Stringent Cyber Policy Under a Trump Administration?

Over the final years of the Obama administration, cybersecurity became a top priority of government agencies.  Massive compromises of citizen data, most recently at the Office of Personnel Management (OPM), have propelled the issue to the forefront of discussions to reshape government.  After campaigning on a robust response to cybersecurity, what will the Trump administration do to improve the cyber resilience of government institutions?

From 2014 to 2015, OPM announced that there were major breaches of government databases that impacted over 22 million current and former federal employees.  An initial hack, made sometime in early 2014, was not initially reported to the public and was only revealed by a New York Times article in July 2014.  It was suspected that the breach impacted nearly 400,000 current and former federal employees and may have been caused by stolen keycards.

A second breach, believed to have begun in December 2014, was not revealed to the public until June 2015 when OPM reported that 4 million current and former federal employees had their personal information compromised.  Within the next few months FBI Director James Comey estimated that an additional breach of data impacted 18 million individuals, and an OPM investigation fixed this number at 19.7 million individuals.

 

The Obama Administration’s Response

An audit released by the Inspector General for OPM highlighted the IT security management system and high turnover of information security officers as two key concerns in the agency’s cybersecurity role.  Additionally, the audit found many of the investigative service technology systems used by OPM were past due for security checkups.  While OPM’s Federal Investigative Service, which conducts civilian background checks, remains within the agency, it is now secured by the Department of Defense and is now the National Background Investigation Bureau.

 

In December, the Obama administration’s Commission on Enhancing National Cybersecurity released a comprehensive report on Securing and Growing the Digital Economy.  Among several recommendations, the Commission suggested a national cybersecurity public-private program as a forum to address cyber concerns, and that all agencies that interface with the public use strong authentication software.  Additionally, they set forth several workforce planning initiatives to attract 100,000 new cybersecurity practitioners by 2020, and a motion to move federal agencies into a management approach based on enterprise risk management to better adapt to challenges and design better solutions.

 

The Commission’s report noted however that the Obama administration was mostly powerless to implement any of these recommendations, as they were released with a little over two months left before Trump took office.  This highlights the approach that has been taken toward cyber reform within the past few years, which has been mostly through executive memorandum or orders and little legislation.  One of those few pieces of legislation was the Cybersecurity Information Sharing Act of 2015, which gave private companies the legal protection to share information with government to help protect consumers.

 

The Trump Administration’s Approach

The Trump administration can change course from the previous administration by undoing or overturning executive orders or memorandums on cyber initiatives.  However, efforts on the congressional front are already showing that cybersecurity efforts are a top priority for the 115th Congress.  The National Defense Authorization Act (NDAA), passed by Congress before their final recess in 2016, includes several provisions for workforce planning that focus on attracting top cyber talent to the Department of Defense.  Congressional action on this front adheres to the belief that the best way to remain on the forefront with cyber resilience is to hire the best talent.  

 

According to President Trump’s platform, there will be a comprehensive review of all cyber defenses within the country and continued work across all levels of government to respond to cyber incidents.  Additionally, there will be a push for ‘offensive’ cyber warfare in response to the attacks and government system compromises within previous years.  The proposals given in Trump’s platform are more broad strokes, and may not reflect what next steps will be taken.

 

After the San Bernardino shooting, Trump called for a boycott of Apple products when the company signaled that it wouldn’t assist the FBI in breaking into the iPhone of the shooters.  According to some security and privacy experts, calling on a private company to give its secure communications over to government so easily is an area of concern.  While the cooperation of private companies with government falls in line with Obama cybersecurity recommendations, the encryption of consumer data by private companies is a level of protection that many feel is necessary given the frequent cyber breaches in the U.S.  Trump’s comments suggest that the new administration may be more willing to compel private companies to cooperate with federal investigations on data breaches, which can be helpful in better understanding attacks and preventing future compromises of data.

