Cybersecurity Report for Trump Includes Benefits for Businesses


By George Lynch

Cybersecurity poses both a major risk mitigation challenge and a software development business opportunity for U.S. companies during the Trump administration, security analysts told Bloomberg BNA.

Companies should review the recommendations in the recent report by the Center for Strategic & International Studies (CSIS) Cyber Policy Task Force, even though it was created for President-elect Donald Trump, they said. In particular, companies should follow the report’s recommendation that they obtain cybersecurity insurance, and they may be able to leverage the report’s call for government incentives to adopt cybersecurity.

The task force, which included Sen. Sheldon Whitehouse (D-R.I.) and Rep. Michael McCaul (R-Texas), intended to articulate “practical steps for policy, resources and organization that the next Administration can use to build better cybersecurity.”

U.S. businesses face proliferating cybersecurity threats, so the next administration should incentivize “improvements in the general population of online actors through jawboning, tax policy, regulation, and investment,” the report said.

“The report highlights our vulnerability to a wide range of cyber threats—both in government and private industry,” Whitehouse told Bloomberg BNA Jan. 11. “Companies should prioritize cybersecurity to the CEO level, make sure data is well and frequently backed up, and operate on the principle that no computer is safe.”

Market Incentives

“The cybersecurity market has become a multibillion-dollar source for innovation and services to secure vulnerable networks,” the Jan. 4 report said.

There are a number of areas where the report recommends using incentives to boost the private marketplace.

“U.S. companies should take note of the policy recommendations for government to incentivize responsibility and accountability among the developers of software and devices that can put customers’ privacy at risk,” workplace communications company Slack Technologies Inc. Chief Security Officer Geoff Belknap told Bloomberg BNA Jan. 12.

One of those areas is bug bounty programs, where researchers are paid to find and disclose software vulnerabilities.

“Given the usefulness of these programs, the administration should focus on clarity and incentives to accelerate vulnerability discovery,” the report said, touting the benefits to the U.S. of a secure internet infrastructure and open source software.

Cybersecurity Insurance

Cybersecurity insurance is another area that could benefit from market incentives, the report said. However, the cybersecurity insurance market will take time to mature, the report said, comparing it to fire and auto insurance, which “took decades for price signals and incentives to play out.”

The importance of cybersecurity insurance is one of the central takeaways from the report for U.S. business, McCaul told Bloomberg BNA when discussing the report at a press event Jan. 11.

Brian White, chief operating officer of RedOwl Analytics LLC and senior associate at CSIS, told Bloomberg BNA Jan. 10 that efforts to figure out how to measure liability for cybersecurity insurance need to continue, and should provide policy discounts or other incentives for organizations that are taking appropriate precautions with their network security.

These incentives are crucial because companies and governments will need to rely on these products to improve their cybersecurity, which isn’t a core business function for most companies.

Managed Services Model

Shared services present both a solution for companies and governments that don’t have the resources or competencies to establish their own cybersecurity programs, and major business opportunities for companies that provide these services.

Organizations that don’t have cybersecurity as their core competency and don’t have enough qualified security personnel use third-party security services to fill security gaps, the report said.

White said that many organizations don’t need to hire full network operations and incident response teams to manage their networks, but can rely on this large market for off-the-shelf products.

“The recommendation on Shared Services and the Cloud, with an emphasis on security, could be a game changer for federal agencies,” Belknap said. “There’s a business opportunity to be sure but, more broadly, the chance to reflect on what services their technology teams are currently delivering, but might not be strategic and under-resourced in a way that puts them at risk.”

“Investing people or money into problems that are not core to your mission is rarely a path to success,” Belknap said.

One significant step companies can take is to use commercial cloud computing and managed service providers, White said. Continued distrust of cloud security is “more smoke and mirrors than reality,” and data is “likely to be more secure in an Amazon.com Inc. data center than a person data center,” he said.

Not Enough Security Pros

A “key challenge” for both U.S. business and government is improving the cybersecurity workforce, McCaul said.

“We don’t have the engineers in this country,” he said, adding that it’s also dangerous to hire foreigners for sensitive work, in critical infrastructure, for example, and that it’s difficult for the government to compete with the private sector for compensation in an area where demand far outstrips supply.

The report recommended that the next administration implement “an ambitious education and workforce model for cybersecurity.”

McCaul said he is very supportive of these efforts, citing the success of past cybersecurity training programs funded by Congress.

But it isn’t only cybersecurity professionals who would benefit from brushing up on these issues.

“Because an educated public is a democracy’s first line of defense, we do need to improve transparency and information-sharing about the cyber threats that exist,” Whitehouse said.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
