Leigh Nakanishi, lead of Edelman's Global Security & Privacy Group, has spent considerable time assessing what the Trump Presidency and a new administration portend for cybersecurity. The risks and challenges are manifest on a variety of important fronts:
Of the many policy priorities for the Trump administration, how it tackles the cybersecurity and data privacy challenges facing the country will have a significant impact on the economy, national security and civil liberties. From the escalating hacking episodes by nation-states and calls to develop significant offensive cybersecurity capabilities, to combating cybercrime and improving critical infrastructure protection, there is no shortage of challenges facing the new administration.
In his press conference as president-elect, Trump announced he will release a report in the next 90 days outlining the administration's approach to cybersecurity, and he is set to make good on that promise with an executive order aimed at reviewing current vulnerabilities in Federal systems and devising plans to defend critical infrastructure. Like several other major policy issues presented by the administration, it's unclear how detailed the report and approach will be. However, one thing is clear: it will inevitably involve collaboration with the private sector through his new cybersecurity advisor, Rudy Giuliani.
Importantly, this new environment will present potential challenges for businesses, but also potential opportunities to build common ground with the new administration. The following are major security and privacy areas where we are likely to see developments that companies will need to navigate:
Hardening the Federal Government and Business from Attacks
President Trump has said time and again that he believes the United States is "being hacked by everybody," citing the loss of millions of records by the Office of Personnel Management and a recent report that found federal agencies are less secure than every other private sector industry. It's likely that hardening the Federal government and critical infrastructure from attacks will be part of Trump's plan and an area where he will seek advice from the private sector.
For businesses with significant amounts of data, technology companies and those developing security solutions, President Trump's focus on engaging the private sector could provide an opportunity for industry experts to offer insight into the major challenges (technical, operational, etc.) that exist in protecting both the private and public sector from attacks.
This attention is likely to also bring risk for businesses. If there is a breach of US government systems, it will be viewed as a major failure, and the technology behind it will be at risk of receiving significant scrutiny from the President. Likewise, companies that are victims of big consumer breaches risk criticism for failing to protect Americans.
• Companies with security expertise should consider engaging the Administration on this issue to build goodwill, share best practices, and ensure that any policies that get developed are effective.
• The private sector also has an opportunity to share in the chorus helping educate the public on the current threat environment; this responsibility shouldn't only fall on the shoulders of the Government.
• It's also important for all companies to have security incident response plans which are effectively communicated to employees and their business partners to ensure they are properly managing a major incident and are less likely to get in Trump's crosshairs.
Cybersecurity as a National Security Priority
With revelations of Russian hacking aimed at disrupting the presidential election, it's clear that we are likely to see more international conflicts taking place in cyberspace. The Trump administration has already indicated it will invest in offensive cyberweapons and will not shy away from using them, either as a deterrent or as a response to an attack. And, with no clear rules of engagement for the use of cyber-capabilities, a disproportionate response is much more likely than with traditional conflicts.
While intelligence agencies and the Department of Defense have greatly increased their capabilities to gather intelligence on foreign nation-state attacks, security companies also have strong capabilities in this space. It's possible that this new focus could lead to greater opportunities for threat intelligence sharing and a greater role for the private sector to play in helping shape the administration's strategy moving forward.
At the same time, this new environment will create increased risk for companies. As evidenced by previous attacks on Sony Pictures and many critical infrastructure providers over the past few years, it's possible that businesses will be caught in the middle and end up victims of advanced attacks due to an international cyber-conflict.
• The need for collective defense against threats facing both the government and private sector provides an opportunity for companies to revisit their stance on intelligence sharing. This could include pushing for new legislation to protect companies that share information from legal liability.
Collective Action Against Cybercrime and Consumer Fraud
Trump is viewed as a law and order President. In addition to bolstering cyber-related funding and establishing new areas of focus within the Federal Government, one area where he may be able to gain some traction is by taking more aggressive action against cybercriminals. Recently, the FBI took down a major international crime ring with the assistance of the private sector. Presumably these types of actions will continue to be a focus for federal law enforcement and could provide positive examples that Trump can cite to show he is successfully tackling cybersecurity.
Most of these actions require close collaboration with the private sector, which often has the intelligence and technical capability necessary to assist law enforcement. This creates another area for potential bridge-building and collaboration with the new administration.
• Companies targeted by attacks, those that experienced major security incidents, or those with intelligence about cybercriminal networks should ensure they are closely working with the FBI and other federal law enforcement agencies.
Privacy and Security at Odds
President Trump's focus on national security will likely lead to increased concerns around data privacy for citizens and foreign consumers. Following the fight last year between Apple and the FBI over the use of encryption to protect communications on the iPhone used by the San Bernardino shooter, we are likely to see more companies asked to compromise the security of their products in the interest of national security. It's also possible we will see more companies receive requests from the government for information they have on their consumers to aid in intelligence gathering.
Ultimately, this new approach will lead to significant scrutiny of companies by the privacy advocacy community, foreign data protection regulators and media. It will also lead to potential challenges for companies that do business abroad, where international governments are very sensitive to the potential exposure of information about their citizens to the US government. This tension has already presented significant headaches for US companies looking to collect and use data on European citizens.
• All companies should ensure they have a documented strategy and supporting messaging that explains under which circumstances they will provide information to the government.
• If a company develops communications technologies, it will be important that it proactively communicates about the danger of intentionally introducing vulnerabilities in its products, and the impact it can have on security.
While it remains to be seen how these issues will play out over the course of Trump's time in office, it's clearly an area that all businesses need to consider as part of their engagement with the new administration.