 

Beyond the President, what will top policymakers in the new administration do with cyber reform? Of the appointments announced so far, Trump’s pick for Attorney General, Senator Jeff Sessions (R-AL), provides some insight into what cyber could resemble under the next administration.  As a member of the Senate Judiciary Committee, Sessions also stood in solidarity with the FBI over its battle with Apple over encryption.  He also supports greater power for the NSA and other surveillance agencies that may limit civil protections, and an amendment he proposed for the Email Privacy Act would have allowed government officials to demand data from tech companies without a warrant in emergency situations.

Fewer privacy protections in place and stringent requirements for companies to share data with government entities resemble a cyber environment that caters less to consumer protections and more to security concerns. However, the sharing of data between private and public entities, while mandatory, may improve the government’s response to cyber attacks in the new administration.

Image source: New America

G-7 Cybersecurity Accord Aims to Protect Financial Institutions

The Group of Seven (G-7) leaders recently agreed on a set of guidelines to better protect global financial institutions from cyberattacks.  This non-binding accord recognizes the recent pervasive cyberattacks that have hit accounts of major institutions, including the U.S. Federal Reserve.  While the accord signals attention to this international problem, does it really have the ability to better secure the financial integrity of institutions?  Will a new administration seek to pursue cybersecurity through a multinational lens, or will it seek a unilateral approach?

Cyber Policy So Far

Congress passed the Cybersecurity Information Sharing Act of 2015 to make it easier for private companies to share cyber threat information with each other and also with government entities.  The Obama Administration built on the legislation by setting forth a Cybersecurity National Action Plan (CNAP), calling for more funding to modernize government IT systems and place Federal Chief Information Security Officers to implement these changes in agencies across government.  CNAP also partnered with large private companies, like Google, Microsoft, and MasterCard to make it easier for their customers to have more secure accounts and data security.

Cybersecurity is a crucial concern not only for public and private entities, but also for consumers.  Executive Order 13681, ‘to improve the security of consumer financial transactions’ is a 2014 example of an effort to secure government payments, federal transactions online, and better find the perpetrators of theft from financial cybercrimes.  In both its 2015 and 2016 annual reports, the U.S. Financial Stability Oversight Council (FSOC) highlighted cybersecurity as a top priority for agencies to better protect consumer information and the entire financial system.

This past summer, the Administration released a Presidential Policy Directive (PPD) on U.S. Cyber Incident Coordination, to better differentiate significant cyber incidents, categorize government efforts, designate lead agencies to specific categories, and ensure a consistent response with national preparedness.

An Integrated Problem

Attention toward cybersecurity has spiked in the previous weeks with malicious attacks on the internet infrastructure.  On Friday, October 21, a massive internet outage was brought on by requests from millions of IP addresses that disrupted the internet directory services at least three times throughout the day.  The same problem of permeability is an issue for the international financial system.  Prior to the announcement of the G-7 Accord, hackers used the closed communication system that central banks use to send false money transfer requests to the Federal Reserve Bank of New York.  The requests were to move money out of the Bangladesh Bank’s accounts and into ones set up by the hackers, which led to an estimated $81 million in stolen assets.

What does a G-7 Accord do?

The G-7 nations are a group of industrialized democracies that meet to discuss global economic governance, energy, and international security.  Formerly the G-8, the nations include the U.S., Japan, Canada, France, Germany, Italy and the U.K., with Russia removed from the group after its annexation of Crimea.  An accord from the group spells out a common doctrine that all member states will adopt as a baseline for their own national policies or legislation to work off of.

The G-7 Fundamental Elements of Cybersecurity for the Financial Sector breaks down the high-level fundamental pieces of cybersecurity into eight elements:

  • a cybersecurity strategy and framework informed by national, international and financial industry standards that would respond to specific attacks;
  • governance structures for clear reporting lines, as well as cyber risk tolerance policies for regulatory or oversight bodies;
  • identify activities and services that have cyber risk, identify controls to protect and manage the risks;
  • establish effective monitoring processes, whether on-site, supervisory, or even through joint public-private exercises;
  • establish timely containment, notification, and coordination of cyber incidents and response activities;
  • ensure quick recovery of operations once stability is regained;
  • allow safe information sharing among entities to share insights; and
  • allow for continuous review and learning.

