a bit lengthy, I’ll start with my list of suggestions.
- Do build upon momentum of the NIST Cybersecurity framework (CSF). While not perfect, the CSF was a good move by the Obama administration for developing a government cybersecurity initiative (with strong private sector input) aimed at encouraging a voluntary effort to quantify and manage IT and business risk. As a voluntary and cooperative program, the NIST CSF certainly aligns with Republican aversion to regulations. I suggest that the Trump administration give the NIST CSF another push, build upon its momentum, and focus on areas where it needs help like quantifying success metrics and pushing the CSF to smaller organizations.
- Do offer government incentives for private sector cybersecurity investment. The Obama administration never quite figured this one out. Trump proposed a multitude of incentives to keep jobs in the US and repatriate corporate financial assets that remain offshore. In a similar spirit, the Trump administration should offer cybersecurity carrots like tax breaks to companies that invest in cybersecurity investments like employee training programs or security technology implementation. These incentives should be modest at first, with a promise to increase them if and when the feds can establish some true success metrics.
- Do focus help on specific industries. I strongly agree with former White House cybersecurity advisor Melissa Hathaway’s position, that Mr. Trump should prioritize cybersecurity efforts to specific industries like finance, energy, and telecommunications. Furthermore, Mr. Trump should appoint a special liaison to the insurance industry with the goal of developing programs to advance, analyze, and act upon cybersecurity actuarial data. This could help the insurance industry become an industry cybersecurity partner rather than today’s role of policy writer.
- Do streamline cybersecurity activities in Washington. Between 80 and 100 House and Senate committees and subcommittees have some level of cybersecurity oversight today. This translates into too little knowledge and too much bureaucracy. Trump should work with Congress to simplify this morass to develop real expertise AND accountability on the Hill. And Mr. Trump should push a similar effort to figure out which civilian and defense agencies should quarterback federal cybersecurity efforts and which should take a subservient role. Finally, the President-elect should drain the swamp of wasteful federal cybersecurity programs. In this way, President Trump could fulfill his campaign positioning for making government programs and investment more efficient and effective.
- Do appoint cybersecurity leaders who truly act as change agents. I suggest that Mr. Trump appoint 2 cybersecurity leaders. One with vast government experience who can act as a watchdog/bulldog while working with Congress, as well as civilian, military, and intelligence agencies to oversee existing programs, cut waste, and improve federal cybersecurity. The other person should be publicly facing, working on public/private cybersecurity partnerships, public awareness, and cybersecurity education. Both individuals should be given the right level of authority, oversight, visibility, and accountability to help change cybersecurity actions in and out of Washington.
- Do invest real dollars in research and education. Yes, the feds have done this but investments in cybersecurity research and education have been tactical in the past – a grant here, a pork barrel program there, etc. This is one place that Mr. Trump can make a big impact by increasing funding for NSF grants on cybersecurity research as well as a homegrown DARPA cybersecurity research effort. On the education front, Mr. Trump should double down on the NIST national initiative for cybersecurity education (NICE) efforts, greatly increase funding for scholarships for service: CyberCorps, and grow investment in NSF and NSA information assurance scholarships. The feds should prioritize programs at Universities that achieve academic cybersecurity center of excellence status but also invest in community colleges with strong computer science programs. Finally, the Trump administration should provide special incentives to minorities and women seeking a cybersecurity education. This would help diversify the workforce and address some of the stigmas from the recent campaign.
- Do push for International cooperation on cybersecurity. This is an area where Mr. Trump can use his personal skills as a deal maker by leading an International effort for establishing cybersecurity norms. In this case, the President-elect’s collaboration efforts will start at home by alleviating US military and intelligence leaders’ fears that an International agreement will degrade US offensive capabilities. What’s needed here is an agreement that bans industrial espionage, governs attacks on the critical infrastructure of sovereign nations, and establishes methods for International law enforcement cooperation on cybersecurity. This would be a crowning achievement if deal-maker Trump could schmooze his way to International cooperation while creating rules of engagement for military and intelligence use cases.
In my humble opinion, these suggestions align well with Mr. Trump’s strengths, his campaign promises, and a Republican agenda. Look for my “don’ts” blog next week.