November 25, 2016
President-Elect of the United States
Having faithfully served our nation for three decades as a cyber security leader in business, academia, and government, I believe it is my duty to offer advice on how your new Administration should address our accelerating national cyber risk. I hope you will take a moment to digest this message, because cyber security has the potential to define your Presidency, just as physical terrorism defined that of President George W. Bush.
Specifically, I believe that recent advances in offensive capability make it inevitable that significant, large-scale cyber attacks will be launched against our critical infrastructure during your time in office. These attacks will shift from the theft of intellectual property to destructive attacks aimed at disrupting our ability to live as free American citizens. I do not know of a single cyber security expert in our country who would disagree with this view.
Unfortunately, the capability to launch such cyber attacks is no longer limited to rich nation states. Instead, significant cyber offensive capabilities have now reached the hands of much smaller groups, including ones with no motivation other than to disrupt our country and way of life. As such, I believe your Administration must take immediate steps to shift the primary focus of our nation’s cyber security strategy from offensive hacking toward improved defensive posture.
To that end, I believe that the Trump Administration should issue Presidential Directives in the following three specific areas that I believe will improve our nation’s security posture by reducing cyber risk in a meaningful manner:
1. Direct that the NIST Framework shall be the only acceptable cyber security compliance standard in the United States. We have too many compliance frameworks and this diverts the attention of our nation’s cyber defenders from security operations to administrative paperwork. Demand that compliance be done properly, but that it be done only once using the NIST framework.
2. Direct that each government agency shall immediately implement a plan to reduce their dependence on an enterprise perimeter. When the first major cyber attack is launched against our country during your Administration, it will certainly exploit some weak existing perimeter, so this must be fixed at once. And if agency heads do not have the background to understand this issue, then you should replace them.
3. Direct that each government agency shall significantly expand their Cyber Corps program for young people interested in a cyber security career. Existing funds in this area pale in comparison to the billions of dollars offered to high school students each year in sports scholarships. Your Administration can change this equation, just as President John F. Kennedy did with the Peace Corps, by demanding an acceleration of college tuition programs in return for government service in cyber security.
These three actions will not remove the cyber security risk facing our country. But they can be accomplished from your desk without budgetary concerns, and they will significantly reduce our risk, especially in government. The only impediment that you will encounter along this path will be the dizzying assortment of competing, high tech cyber security proposals that will be presented to your team. My advice, based on a lifetime of experience, is to keep things simple. No one President can fix this entire problem during one Administration, but I have confidence that yours can and will make things better.
Dr. Edward G. Amoroso
Retired Senior Vice President and Chief Security Officer of AT&T; Elected 2010 AT&T Laboratories Fellow; Current CEO of TAG Cyber LLC; Member Board of Directors of M&T Bank, Senior Advisor to the Applied Physics Laboratory at Johns Hopkins University; Member of the NSA Advisory Board (NSAAB); Adjunct Computer Science Professor at the Stevens Institute of Technology; and Graduate Computer Science Instructor at New York University.