While broad, the Accord does already match current U.S. efforts in cybersecurity especially with the recent Presidential Policy Directive and the 2015 Cybersecurity Act.  Bringing all member nations under a similar rules regime could make it easier for non-affiliated and even state-sponsored hackers to be tracked and thwarted when engaging in major cyber incidents.  As the Accord reads,

“Public authorities within and across jurisdictions can use the elements as well to guide their public policy, regulatory, and supervisory efforts. Working together, informed by these elements, private and public entities and public authorities can help bolster the overall cybersecurity and resiliency of the international financial system.”

As a non-binding accord, the guidelines have little authority to completely guide the national priorities of the G-7 nations.  While representatives from the nations have agreed to these broad strokes in policy, the entire web of international cybersecurity can succumb to the adage that “a chain is only as strong as its weakest link.”  When major financial institutions and central banks interact with entities in each of these nations, there are plenty of opportunities for hackers to take advantage of less strenuous cyber policy.  With no concrete mandate for each member to fully comply, there can be little guarantee that a G-7 Accord can protect international financial systems from a cyberattack.

What happens under the next Administration?

Trump’s proposal calls for an immediate review of all cyber defenses and the development of protocols and cyber awareness for government employees.  Like the Obama Administration’s protocols, Trump calls for joint task forces throughout the U.S. to coordinate cyber threats and make recommendations to U.S. Cyber Command for offensive and defensive cyber tasks.  He also calls for the development of offensive cyber capabilities to respond to independent and state actors.

While executive actions can guide how agencies implement policy, only Congress can appropriate funding toward cyber initiatives to address the G-7 elements.  International coordination in this arena can help guide the administration, but in no way does this dictate national policy or direct legislative or executive action.  Instead, the G-7 Accord can only guide the Administration in its quest for effective cyber policy to protect financial institutions, meaning it packs less of a punch than it would appear.

From their proposals, it seems that cybersecurity will continue to be a top priority across the federal government under a Trump administration.  Since both proposals fall within the eight elements set forth in the G-7 Accord, Trump would be poised to continue and even exceed the guidance set forth by the industrial powers.  Despite these ongoing efforts, the cyber infrastructure linking the global financial system remains at risk to the independent actions of highly skilled hackers.

Image source: The Hill

President Obama’s Plan to Expand Computer Science in the Classroom

In President Obama’s final budget released last month, he asked for $4 billion over 3 years to develop the next generation of computer science and technology professionals. The President’s Computer Science for All plan aims to equip students with the skills needed to compete in the global economy by allocating $100 million for a competitive grant program that would expand computer science classes in school districts across the country. This expansion would be specifically targeted to girls and minority students, who until now have had less access to computer science classes and the leg up they provide in the job market. In the words of the President, “In the new economy, computer science isn’t an optional skill — it’s a basic skill, right along with the three ‘R’s’. ”

The need for computer science continues to increase. Over 600,000 tech jobs were available last year throughout the country, and a projected 51 percent of all STEM jobs will be in computer science (CS)-related fields by 2018. As computer science continues to expand, two-thirds of tech jobs are based in non-tech fields such as transportation, healthcare, education and financial services. Currently, the federal government needs an additional 10,000 IT and cybersecurity professionals, and the private sector needs many more.

Computer science doesn’t count towards graduation, leaves out girls and minorities

Currently, only 25 percent of K-12 schools offer computer science according to the White House, and only 28 states allow these courses to count toward graduation. In 2015, less than 15 percent of high schools offered AP computer science, and the demographics of the students were not representative of the student population, consisting of just 22 percent girls and 13 percent black or Latino. In other developed countries such as England, computer science is offered from the ages of 5 to 16. If we want to compete globally, we need to offer our students the same opportunities.

That’s why the Computer Science for All plan is the largest federal effort to expand this learning opportunity and has asked tech companies and philanthropists to support the initiative. This administration will allocate $135 million in existing funds (mostly from the National Science Foundation and the Corporation for National and Community Service) to help train teachers and develop lesson plans for the next 5 years [1]. The budget has already factored in $5 billion in savings over the next 10 years that the Federal Communications Commission can generate from charging spectrum license user fees and auctioning satellite services.

