Given the unexpected results of the US election, it is hard to predict the future, particularly in sorting out campaign rhetoric from policy intent. In general, Trump’s pro-jobs, pro-business resolve will likely loosen constraints on companies in terms of industry regulations and taxation while supporting employee expansion and capital investments.
Trump will need to reconcile his image as a populist Washington outsider who will champion the common man with the business leader who will ease burdens and restrictions.
Changes will be made to cyber security - this is nearly certain. The election itself was highly charged with security issues that created at the very least tension, and at its height, a kind of hysteria. A string of email attacks that ensnared DNC leaders and even Hillary Clinton’s campaign manager revealed the impact that cyber warfare can have on a national election.
A survey conducted at Black Hat this summer in Las Vegas, attended by those most would consider “cyber savvy”, showed that 66 per cent believed cyber criminals were influencing the outcome of the presidential election. If cyber professionals hold this view, imagine the temperament of the rest of the country.
Security concerns didn’t end with the high-profile DNC email hacks. Loose talk of a “rigged” election sent state elections agencies scrambling to ensure that the elections process—the hallmark of democracy—was free from cyber threats and tampering.
Now, with growing outrage over the Yahoo breach and the lengthy notification delays, cyber security is becoming a runaway public issue. It could easily cost Yahoo a billion dollars or more in its acquisition price—which I like to call “the data breach discount”—or derail the agreement altogether. This comes against a backdrop of a myriad of other network attacks, including the National Security Agency (NSA) being hacked and its clandestine exploits offered up for auction to the highest bidder. Tesco Bank and Adult Friend Finder also learned this month how dangerous—and damaging—cyber attacks can be.
Data breaches are not only becoming bigger and more frequent, but are generating more devastating consequences. Manipulation of financial systems and resulting losses at international banks show that cyber attacks can lead to fraudulent wire transfers, millions of dollars of losses, and even, potentially, financial instability. And what could be more frightening than the admission last month from the International Atomic Energy Agency (IAEA) director, Yukiya Amano, that an unnamed nuclear power plant had been “disrupted” but not shut down by a cyber attack? Imagine what could have happened.
Clearly cyber security will be a big issue for the President Elect. It must be addressed in multiple dimensions. First, there is the federal government itself. Then there is the issue of how to better protect consumers. Finally, there are the offensive and defensive capabilities of cyber warfare.
Most government agencies and functions face housekeeping and a stern review by the Trump Cabinet. If the public has sagging confidence in the ability of federal agencies to protect information and resources, something must change. There is a long track record of failure after failure, ranging from the Office of Personnel Management (OPM) to the Internal Revenue Service (IRS) to the FBI and even the White House. Like most enterprises, federal agencies are simply not equipped to find network attackers early and stop them before theft or damage occurs. This has to change.
Trump may appoint political outsiders to assess federal cyber security or may demand accounting from each department. Top-down efforts have already improved security hygiene, but most agencies still lack true detection capability. Changes to authentication, access, encryption, network segmentation, patching and other forms of security improvements provide worthwhile tune-ups for preventative security and may make it more difficult for an attacker to get to assets, such as data and intellectual property, but they do not solve the overall attack problem. Like enterprises, federal agencies need to take on the ability to find an active attacker—whether a malicious insider or a targeted external party—that is at work on the network, secretly working towards their nefarious goals. They need to add a new approach that will accurately detect such an attacker.
In terms of better protection for consumers dealing with commercial entities, Trump may well consider new potent legislation that could add formidable requirements and penalties for safeguarding personal information and make organisations face significant punitive measures if they have a data breach.
Sweeping legislation such as the General Data Protection Regulation (GDPR) in the EU would be a true test of business versus consumers for Trump. Once enforceable in May 2018, the GDPR sets out penalties of up to 4 per cent of worldwide revenue or €20 million, whichever is greater. Even to a Fortune 500 company this represents a significant cost. In addition, companies face clean-up costs and settlement payouts for damages.
Trump should weigh consumer concerns and frustrations against industry regulations that impinge on business. It is certainly reasonable for US citizens to expect that they would have similar protections as Europeans with regard to timely breach notification and the application of best practices to safeguard personal data. The level and magnitude of breaches today are alarming, and organisations should be compelled to apply the latest measures and best efforts to turn the tide.
Finally, the election and some news cycles referenced the country’s overall cyber warfare capabilities in terms of both offence and defence. Clearly threats may come from large or small countries. Is cyber warfare a cat and mouse game that is played out between any countries, or does a country like the US have a considerable advantage both offensively and defensively? Does the US need to improve and grow its cyber warfare capabilities? If pushed, could the government deliver a striking cyber blow on an antagonist?
At the same time, could it step in and properly protect infrastructure to avoid a catastrophe or meltdown of commerce and daily life? By answering these questions, we can begin to devise a plan that addresses the most critical security risks.
Kasey Cross, Director of Product Management, LightCyber