Shortly before taking office, U.S. President Donald Trump promised to deliver a comprehensive plan to improve the nation’s cybersecurity within 90 days of his inauguration. Instead, three weeks after the 90-day mark, he signed a 3,070-word executive order focused on protecting government networks. It broke little new ground in fighting cybercrime.
Nearly a year later, Trump has still not released a comprehensive national cybersecurity policy, and pressure is growing on his administration to expand on his executive order. In August, Arizona Sen. John McCain, a Republican like Trump, accused his administration of “weak” leadership on cybersecurity. In October, members of the Senate Armed Services Committee complained that the United States does not have a clear policy for dealing with cyberattacks.
Then, on March 10, Sen. Mark Warner repeated his earlier calls for a national cybersecurity policy, saying the United States lacks a “coherent plan” to deal with cyberattacks and online disinformation campaigns.
Policymakers should consider imposing new legal liabilities on companies that fail to address software vulnerabilities adequately, Warner, a Virginia Democrat and vice chairman of the Senate Intelligence Committee, said during a panel discussion at the South by Southwest Interactive Festival in Austin, Texas.
“Software liability needs to be debated,” he said. Breached credit-monitoring firm Equifax “didn’t put a patch in place for six months. There should be a penalty…and it shouldn’t just be a slap on the wrist.”
Warner, sponsor of an Internet of Things security bill, also called on the federal government to use its massive software-purchasing power to drive up minimum security standards. Because the future of conflict is in cyberspace, he said, reallocating some of the U.S. military’s $639 billion annual budget from tanks and jet fighters to cyberdefense “would be worthy of debate.”
Cybersecurity experts agree that the United States needs a more in-depth cybersecurity policy—and that it has to be more than words on paper. They note that guidelines for making organizations more accountable already exist, including those from the U.S. National Institute of Standards and Technology, but breaches continue nearly unabated.
The U.S. government needs to shift away from words like “should” and “may”—and toward regulations that use words like “must” and “shall,” says Michael Magrath, director of global regulations and standards at mobile-security vendor Vasco Data Security.
“The federal government has the authority to do so because so many private-sector industries have their hands out for federal dollars,” Magrath says.
It also has the responsibility to protect its citizens from more than physical threats, he says. “We are now in a cyberwar, and U.S. citizens’ digital lives are under constant attack.”
Paul McGough, founder and CTO of Qwyit, a cybersecurity and telecommunications services vendor, agrees that the United States needs enforceable minimum security standards. When security lapses result in damages, “there needs to be restitution, just as it’s required for fraud or larceny,” he says.
The challenge for policymakers is to write rules that will apply to current and future cybersecurity problems, McGough adds. The regulations need to last “in the face of today’s rapid technological disruption, and it is imperative that the correct foresight be written into it.”
A national cybersecurity policy needs to include definitions, objectives, and penalties that will remain relevant beyond current security products and methods, he says. “These are sure to change, but the protections provided…never should.”
Some people are skeptical that the current administration is capable of passing—or willing to pass—strong cybersecurity regulations. Trump would likely oppose most new cybersecurity rules, given that cutting regulations was one of the centerpieces of his presidential campaign.
Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company, questions whether Congress can keep up with cyberthreats.
One of the reasons the U.S. government doesn’t have a national cybersecurity strategy is “the inability of Congress to move at the speed, and with the adaptability, that is so imperative when addressing cybersecurity issues,” he says. “Simply put, changes in technology and techniques happen so quickly that we just can’t keep up with them from a regulatory or policy-based perspective.”
In addition, one-size-fits-all regulations wouldn’t work for all industries and organizations, Wenzler says.
Instead, he says, the federal authorities should help create a mission statement “unifying both private- and public-sector entities into a shared view of the importance of securing our respective networks, systems, and data assets, while providing many options and ways to accomplish this, depending on the needs of the individual organizations.”