Trump Administration Should Read and Heed Obama Cyber Report

As the nation deals with intelligence reports of Russian hacks of the U.S. presidential election, some of us in industry are pondering how President Donald Trump will tackle cybersecurity issues.

He already has a good road map. In December, the Commission on Enhancing National Cybersecurity issued its “Report on Securing and Growing the Digital Economy.” Kudos are in order. It is high time the executive branch dug deeply into cybersecurity issues.

The commission surveyed published material and talked with government, university and business experts in visits to five locations across the country, producing a truly outside-in state of cybersecurity survey. I’ve been involved in the industry for decades, and have never seen anything like it. We should applaud the commission’s charge that “our commitment to cybersecurity must match our commitment to innovation.” Commission leaders Tom Donilon, former national security adviser, and Sam Palmisano, retired CEO of IBM, impressed me.  

The commission did not sugarcoat its findings, which are clear and actionable and confirm what RedSeal has been declaring for the last three years—focusing cybersecurity efforts on prevention and detection is necessary, but not enough. Where people are involved, there is no perfect defense. Someone somewhere will err, allowing bad actors into a network.

Organizations must be resilient so they can minimize damage and recover quickly. “Resilience must be a core component of any cybersecurity strategy,” reads a portion of the commission’s report. “Today’s dynamic cyberthreat environment demands a risk management approach for responding to and recovering from an attack.”

We cannot just stand up a cyber army and expect to defeat cyber criminals. It requires a combination of people and innovative technology to overcome enemies.

To that end, I offer this to the Trump administration: heed a few action items from the report, such as the need for public and private cooperation. The commission calls for a “joint cybersecurity operation program for the public and private sectors to collaborate on cybersecurity activities to identify, protect from, detect, respond to, and recover from cyber incidents affecting critical infrastructure.”

This kind of collaboration requires information sharing and mutual trust. Candidly, it will be tough to convince skeptical businesses to share information with the government. We must try to get it right.

The report also emphasizes the importance of metrics, and calls for creation of a working group to develop industry-led, consensus-based metrics. It even recommends that the Office of Management and Budget integrate cybersecurity metrics with agency performance metrics. I could not agree more. It is an established business truth that you can’t manage what you can’t measure. Those measurements need to be relevant across and between business and government.

I do disagree with the commission’s call to create a new position, an assistant to the president for cybersecurity. Rather than focusing solely on cybersecurity, this position should focus on risk—examining the combination of physical and digital risks. With so many “things” controlled by software, our digital world has become an inextricable part of our physical world. To consider one without the other is not a good strategy.

Improving cybersecurity won’t be simple. I hope the Trump administration takes this issue seriously. As the old saying goes, Rome wasn’t built in a day. We won’t solve this in a day. But Rome was built. And we will solve this issue, too. To get started, we need a road map.

Ray Rothrock is chairman and CEO of RedSeal, a network modeling and risk scoring company.

Image credit: www.bluecoat.com/