Back in time
On this first day of a Donald Trump presidency, many people around the world are watching and wondering what is going to happen in corporate America. The speculation is no less prevalent in the security industry. After all, cybersecurity has become a “hot topic” in the last few years, gaining a great deal of public awareness and interest. With that heightened awareness—and the realities (dangers) of increased digital assets—the Obama administration made grand gestures towards improving cybersecurity policies and programs which promised $19 billion in funding, support, and increased public-private collaboration.
New initiatives were launched within the federal government, and private enterprises stayed the course in developing new tools and technologies to defend against a growing number of threats. More recently, the freshly inaugurated U.S. President has had strong words for our adversaries, and he’s vowed publicly to improve cyber capabilities. But what will the next four years hold? Only time will tell, and industry experts have some thoughts.
Tell me doctor, where are we going this time
President Trump is, by all accounts, a businessman and not a politician, so it’s not surprising that his inclination for managing security is to handle it in a business-like manner. In this regard, it’s no coincidence that his pick for security advisor is also a businessman and not a security subject matter expert. Many in the industry have expressed displeasure with Trump’s pick—Rudy Giuliani. A billionaire businessman most infamous for his swift and decisive actions in the 9/11 attack aftermath, Giuliani’s security “expertise” seems to be relegated to Giuliani Partners, a cybersecurity consulting firm with a now-defunct but previously vulnerability-riddled website. The security community had a field day when the appointment was announced earlier in January:
It’s not unexpected that Giuliani’s appointment was met with criticism from the security community. In the bigger picture, the jury is still out on how the administration, as a whole, will handle cybersecurity.
Ben Rothke, Senior eGRC Consultant at The Nettitude Group, says, “While neither [Trump] nor Giuliani are information security experts by any stretch of the imagination, both know quite well its value and how it’s critical to the security of every U.S. business and government agency. If the last years are any example, President Obama didn’t push anything that radically changed the way information security operates within corporate America.” In other words, despite the Presidential Policy Directives and formation of the National Cyber Incident Response Plan, we as an industry haven’t seen much actual progress on or help from the government in tactical terms. Trump promises sweeping changes in all areas of administration and policy, security included, but only time will tell.
Is this the 50’s, or 1999
As far as private industry is concerned, Rothke paints a more optimistic picture. He says, “The Republican party is generally pro-business and is often reticent to introduce legislation that would affect the bottom lines of those businesses.” However, he also points out that in the wake of the Edward Snowden revelations, U.S. technology sales dropped because foreign companies feared U.S. spying:
So while technology companies are forging ahead fighting the good fight, the government has been slowing forward progress.
All I wanted to do was play my guitar and sing
It is unlikely that tech companies, security providers especially, will be deterred; the industry is committed to developing new products that help with threat monitoring, detection, mitigation, eradication, forensics, and the like. No one seems to be hanging hopes on assistance from the government, though. At MISTI conferences, attendees frequently lament the lack of public-private sector collaboration as it pertains to threat intelligence sharing and tools, techniques, and processes (TTPs) for fighting our adversaries in the cyber realm. Sure, government agencies talk about wanting and needing that collaboration, but in most practitioners’ eyes, the sharing is unidirectional—and not in favor of private companies. Because of this, and because the government’s actions have had a negative impact on private enterprises in the past, it’s “wait and see” for many.
Rothke concurs, “I see the next four (and possibly eight) years filled with a lot of talk of the importance of security, but very few new government regulations and a significant increase in attacks and data breaches.” To sum it up, he adds that, “just as most people had no idea who Gregory Touhill was or what exactly he did, the next Federal Chief Information Security Officer will suffer the same fate.”
So take me away, I don’t mind
Tonight President Trump and his team celebrate and dance the night away at the Inaugural Balls. In the coming weeks, though, they will have to get down to brass tacks and start setting clear policies and strategies for handling the country’s most pressing problems, cybersecurity among them. Right now, we, without our dancing shoes on, can only speculate.
What do you think? Send InfoSec Insider your thoughts and we’ll update this post with ideas from around the industry.