
SPOTLIGHT ON SECURITY

What Should be on the Next President’s Cyberagenda?

When the new president takes up residence at 1600 Pennsylvania Ave., cybersecurity will be on the shortlist for action. What’s a president to do?

TechNewsWorld asked more than a dozen experts what should be at the top of the new leader of the free world’s cyberagenda. Following are some of their responses.

“The president has to set the tone early on cybersecurity — within the first 100 days — and say right off the bat that this matters,” said Sam Curry, chief product officer at Cybereason.

The first priority should be protecting government systems, he explained.

“New cabinet secretaries have to understand that their mission can’t be done without secure systems,” said Curry. “Far too often, cybersecurity is not even on the list of priorities for initiatives and agencies and staffing.”

All government agencies should be required to adopt a formal assumption of breach framework, recommended Jeffrey Carr, CEO of Taia Global.

“This means that they acknowledge that they are currently in a state of breach,” he explained, “and must immediately act to identify and secure their critical assets as well as build in resiliency.”

Share the Wealth

Information sharing is another issue that needs executive attention.

Some progress has been made in sharing cyberintelligence between public and private sectors during the current administration, but the next administration should ramp up those efforts, recommended Scott J. White, director of the cybersecurity program at The George Washington University.

“The United States has the largest intelligence-gathering apparatus in the world,” he pointed out.

“Who is it gathering that intelligence for? If it’s gathering intelligence just for its own internal consumers in government, then we’re making a mistake,” White continued. “We have to be able to get real-time, threat-based cyberintelligence to the private sector.”

Public-private cooperation is important in organizing the nation’s cybersecurity efforts, maintained Damien Van Puyvelde, an assistant professor at The University of Texas at El Paso.

“This is something that President Obama has been focusing on, and it’s something I’d expect the next president to focus on,” he said. “If the president wants a strong economy, then the president needs to make efforts to make sure the private sector is protected from cybercrime and cyberthreats.”

Do No Harm

The new president should concentrate on initiatives that strengthen cybersecurity and not weaken it, maintained James Scott, a senior fellow at the Institute for Critical Infrastructure Technology.

Critical infrastructure organizations protect their sensitive data through strict access controls and data encryption, he explained, yet legislation has been introduced in Congress to undermine those protections.

“Legislation that would weaken those controls by imposing nonessential access, such as backdoors, or that would weaken consumer protections such as encryption, are demonstratively harmful to the cybersecurity of the nation,” Scott said.

“Legislators would better spend their time, attention and resources focusing on correcting or mitigating the fundamental root faults in systems and processes that enable attackers to compromise systems, and that prevent public and private sector organizations from mitigating the risk before harm is realized,” he added.

New Civil Defense

The new president also should turn up the heat on protecting the nation’s infrastructure from cyberattack, recommended Scott Borg, CEO of the U.S. Cyber Consequences Unit.

The creation of a national cyber-recovery plan designed along the lines of the civil defense plans created for response to a nuclear attack is one thing he advocates.

“We really haven’t acknowledged the extent of the damage that could be done by a cyberattack on our infrastructure,” Borg said. “Industrial control systems could be hijacked and cause massive physical damage. That could be done with a migrating piece of malware with no Internet connection, as was done with Stuxnet.”

Russia and China may already have planted sleeper malware in U.S. industrial systems that can be triggered remotely. However, since the United States has likely planted similar malware in those countries’ systems, a standoff similar to the nuclear stalemate of the Cold War exists.

“I’m not particularly worried about the Russians or Chinese,” Borg said. “What I’m worried about is some completely irresponsible agent without any involvement in the modern economy acquiring these capabilities.” [*Correction – Oct. 17, 2016]

Don’t Fumble

Above all else, the new administration should not set out to reinvent the wheel.

“We should keep making progress where we’re making progress,” said Jeff Greene, director of government affairs for North America at Symantec.

“New administrations have a habit of coming in and wanting to start everything anew,” he said.

“Make improvements, add new policy, but don’t do one of these complete fresh looks — that would set us back,” Greene cautioned.

“The momentum needs to continue and grow,” said Cybereason’s Curry. “The handoff between administrations should not be a fumble.”

