After about 15 years of constant, cumulative progression, the U.S. cybersecurity strategy is adding a new dimension. The Trump administration released its cybersecurity strategy last month with a promise to take a stronger offense to attacks.
It also aims to be tougher on third-party vendors who host federal data on their networks.
Larry Clinton, president and CEO of Internet Security Alliance, said it was a positive sign that leaders are looking to consolidate and clarify cybersecurity responsibilities, as well as to rely on the Homeland Security Department for non-defense protection needs.
“I think that the evolution of the need to have senior management involved at the agencies is a natural and positive evolution in that direction,” Clinton said on Federal Monthly Insights: Cybersecurity. “I think that the notion that when the agencies review their cyber policies they need to involve their budgeting process into it and they need to be addressing cyber risk management, not just from a technical — from an economic perspective.”
A sloppy risk assessment can lead to the misallocation of resources, false positives and an unrealistic sense of security, he said. Clinton recommended better budgeting and ditching the favored “check box” model used until now.
He said that agencies merely work through a series of steps with context as to why they are taking such measures or whether one step is more critical than another. The X-Analytics risk quantification model patented by Secure Systems Innovation Corporation, and the Factor Analysis of Information Risk (FAIR) model by the FAIR Institute were offered as examples of other options.
And Clinton said that contractors also need to offer more sophisticated cyber risk management options as well.
“If you are a potential contractor who can be at the head of the line with regard to articulating a more sophisticated understanding of the cyber problem, of the risks associated and how your products can help in that broader sense, I think that you’re going to be in a much better position competitively than a traditional entity that is just sticking to the traditional model,” he said on Federal Drive with Tom Temin. “I think the government, which is a lagging indicator in the space, is going to be coming around to that way of thinking and I think the contracting community would be wise to get on board.”
However, too many requirements on smaller defense providers may cause them to walk away from government business, he said.
He said that while the Obama administration’s National Infrastructure Protection Plan 2013 acknowledged the public and private sectors have similar yet different methods for cyber risk management, DHS is now making a concerted effort to address the gaps. Clinton called this “somewhat subtle but important” changes in national cyber strategy.
A new risk management center at the agency, as well as re-examining the economics of supply chain management and linking science and technology to cybersecurity will make for an overall more sophisticated strategy.
On the foreign investment intellectual property theft fronts, the Trump administration’s strategy is going further than past plans. Clinton stressed that while he and the Internet Security Alliance do not think the federal government is moving fast enough, the changes are welcome.
As for an enhanced offense, he said the matter is a sensitive one. The internet is not like a land perimeter, as it is inherently vulnerable and weakened on a regular basis as technologies develop, he said. How to respond to cyber attacks, such as “hacking back” or issuing sanctions based on the hacker’s origins can get problematic because they hacker can disguise their true identity. Clinton also said that military responses to attacks on civilian entities, such as hospitals and power grids, means the private sector needs to be a cybersecurity partner, not merely a stakeholder.