First steps Trump should take on cybersecurity

Despite all the hullabaloo about cybersecurity during the presidential campaign — from the WikiLeaks dumps of hacked emails to the Russia-linked breach of state electoral machinery — there was surprisingly little substantive talk by the candidates about how to stop cyberattacks.

Now it will be up to President-elect Trump and his administration to figure out ways to thwart the cyber crime that is occurring with greater frequency and severity against businesses, governments and critical infrastructure.

Shoring up cybersecurity is a massive and complex issue, but the new administration can take positive near-term steps in its own backyard by better protecting government data and creating accountability for departments and agencies.

{mosads}Not only could these steps start bearing results almost right away; their fiscal cost would be negligible. Washington doesn’t need a Manhattan Project-style investment in cybersecurity research right now as much as simply a stronger commitment to fundamental policies and processes that improve readiness.

How to start?

Quickly gain situational awareness. The old adage that “you can’t manage what you can’t measure” is particularly true in cybersecurity.

Trump is accustomed to measuring businesses’ performance and he should do the same for federal agency cybersecurity performance.

Trump and his national security team need to quickly understand how Cabinet-level departments and agencies are performing with respect to cybersecurity. The president-elect should request that departments and agencies immediately begin reporting cybersecurity metrics and measurements to senior leadership. Agencies should be asked to report information about overall security performance, events/incidents, third-party security findings and other material issues.

As an executive, the president-elect should expect that this information be presented in an understandable, graphic format. These types of reports are commonly produced in the private sector, where chief information security officers in large multinational businesses regularly report cybersecurity performance to senior executives and the board in a manner that can be understood and consumed by leadership.

Establishing cybersecurity reporting from departments and agencies is critical to tracking performance over time, creating accountability within the government, and will help the president-elect make key resourcing decisions in the future.

Prioritize protection of government “crown jewels.” During the campaign, Trump suggested that he would bring a focus to protecting the nation’s most critical assets.

He called for a team from the military, law enforcement and the private sector to review “all U.S. cyber defenses and vulnerabilities” and recommend methods “for safeguarding different entities with the best defense technologies tailored to the likely threats.”

Focusing on protecting the government’s “crown jewels” is an excellent way to approach the problem. After the catastrophic Office of Personnel Management (OPM) data breach, the Obama administration began a project to identify and protect government crown jewels inside government networks.

The private sector has been doing this for years — it’s a smart way to prioritize resources and focus on the things that matter.

But there’s a big gap in the current approach. One of the crucial lessons learned from the OPM hack is that some of the most sensitive government data resides on contractor or third-party networks. The president-elect will want to secure the government’s most sensitive data regardless of where it resides.

Fortunately, cybersecurity leaders in the financial sector, retail, insurance and other sectors can share some best practices with the government on this issue.

Emphasize accountability and responsibility. One of the most important things that the president-elect can do is emphasize accountability and responsibility for cybersecurity within departments and agencies.

This is important for federal employees and senior agency officials alike: Everyone plays a role in protecting federal agency data. Building a “culture of security” has been the focus of many Fortune 500 CEOs in recent years, and Trump can help set that tone at the top through simple messages to employees and leadership.

Furthermore, data-driven performance metrics and measurements can create accountability before a crisis occurs. Pointing fingers after a massive data breach doesn’t make our data more secure. Using metrics, President-elect Trump can shift the focus towards proactive management.

Begin an assessment of current cyber policies. Trump may consider assessing the Obama administration’s current cybersecurity policies and initiatives.

There is precedent for this. President Obama’s national security staff performed their own “60-day cyber review” during the early days of his administration in order to gain a better understanding of President George W. Bush’s decisions regarding personnel, policy and funding. This is useful to understand what’s working and what isn’t working.

In addition to his own review, the president-elect may also benefit from independent recommendations by thought leaders in cybersecurity. Obama appointed a national cybersecurity commission comprised of nonpartisan experts to provide recommendations to the next administration, while the Center for Strategic and International Studies think tank is also scheduled to release a report shortly. Both are certain to obtain thoughtful advice for the president-elect to consider.

By following these four steps, the new administration can pick off low-hanging fruit in addressing one of the nation’s most pressing issues and set the federal government up for long term success in cybersecurity. 

Jake Olcott is vice president of business development at BitSight, which provides companies with objective, evidence-based security ratings. He has previously worked as legal adviser to the Senate Commerce, Science and Transportation Committee on cybersecurity and staff director for the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity, Science and Technology.

The views expressed by contributors are their own and not the views of The Hill.