Computer science teaches students to solve problems

Computer science is not only an increasingly important skill, it also gives students the opportunity to work hands-on, in real-world interactions with math, science and engineering, making consumers into producers of the digital economy, according to the White House. Lisa Singh, an associate professor of Georgetown University, argues that working with computers helps students develop “algorithmic thinking”, the opportunity to break down problems into a series of steps using theoretical knowledge. She believes that both the theoretical knowledge and the ability to code are essential “because if you don’t understand that, the fact that you can code something up, it doesn’t have the same meaning to you. You’re not thinking about that problem the same way.”

The President’s Proposal Requires Action from Congress

Whether Congress decides to fund the expansion of computer science in our schools remains to be seen.

This is particularly true this year, given that the Republican chairmen of the Senate and House budget committees, Senator Michael B. Enzi and Representative Tom Price, respectively, have yet to invite Shaun Donovan, the director of the Office of Management and Budget, to testify on the President’s final budget plan [2]. As Republicans continue to try to develop a budget this year, and while others seek lower spending levels in an attempt to reduce the deficit, it becomes less likely that any of the President’s plans will be considered.

What we do know is that more than 9 out of 10 surveyed want their children’s school to teach computer science. The Every Student Succeeds Act (ESSA) signed in December 2015 gives states and districts the opportunity to offer computer science. States such as Delaware, Hawaii and over 30 school districts have already committed to expand computer science. In the past 3 years, 17 states have allowed for computer science to count toward graduation, and more states are also working on expanding CS curriculum into elementary and middle schools.

The Computer Science for All plan builds on the President’s previous commitments to expand STEM opportunities through the White House Science Fair and the Educate to Innovate initiative. These efforts have helped a total of 50,000 new STEM teachers get training, leading to $1 billion in private sector investment for STEM education and expanded opportunities for underrepresented students in STEM [3]. The President’s TechHire and ConnectED initiatives have resulted in over 500 employers partnering in 35 cities, states and rural areas to expand access to tech jobs, causing the digital divide to be cut in half since 2013. Organizations such as the National Science Foundation, the Corporation for National and Community Service, the National Math and Science Initiative, the Department of Defense, and the Department of Education are working together to train teachers and develop lesson plans.

As a country, we are struggling to provide all students the skills they need to compete in the global economy. While Obama is the first President to write a line of code, if Congress does not fund his proposal, many students will not have the opportunity to develop the skills for today’s technologically advanced job market.

 

Sources:
[1] Washington Post https://www.washingtonpost.com/local/education/obama-outlines-4-billion-computer-science-for-all-education-plan/2016/01/29/3ad40da2-c6d9-11e5-9693-933a4d31bcc8_story.html
[2] The New York Times http://www.nytimes.com/politics/first-draft/2016/02/08/congress-declines-to-hear-obamas-budget-proposal-in-person/
[3] The White House https://www.whitehouse.gov/the-press-office/2016/01/30/fact-sheet-president-obama-announces-computer-science-all-initiative-0
Image source: AP/Jacquelyn Martin

Connectivity Error: The Access Gap in Broadband Internet

As part of her campaign infrastructure plan, Democratic presidential front-runner Hillary Clinton called for connecting 100 percent of households by 2020 with affordable, high-speed internet access. Her proposal highlights a gap in broadband internet access within lower income and rural communities, and seeks to eradicate it through affordable solutions and investment in free Wi-Fi for public spaces. Current federal agency programs and partnerships with private companies have also attempted to bridge this gap; however, the U.S. is 23rd in the world for best broadband access. Despite these shortcomings, alternative solutions at the state and local level have given new hope to the possibility of bridging the internet access gap, and as a result, fulfilling Clinton’s campaign proposal.

According to a January 2015 White House report, the access gap refers to the nearly 51 million Americans that cannot purchase wired broadband connection with speeds up to 25 megabits per second (Mbps). The report also highlights that 63% of these 51 million Americans have access to speeds of 100Mbps[1] or greater with available internet broadband, the speed at which the Department of Education says is the baseline to support 21st century digital learning. At a recent Brookings Institution event which highlighted the internet access gap, scholars noted that the federal government plays a vital role in removing these barriers to access and affordability which often compound disparities in education and wealth throughout the country. Many efforts at the federal agency level have sought to address these barriers, including Administration programs and massive funding distributed as a result of the American Recovery and Reinvestment Act (ARRA).

