
Cybersecurity Prospects for a New Administration: The Experts Weigh In


Spanning healthcare, governance, commerce, and defense, cybersecurity touches so many disciplines that it can be hard to pinpoint priorities for the incoming administration. Unfortunately, America’s new leadership is walking into the middle of a complex, contested environment, and the new administration will not have much time to get its feet on the ground. To help identify key priorities, we turned to the experts of New America’s Cybersecurity Initiative, asking what policy moves they would like to see:

Emefa Addo Agawu

Program Associate, New America Cybersecurity Initiative

As information systems ubiquitously underlie key governing functions, states and localities are increasingly critical to the nation’s cybersecurity. Recognizing the essential role played by non-federal governmental actors on the ‘front lines’, the incoming administration should prioritize (and invest in) its relationships with these more local authorities. This includes efforts to clarify the respective roles of and responsibilities for federal and state entities, as well as disseminating the many existing and helpful resources to state and local actors who are currently operating in relatively resource-starved environments. Investing in robust relations between the federal government and state and local actors is essential to (cyber)securing the nation.

Laura Bate

Program Associate, New America Cybersecurity Initiative

The scale and scope of the work required to improve national cybersecurity is monumental, with job openings in the industry vastly outpacing the number of trained workers. Nonetheless, current efforts are not tapping into all possible sources of talent in the country; only 11% of the information security workforce is women, and African Americans and Hispanics combined make up less than 10% of the workforce. In order to expand the cybersecurity community to meet a threat to the whole population, the government must find ways to draw workers from all of the demographics that make that population up.

Nicole Becher

Director of Cyber Operations, Fractal Industries

Today, the internet is critical to the functioning of our democracy. Policies or recommendations that aspire to protect or defend it should therefore first be debated in a public forum. More public conversation from a variety of stakeholders will help the US balance a cyber strategy that improves national security while protecting the freedom of the internet. It will also help the American people understand exactly what these policies mean for them.

Adam Elkus

PhD student in Computational Social Science, George Mason University

The US government needs to clarify the mixed messages it sends to the information security community. Some government agencies say that we desperately need hacker expertise for security innovation. But the credibility of this message is diluted by other government agencies' negative attitudes towards cryptography and other important security and privacy tools valued by the information security community. It would be unrealistic to expect the US government to always speak with one voice, but as a businessman, President-elect Trump surely grasps that it’s important to ensure that different divisions of the 'company' are not tripping each other up.

Jason Hong

Associate Professor, Carnegie Mellon University

The Internet of Things, which is arriving rapidly, offers many potential benefits to society, but only if we can address the many privacy and security issues. We have already seen massive denial of service attacks, but unless things change, there will also be new kinds of ransomware—people may even die. Government agencies like NIST and FTC have already put out guidelines, but we also need government funding and support to push for better education, better platforms, and automated tools to prevent basic security flaws from cropping up in products.

Alex Kreilein

Cofounder and Managing Partner, SecureSet

The development of a cybersecurity workforce that meets the needs of the nation will require thoughtful and diligent creativity without sacrificing quality for quantity. The incoming administration should work with the National Centers of Academic Excellence in Cyber Defense programs at NSA and DHS to include certifications of programs outside the traditional university circles. Much as code schools made computer programming more widely accessible, we must do the same with cybersecurity if we are to meet the growing need for qualified practitioners.

Robert Lee

Founder and CEO, Dragos, Inc

The new administration needs to clearly affirm its commitment to protecting the nation’s most critical infrastructure, such as the power grid, pharmaceutical companies, oil facilities, and other components of the industrial control system (ICS) community. To do this, it should encourage companies to invest in cybersecurity with incentives such as tax credits, but it should also place a strong focus on technical skills development and technical leadership. Job development incentives for cyber defense skill sets, trade and journeyman programs to scale expertise that the community already possesses, and clear communication to the sectors that ICS security is a vital interest the government is comfortable investing in will all go a long way to denying our adversaries leverage over us. Such a holistic approach will ultimately set the country on a path to holding on to strategic advantage in the areas of cyber defense and economic development.

Brian Nussbaum

Assistant Professor, University of Albany

From securing the electrical grid, to providing clean drinking water, to electing our national officials, many of our most critical national responsibilities are either carried out by state and local governments, or regulated by them. I would like to see the new administration set up a body representative of state and local governments nationwide to help shape federal cybersecurity developments, and to challenge federal agencies (not just the Department of Homeland Security, but also National Institute of Standards and Technology, the Federal Trade Commission, and others) to take the concerns and needs of state, local, tribal and territorial governments much more seriously.

Ross Schulman

Co-Director, New America Cybersecurity Initiative

The U.S. can lead by integrating security, privacy, and human rights as indivisible pillars of national and global security in the internet age, moving us toward a paradigm of people-centric security.
• Strong encryption: Work to build global consensus among countries committed to a free and open internet that companies should not be required to subvert encryption systems in ways that enable authorities to access protected information.
• Surveillance reform: Reform domestic surveillance laws to acknowledge the ways people use digital technology in the 21st century. Limit the scope of such laws and improve transparency and oversight around their implementation. Lead a global conversation about the appropriate relationship between surveillance, democracy, and accountable governance.
• Defend privacy on global internet platforms: In forging or revising international agreements, ensure that law enforcement access to data across borders does not substantially diminish the privacy protections currently afforded to international users of U.S. services.

Paulo Shakarian

Assistant Professor, Arizona State University

I think the new administration should continue excellent research initiatives such as DARPA’s Enhanced Attribution and IARPA’s CAUSE, both of which have focused on next-generation analytics on cyber threats. Efforts like these are enabling researchers to better understand cyber threat actors and how to assemble the pieces of the cyber threat puzzle – which inherently addresses the “offense dominant” aspects of cyber security. In short, programs like these are designed to lessen the advantage of the attacker, as they grant the defender clear insights into what his or her opponent is doing.

Peter W. Singer

Strategist and Senior Fellow, New America

One of the lesser noticed acts of the Obama administration after the OPM breach was to identify a series of best practices that private industry uses in cybersecurity that could be brought into government, as well as create a bipartisan commission of experts, which in December 2016 issued its own set of recommendations. These range from identifying high-value assets that need to be better protected and recruiting top human talent to accelerating the deployment of detection systems. Ensuring the implementation of these steps could be one of the most important things that the new Congress could do to limit our cyber-insecurity. And the fact that they have been drawn from market lessons and bipartisan advice should make them politically feasible for GOP leaders.

Ian Wallace

Co-Director, New America Cybersecurity Initiative

The most important task for the Trump Administration's cybersecurity policy will be to chart a strategy that strikes the right blend of public, private, and non-profit contributions. To do so it will need to abandon some of the president's more simplistic campaign rhetoric and develop a truly “whole of nation” approach. This is not a problem that the Department of Defense can “fix” in 90 days (or even four years), but rather a multi-decade challenge that will require a suite of measures across government, many of which are aimed at incentivizing private sector and international behavior. But neither should the Administration succumb to Mayor Giuliani’s fallacy that all the nation’s best cyber talent lies in the private sector. Both directly—through the intelligence agencies, government-led research and diplomatic engagement—and indirectly—through stewardship of standards processes, imaginative regulation, and support to state and local governments—the federal government has an essential role to play.