By George Lynch
Cybersecurity poses both a major risk mitigation challenge and a software development business opportunity for U.S. companies during the Trump administration, security analysts told Bloomberg BNA.
Companies should review the recommendations in the recent report by the Center for Strategic & International Studies (CSIS) Cyber Policy Task Force, despite the fact it was created for President-elect Donald Trump, they said. In particular, companies should follow the report’s recommendation that they obtain cybersecurity insurance and may be able to leverage the report’s call for government incentives to adopt cybersecurity.
The task force, which included Sen. Sheldon Whitehouse (D-R.I.) and Rep. Michael McCaul (R-Texas), intended to articulate “practical steps for policy, resources and organization that the next Administration can use to build better cybersecurity.”
U.S. businesses face proliferating cybersecurity threats, so the next administration should incentivize “improvements in the general population of online actors through jawboning, tax policy, regulation, and investment,” the report said.
“The report highlights our vulnerability to a wide range of cyber threats—both in government and private industry,” Whitehouse told Bloomberg BNA Jan. 11. “Companies should prioritize cybersecurity to the CEO level, make sure data is well and frequently backed up, and operate on the principle that no computer is safe.”
“The cybersecurity market has become a multibillion-dollar source for innovation and services to secure vulnerable networks,” the Jan. 4 report said.
There are a number of areas where the report recommends using incentives to boost the private marketplace.
“U.S. companies should take note of the policy recommendations for government to incentivize responsibility and accountability among the developers of software and devices that can put customers’ privacy at risk,” workplace communications company Slack Technologies Inc. Chief Security Officer Geoff Belknap told Bloomberg BNA Jan. 12.
One of those areas is bug bounty programs, where researchers are paid to find and disclose software vulnerabilities.
“Given the usefulness of these programs, the administration should focus on clarity and incentives to accelerate vulnerability discovery,” the report said, touting the benefits to the U.S. of a secure internet infrastructure and open source software.
Cybersecurity insurance is another area that could benefit from market incentives, the report said. However, the cybersecurity insurance market will take time to mature, the report said, comparing it to fire and auto insurance, which “took decades for price signals and incentives to play out.”
The importance of cybersecurity insurance is one of the central takeaways from the report for U.S. business, McCaul told Bloomberg BNA when discussing the report at a press event Jan. 11.
Brian White, chief operating officer of RedOwl Analytics LLC and senior associate at CSIS, told Bloomberg BNA Jan. 10 that efforts to figure out how to measure liability for cybersecurity insurance need to continue and to provide policy discounts or other incentives for organizations that are taking appropriate precautions with their network security.
These incentives are crucial because companies and governments will need to rely on these products to improve their cybersecurity, which isn’t a core business function for most companies.
Shared services present both a solution for companies and governments that don’t have the resources or competencies to establish their own cybersecurity programs, and major business opportunities for companies that provide these services.
Organizations that don’t have cybersecurity as their core competency and don’t have enough qualified security personnel use third-party security services to fill security gaps, the report said.
White said that many organizations don’t need to hire full network operations and incident response teams to manage their networks, but can rely on this large market for off-the-shelf products.
“The recommendation on Shared Services and the Cloud, with an emphasis on security, could be a game changer for federal agencies,” Belknap said. “There’s a business opportunity to be sure but, more broadly, the chance to reflect on what services their technology teams are currently delivering, but might not be strategic and under-resourced in a way that puts them at risk.”
“Investing people or money into problems that are not core to your mission is rarely a path to success,” Belknap said.
A significant step that companies can take is to take advantage of commercial cloud computing and managed service providers, White said. Continued distrust of cloud security is “more smoke and mirrors than reality,” and data is “likely to be more secure in an Amazon.com Inc. data center than a person data center,” he said.
A “key challenge” for both U.S. business and government is improving the cybersecurity workforce, McCaul said.
“We don’t have the engineers in this country,” he said, adding that it’s also dangerous to hire foreigners for sensitive work, in critical infrastructure, for example, and that it’s difficult for the government to compete with the private sector for compensation in an area where demand far outstrips supply.
The report recommended that the next administration implement “an ambitious education and workforce model for cybersecurity.”
McCaul said he is very supportive of these efforts, citing the success of past cybersecurity training programs funded by Congress.
But it isn’t only cybersecurity professionals who would benefit from brushing up on these issues.
“Because an educated public is a democracy’s first line of defense, we do need to improve transparency and information-sharing about the cyber threats that exist,” Whitehouse said.
To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com
To contact the editor responsible for this story: Donald Aplin at email@example.com
The full CSIS Cyber Task Force report can be found at https://csis-prod.s3.amazonaws.com/s3fs-public/publication/170110_Lewis_CyberRecommendationsNextAdministration_Web.pdf.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.