ConnectHome, an Obama administration initiative launched by the Department of Housing and Urban Development (HUD), seeks to build public-private partnerships between internet service providers and businesses to provide computer training and technical support.  Additionally, the program encourages education groups to offer services for students and young adults looking to engage in SAT prep courses or job training. Thus far, the program is active across 28 communities, including one tribal nation, reaching a total of 275,000 homes in public housing.

Within the Department of Commerce, the National Technology and Information Administration (NTIA) manages different programs to expand access to and quality of internet connectivity. For example, BroadbandUSA works with key stakeholders to provide technical assistance and improve quality. When Congress passed the American Recovery and Reinvestment Act in 2009 (ARRA), several new programs sought to expand broadband to particular areas, including the Rural Utility Service’s Broadband Initiatives Program and Broadband Technology Opportunity Program within the Commerce Department.

Despite this progress, not all agency programs have been as successful. Last summer, Politico reported the Rural Utility Services’ mismanagement of nearly $277 million in ARRA funding intended for broadband access to rural communities. Of the 192 different projects that relied on this funding, 42 projects (totaling $300 million) were never started. Additionally, the program has to date only impacted several hundred thousand residents, a serious shortcoming from the 7 million residents originally projected to benefit from the funding.

While federal programs have been able to deliver broadband internet, state and local efforts have also been somewhat successful in their drive to expand broadband internet access. For example, municipal broadband provided by local governments has the ability to connect underserved communities while competing with private providers to drive prices down and increase the quality of service. In one such instance, the Vermont Telecommunications Authority (VTA) launched a $100 million project to provide grants for infrastructure projects in underserved areas for commercial, residential, and community institutions. The VTA was able to lease services to different internet service providers that would meet their stringent requirements.

Chattanooga, Tennessee provided a successful public solution to the internet access gap based on speed of service. The city recently began offering 10 gigabit[2] broadband speeds to 170,000 customers within the urban area, beating the speed of the local competition, a 2 gigabit-speed Comcast service. Similar high-speed services have been offered to smaller populations in Salisbury, North Carolina and Springfield, Vermont, where faster speeds benefit local businesses, households, and schools.

Public intervention into the broadband service sector has been met with hostility from several private companies that claim an interference with the free market system. Providers fearful of losing their market share have already taken action to prevent public involvement in their business. From a policy perspective, a delicate balance should be struck between business growth and the government’s ability to provide services for everyone.

Broadband for All: A Way Forward

In particular, two pieces of legislation introduced last year might provide an interesting solution to this problem. First, the ‘Federal Spectrum Incentive Act’ would give the FCC tools to make more electromagnetic spectrum available for auction from federal agencies. As the single largest user of spectrum, auctioning within the federal government could greatly assist private companies which are looking to carve out a greater market share and expand their business.

Second, the ‘Broadband Community Act of 2015’ could protect local and municipal governments by providing broadband services to individuals or businesses. Maintaining the government as a possible competitor will force larger providers to consider lowering prices or improving service to remain in business. If passed, this legislation would greatly assist needy communities that are often neglected by larger providers.

A lack of broadband internet access can stifle education, the economy, and the competitiveness of the U.S. labor force. Expanding broadband access to underserved areas continues to be the sole objective of several federal agencies, dozens of grant programs, and even public services at the municipal level.  To improve these efforts, policymakers should pass legislation both to maintain the government’s ability to service neglected areas and to encourage the sale of unused spectrum to private companies that can turn it into broadband for consumer use. A comprehensive, long-term solution requires the interplay of private business’ innovation with the government’s resources and its all-encompassing mandate. This dual approach could be the key to meeting the goal of 100 percent household access by 2020.

[1] For comparison’s sake EagleSecure operates at speeds of 100-150 Mbps, which many complain is still too lethargic.

[2] 1 gigabit = 1,000 Mbps.

Image source: Shutterstock