The next U.S. president will be saddled with a long list of cybersecurity challenges, from tracking and deterring hackers to parrying threats posed by the fast-growing "internet of things."
But whoever occupies the Oval Office next year would do well to recall the basics of good online hygiene and hold officials accountable for them, experts said yesterday at the seventh annual Billington CyberSecurity Summit in Washington, D.C.
"Over the last 18 months, we’ve responded to a number of high-profile incidents, and what we’re observing is a lot of these are basically the result of environments not implementing basic cybersecurity practices," said Donald Heckman, deputy chief of information assurance capabilities at the National Security Agency.
He estimated 80 percent of the data breaches NSA encountered could have been thwarted by simple measures such as security awareness programs or tougher company USB policies. "If we would just do the basics, I think we would prevent a lot of these intrusions."
President Obama is rushing to wrap up unfinished cyber business before the clock runs out on his second term. Presidential Policy Directive 41, issued in July, rallied agencies to prepare for "significant" cyber hazards and tasked outgoing administration officials to organize the federal response to a major attack, such as one targeting the power grid or wastewater systems. In February, Obama convened the President’s Commission on Enhancing National Cybersecurity, a 12-member body due to release recommendations for Obama and his successor later this year.
Despite these efforts, senior White House officials at yesterday’s conference acknowledged that plenty of work will remain for the 45th presidency.
"Clearly, the governance issues of how we organize are still going to be very relevant," Michael Daniel, special assistant to the president and cybersecurity coordinator at the White House, said on the sidelines of yesterday’s conference. "How does the government actually work and interact well with critical infrastructure to really raise the level of cybersecurity across the national economy? What does that partnership actually need?"
Daniel added that the next administration will also likely need to work on building "rules of the road" for acceptable behaviors in cyberspace, on a diplomatic level.
"We’ve positioned ourselves to have a good foundation, but there’s just a lot of work that needs to be done," he said.
Kiersten Todt, executive director of the President’s Commission on Enhancing National Cybersecurity, told conference attendees that her work "is not a victory lap toward the last eight years," but rather focused on the future.
She called attention to the lack of "clear lines of authority for the current threat environment," while cautioning that her comments did not reflect the views of the full commission.
In particular, she pointed to dangers from the internet of things, referring to the ubiquitous internet-connected devices cropping up in industries and environments where they never existed previously.
"It’s not that these [cyber] threats have become more sophisticated — it’s that we’ve created more opportunities for these threats to occur," she said.
"Arguably, we’ve had some pretty destructive cyber incidents and events that have happened, but they haven’t killed anybody yet," Todt said.
One such incident targeted Sony Pictures in late 2014. Hackers who were eventually traced back to the North Korean government broke into Sony’s networks, stole and leaked emails, and wiped out key company data.
The case generated millions in losses for the company and earned a rare public rebuke from the Obama administration, which later imposed added sanctions on the North Korean individuals said to be responsible for the hack.
John Scimone, senior vice president and global chief information security officer for Sony, declined to comment specifically on the 2014 incident and its aftermath but spoke to the need to prepare for a "destructive" cyberattack.
He said the "frustrating irony" of his talk at the cybersecurity summit yesterday was that most of his cyber recommendations did not go beyond basic risk-management practices, such as keeping backups of certain hardware on hand in case hackers wreak physical havoc.
"The simple truth is these are simple things that generally are not prioritized," he said of cyber best practices. "Unfortunately, it’s just not getting done."