Task Force Issues Cybersecurity Advice to Donald Trump'From Awareness to Action: A Cybersecurity Agenda for the 45th President'
A task force co-chaired by two U.S. lawmakers and a former federal CIO is issuing a 34-page report recommending a cybersecurity agenda for the incoming Trump administration. The report recommends the new administration jettison outdated ways the federal government tackles cybersecurity, noting: "Once-powerful ideas have been transformed into clichés."
The report from the CSIS Cyber Policy Task Force - From Awareness to Action: A Cybersecurity Agenda for the 45th President - will be formally unveiled on Jan. 5. It comes from the think tank Center for Strategic and International Studies, which sponsored the Commission on Cybersecurity for the 44th Presidency that made recommendations to then-President-elect Barack Obama in 2008.
"In the eight years since that report was published, there has been much activity, but despite an exponential increase in attention to cybersecurity, we are still at risk and there is much for the next administration to do," the new report's introduction states.
Cybersecurity Goals for Trump Administration
The task force outlined five major issues President-elect Donald Trump and his administration should address, including:
- Deciding on a new international strategy to account for a very different and dangerous global security environment.
- Making a greater effort to reduce and control cybercrime.
- Accelerating efforts to secure critical infrastructures and services and improving cyber hygiene across economic sectors. As part of this, the Trump administration must develop a new approach to securing government agencies and services and improve authentication of identity.
- Identifying where federal involvement in resource issues, such as research or workforce development, is necessary, and where such efforts are best left to the private sector.
- Considering how to organize the U.S. effort to defend cyberspace. Clarifying the role of the Department of Homeland Security is crucial, and the new administration must either strengthen DHS or create a new cybersecurity agency.
Ditching Outmoded Security Practices
Task force members recommend the new administration should get rid of outdated ways the federal government tackles cybersecurity. The report notes: "Statements about strengthening public-private partnerships, information sharing or innovation lead to policy dead ends. ... Once-powerful ideas have been transformed into clichés. Others have become excuses for inaction."
As an example, the task force cites the National Strategy for Trusted Identities in Cyberspace, a government initiative unveiled in 2011, which envisioned a cyber-ecosystem that promotes trust and security while performing sensitive transactions online. The task force contends NSTIC "achieved little," asserting that such initiatives fail because they aren't attuned to market forces. "There are few takers for a product or service for which there is no demand or for which there are commercial alternatives."
The task force makes recommendations on dozens of policies and technologies.
On encryption, for instance, it suggests that the president develop a policy that supports the use of strong encryption for privacy and security while specifying the conditions and processes under which assistance from the private sector for lawful access to data can be required. It also states that the president should direct the National Institute of Standards and Technology to work with encryption experts, technology providers and internet service providers to develop standards and ways to protect applications and data in the cloud and provide secure methods for data resiliency and recovery.
"Ultimately," the report says, "encryption policy requires a political decision on risk. Untrammeled use of encryption increases the risk from crime and terrorism, but societies may find this risk acceptable given the difficulty of imposing restrictions. No one in our groups believed that risk currently justifies restrictions."
In battling cybercrime, the task force sees "active defense," a term it says has become associated with vigilantism, hack back and cyber privateers, as only a stopgap measure to address the private sector's frustration over the apparent impunity of trans-border criminals. The Trump administration should seek ways to help companies move beyond their traditional perimeter defenses and focus on identifying federal actions that could disrupt cybercriminals' business model or expand the work of federal agencies and service providers against botnets, according to the report.
To make cybercrime less profitable, the task force recommends the new administration identify actions that would impede the monetization of stolen data and credentials. Other recommendations include accelerating the move to multifactor authentication and identifying better ways to counter and disrupt botnets, a growing risk as more devices become connected to the internet. The task force says this could be done by expanding the ability to obtain civil injunctions for use against botnets and raising the penalties for using botnets against critical infrastructure.
The role of the military to protect civilian critical infrastructure turned out to be among the most contentious issues the group debated. A few task force members said that the Defense Department should play an expanded and perhaps leading role in critical infrastructure protection, according to the report. Most members, though, believed that this mission must be assigned to a civilian agency, not to DoD or a law enforcement agency such as the FBI.
"While recognizing that the National Security Agency, an element of DoD, has unrivaled skills, we believe that the best approach is to strengthen DHS, not to make it a 'mini-NSA,' and to focus its mission on mitigation of threats and attacks, not on retaliation, intelligence collection or law enforcement," the report states.
Organizing Government Cybersecurity
DHS is the focal point in cybersecurity protection among civilian agencies as well as civilian-led critical infrastructure. The task force recommends that an independent agency be established within DHS focused exclusively on cybersecurity.
The task force says Trump should quickly name a new cybersecurity coordinator and elevate the White House position two notches to assistant to the president from special assistant to the president. Also, the group says Trump should back away from his pledge to conduct a cybersecurity review, as was done at the beginning of the Obama administration.
The task force co-chairs are:
- Rep. Michael McCaul, R-Texas, chairman of the House Homeland Security Committee and co-founder of the Congressional Cybersecurity Caucus;
- Sen. Sheldon Whitehouse, D-R.I., sponsor of legislation to require federal law enforcement and national security agencies to account for cyberattacks;
- Karen Evans, a cybersecurity adviser to the Trump transition team who's national director of the U.S. Cyber Challenge and formerly served as White House administrator for e-government and information technology, a position now known as U.S. CIO; and
- Sameer Bhalotra, co-founder and CEO of the cybersecurity startup Stackrox and a senior associate at CSIS.
CSIS Senior Vice President James Lewis, the think tank's cybersecurity expert, served as the task force project director.
Correction: In an earlier version, the last name of one of the task force's co-chairs was misspelled. He's Sameer Bhalotra, not Ghalotra.