Breach Diary

  • Oct. 3. U.S. Surgeon General warns 6,600 medical professionals in his “commissioned corps” that their personal information is at risk by a breach of the agency’s personnel system.
  • Oct. 3. U.S. District Court Judge Andrea R. Wood dismisses class action lawsuit against Barnes & Noble related to a compromise of its point-of-sale systems in 2012. Plaintiffs failed to show they had suffered any actual damages because of the data breach, she found.
  • Oct. 3. Internet Insurance Group launches DataBreachCoverage.com to offer cyberliability insurance coverage options to small businesses nationwide.
  • Oct. 3. SANS Institute releases survey showing more information security professionals are concerned about unauthorized outsiders accessing data stored in a public cloud this year (62 percent) compared with last year (40 percent).
  • Oct. 4. Yahoo last year built a custom program to search all its customers’ incoming emails for information provided to it by U.S. intelligence officials, Reuters reports. Yahoo later denies the claims in the report.
  • Oct. 4. Amazon has alerted some of its customers that their passwords have been reset after discovering their Amazon email address and password corresponded to a login list posted online, The Sunday Express reports.
  • Oct. 4. Thomas White, aka “The Cthulhu,” posts to his website as a free download information from more than 68 million Dropbox accounts stolen in a 2012 data breach of the service.
  • Oct. 4. Personal data of more than 15 million users of websites run by C&Z Tech Limited, which include HaveAFling.mobi, HaveAnAffair.mobi and HookUpDating.mobi, is at risk after a database for the sites was found exposed to the Internet without a password.
  • Oct. 5. The FBI has arrested Harold T. Martin, a former employee of NSA contractor Booz Allen Hamilton, and is investigating whether he stole and disclosed classified security code developed by the agency to compromise the networks of foreign governments, The New York Times reports.
  • Oct. 5. UK Information Commissioner’s Office orders TalkTalk to pay a fine of £400,000 in connection with a 2015 data breach that affected 150,000 customers.
  • Oct. 5. Fancy Bears, the hackers who published online medical records stolen from the World Anti-Doping Agency, may have doctored some of the data in those records, the BBC reports.
  • Oct. 5. Australian Public Service Commission removes its annual employee census from public access on the Internet over security concerns about the database, which contains confidential information about the agency’s 96,000 workers.
  • Oct. 6. Verizon wants the US$4.8 billion it agreed to pay for Yahoo reduced by $1 billion due to bad news about the company, including the theft of data in 2014 affecting 500 million accounts, the New York Post reports.
  • Oct. 6. American 1 Credit Union in Jackson, Michigan announces it will decline all purchases made at Wendy’s by its payment card holders because it doesn’t believe the fast food chain has removed all the malware that infected its point-of-sale systems in more than 1,000 locations in 2015.
  • Oct. 6. Montana Department of Justice reports 110,000 citizens of the state were victims of data breaches in the last 12 months.
  • Oct. 6. Central Ohio Urology Group reports to U.S. Department of Health and Human Services that 300,000 patients were affected by data breach in August, the eighth largest breach in the U.S. this year.
  • Oct. 7. U.S. government formally accuses Russia of a campaign of cyberattacks against Democratic Party organizations ahead of the Nov. 8 presidential election.

Upcoming Security Events

  • Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.
  • Oct. 18. IT Security and Privacy Governance in the Cloud. 1 p.m. ET. Webinar moderated by Rebecca Herold, The Privacy Professor. Free with registration.
  • Oct. 18-19. Edge2016 Security Conference. Crowne Plaza, 401 W. Summit Hill Drive, Knoxville, Tennessee. Registration: before Aug. 15, $250; after Aug. 15, $300; educators and students, $99.
  • Oct. 18-19. SecureWorld St. Louis. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Oct. 18-19. Security of Things, A Smart Card Alliance Event. Hilton Rosemont Chicago O’Hare Hotel, 5550 N. River Rd., Rosemont, Illinois. Registration: members, $775 before Oct. 8, $885 after; nonmembers, $895 before Oct. 8, $1,045 after.
  • Oct. 19. Crisis Communication After an Attack. 11 a.m. ET. Webinar by Hewlett Packard Enterprise and FireEye. Free with registration.
  • Oct. 20. Securing Cloud with Multifactor Authentication. 1 p.m. ET. Webinar by Vanguard Integrity Professionals. Free with registration.
  • Oct. 20. Los Angeles Cyber Security Summit. Loews Santa Monica Beach Hotel, 1700 Ocean Ave., Santa Monica, California. Registration: $250.
  • Oct. 20. B-Sides Raleigh. Marbles Kid Museum, 201 E. Hargett St., Raleigh, North Carolina. Registration: $20.
  • Oct. 22. B-Sides Jacksonville. Sheraton Hotel, 10605 Deerwood Park Blvd., Jacksonville, Florida. Registration: $10.
  • Oct. 27. SecureWorld Bay Area. San Jose Marriott, 301 S. Market St., San Jose, California. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • Nov. 1-4. Black Hat Europe. Business Design Centre, 52 Upper Street, London, UK. Registration: before Sept. 3, £1,199 with VAT; before Oct. 29, £1,559 with VAT; after Oct. 28, £1,799 with VAT.
  • Nov. 9-10. SecureWorld Seattle. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Nov. 12. B-Sides Jackson. Old Capitol Museum, 100 South State St., Jackson, Mississippi. Free.
  • Nov. 12. B-Sides Atlanta. Atlanta Tech Village, 3423 Piedmont Rd. NE, Atlanta, Georgia. Free.
  • Nov. 12. B-Sides Boise. Trailhead, 500 S. 8th St., Boise, Idaho. Cost: $10.
  • Nov. 12. B-Sides Charleston. Beatty Center, College of Charleston, Charleston, South Carolina. Free.
  • Nov. 28-30. FireEye Cyber Defense Summit 2016. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: through Sept. 30, general admission, $495; government and academic, $295; Oct. 1 - Nov. 21, $995/$595; Nov. 22-30, $1,500/$1,500.

*ECT News Network editor’s note – Oct. 17, 2016: Our original published version of this column incorrectly quoted Scott Borg, CEO of the U.S. Cyber Consequences Unit, as saying, “I’m particularly worried about the Russians or Chinese.” He actually said that he was “not particularly worried about the Russians or Chinese” (italics ours). We regret the error.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
