
US information security lobby group hopeful of reform under Trump

The Internet Security Alliance is hopeful that the Trump administration will take decisive action on shoring up US cyber security policy

The Internet Security Alliance (ISA), which lobbies for corporate security interests, has said it believes the Trump administration could be “very progressive” for cyber security policy.

Little progress has been made on the issue under the Obama administration, which has come under criticism for avoiding a show of force in cyber space against nation states targeting IT systems in the US.

“We are quite hopeful – based on their public statements on cyber, post-convention and pre-election – that a Trump administration will intensify some of the policy directions we have been advocating,” said Larry Clinton, president and CEO of the ISA, a non-profit trade association set up in 2001.

“Specifically, we are expecting a welcome increase in attention to cyber security as a criminal issue in addition to the traditional emphasis on critical infrastructure protection and military uses of cyber,” said Clinton.

According to the ISA, cyber crime is costing the US economy between $500bn and $1tn a year, but less than $5bn is being allocated for fighting cyber crime.

Although US president-elect Donald Trump has not said much on the issue of cyber security, according to his campaign website, he plans an “immediate review of all US cyber defences and vulnerabilities”.

As a result, the ISA said it expects the Trump administration to begin to correct the imbalance between the cost of cyber crime and the funding of efforts to combat it.

The ISA has long been critical of what it calls the “dysfunctional regulatory structure that has grown up in cyber security” and said it is hopeful that Trump will address this too.

“We now have an uncoordinated and weed-like regulatory structure at multiple layers of government that is burdening enterprises with redundant and inconsistent regulations,” said Clinton.

“Not only is this superstructure costly and inefficient, it is anti-security. We know we don’t have enough cyber experts and many of them are being pulled away from their security work to do regulatory compliance,” he said.


The ISA called for these regulations to be streamlined, which should include an empirical assessment of what regulations are actually improving cyber security, which are effective and which are cost effective.

“Once we know what elements are empirically cost effective, these will naturally be adopted without further mandates because they are cost effective,” said Clinton.

“We will likely also discover interventions that are necessary and effective, especially for critical infrastructure, but are cost prohibitive. These are the elements that ought to revive incentive programs as industry obviously cannot continually make uneconomic investments even for cyber security,” he said.

Clinton said he expects the Trump administration to verify this in the top-down review on cyber they have proposed and that it will then begin to address the issues either through legislation or executive order.

“I don’t know where in the panoply of initiative the new administration will undertake cyber, however we do think on these issues there is cause for optimism and ISA will be helpful in any way we can,” he said.

Cyber security recommendations

The ISA briefed the Republican National Committee on cyber policy at its convention in July 2016 and provided pre-publication editions of its book entitled Cyber Security Social Contract, which analyses cyber security needs on a sector by sector basis.

The book includes 106 recommendations for the incoming US Congress and Trump Administration on cyber policy, including a specific list of what can be accomplished in the first 100 days, during which the US is likely to face a cyber crisis, according to a recent report by research firm Forrester.

This crisis could be the result of hostile actions from another country or internal conflict over privacy and security legislation, according to Forrester analyst Amy DeMartine, lead author of Forrester’s 2017 Predictions report.

The new US president will face pressure from foreign entities looking to embarrass him early on as US government agencies jockey for position in the new administration, she said, according to CNBC.

The report predicts that cyber warfare between Russia and the US will escalate, and the US government will respond in 2017. However, the report was written before the election result was known, and that result could de-escalate tensions with Russia in light of president-elect Trump’s friendly stance on Russia.

International threats

However, Forrester predicts Chinese government hacking will continue in 2017, despite a joint agreement not to conduct cyber theft of intellectual property. It notes that the breach of the US Office of Personnel Management, which exposed the records of 21 million US government employees, has strained diplomatic relations between the US and China, which is believed to be behind the attack.

According to the report, knowledge of who has access to certain security clearance levels could enable attacks through internet-connected devices, and access to government employee healthcare records could expose people’s genetic markers or fingerprints.

Countries such as North Korea and Iran, the report said, have been building capabilities for offensive purposes and they are likely to try to hack public and private databases in search of data that can be used to manipulate the US political system and embarrass US organisations.

In 2017, the US will have to decide what information is protected by the United States Constitution and what information the government should have access to so it can protect US citizens, said DeMartine.

She also predicted that the government will have to intervene in the battle between government agencies seeking greater access to data and US companies pushing for greater privacy.

The worst-case scenario, she said, is that the new US president will have to deal with all of these internal and external cyber security-related crises in the first 100 days.
