By Melissa E. Hathaway
Senior Advisor with GP, President of Hathaway Global Strategies, LLC
[Mirrored from Bloomberg.com]
When Donald Trump takes the oath of office on Jan. 20, he'll face an urgent and growing threat: America's vulnerability to cyberattack. Some progress has been made in fortifying the nation's digital defenses. But the U.S. is still alarmingly exposed as it leaps into the digital age. If the 45th president wants to make America great again, he needs to address this growing insecurity.
Three areas -- energy, telecommunications and finance -- are especially vital and vulnerable. The government must commit itself to defending them. And it must recognize that the risks posed to all three are increasing as more and more parts of our lives are connected to the internet.
Start with energy. There is already malware prepositioned in our national power grid that could be used to create serious disruptions. It must be cleaned up. Last December, three of Ukraine's regional power-distribution centers were hit by cyberattacks that caused blackouts affecting at least 250,000 citizens. The U.S. is just as vulnerable, because the malware used in that attack is widespread and well placed here. It would be a federal emergency if any region or city were to lose power for an extended period, and it could easily happen -- taking down much of our critical infrastructure in the process.
The government historically has taken steps to ensure the availability of communications in an emergency (for instance, the 911 system). It should do the same for power. In particular, Trump should direct the Federal Emergency Management Agency to use the Homeland Security Grant Program to improve cyber resilience at state and local power facilities. These efforts must be focused on removing malware and fielding better defenses, beginning with the highest-risk facilities crucial to the centers of our economic and political power.
Next, protect telecommunications. The integrity of our telecommunications system is essential for the free flow of goods, services, data and capital. Yet the U.S. is home to the highest number of "botnets," command-and-control servers and computers infected by ransomware in the world. Compromised computers are being used to launch paralyzing distributed denial of service (or DDoS) attacks against a wide range of companies. In October, such an attack knocked numerous popular services offline, including PayPal, Twitter, the New York Times, Spotify and Airbnb. Thousands of citizens and businesses were affected.
To address this problem, the next president should start a national campaign to reduce the number of compromised computers plaguing our systems. This campaign should be managed like the Y2K program -- the largely successful effort, led by the White House in tandem with the private sector, to fix a widespread computer flaw in advance of the millennium. With the same sense of urgency, the government should require that internet service providers give early warning of new infections and help their customers find and fix vulnerabilities. Just as water suppliers use chlorine to kill bacteria and add fluoride to make our teeth stronger, ISPs should be the front line of defense.
Third, the U.S. must work with other countries to protect the global financial system. In recent years, financial institutions have experienced a wide range of malicious activity, ranging from DDoS attacks to breaches of their core networks, resulting in the loss of both money and personal information. In the past year, a number of breaches at major banks were caused by security weaknesses in the interbank messaging system known as SWIFT. The entire financial system is at risk until every connected institution uses better security, including tools to detect suspicious activities and hunt for the malicious software that enables our money to be silently stolen.
The U.S. should work with China and Germany -- the current and future leaders of the G-20 -- to deploy better cyberdefenses, use payment-pattern controls to identify suspicious behavior and introduce certification requirements for third-party vendors to limit illicit activity. The Treasury Department should work with its global partners and U.S. financial institutions to set metrics and measure progress toward improving the trustworthiness and security of the financial ecosystem.
All these problems, finally, may be exacerbated by the rise of the Internet of Things. As more and more devices are connected to the internet, it isn't always clear who's responsible for keeping them secure. Without better oversight, the Internet of Things will generate more botnets, command-and-control servers, and computers susceptible to ransomware. Flawed products will disrupt businesses, damage property and jeopardize lives. When medical devices can be subject to serious e-security flaws, and when vulnerable software in security cameras can be exploited to knock businesses off-line, government intervention is required.
Manufacturers, retailers and others selling services and products with embedded digital technology must be held legally accountable for the security flaws of their wares. We need to put an end to the "patch Tuesday" approach of fixing devices after they're widely dispersed. A better approach is an Internet Underwriters Laboratory, akin to the product-testing and certification system used for electrical appliances. Such a system could help ensure that internet-connected devices meet a minimum level of security before they're released into the marketplace.
Trump should make it clear in his first budget proposal that these four steps are vital priorities. The digital timer on our national security is ticking.