Never before has US cybersecurity taken such a front row seat as in this election year. The topic came up during the presidential debates and has gotten a lot of attention over the last several weeks. Neither candidate has expressed a well-defined strategy for handling the problem, despite how big the topic has been in the campaigns.
As a result of the DNC hack and the Office of Personnel Management breach, the public is questioning the US government’s ability to keep private data secure. Seeing sensitive data like that exposed is never a good thing; the silver lining is that it will likely raise awareness about how vulnerable our systems are and hopefully encourage people to invest resources into making sure it doesn’t happen again.
It is becoming clear that security breaches are increasingly conducted by nation-states. The fact that Russia was likely involved in the data breach in the lead up to the election has created an air of urgency. We can’t have foreign governments affecting elections to influence the balance of power. There’s already an increasing lack of trust in government as illustrated by the emerging populist movements on the left and right. Citizens need to trust the democratic process, and they need to trust the government to keep them safe. If people think they can’t trust the political process itself, the push for change for the sake of change will only grow. This is a real cybersecurity problem, and it’s a perception problem. Both need to be fixed.
I’ve been thinking a lot about this as I’ve invested in a number of startups that help companies keep their data and systems safe from attackers and cyber threats. I know what a big problem this is for companies of all shapes and sizes. The government can learn a lot of lessons from — and model its approaches on — Silicon Valley companeis. Here’s my view on what the next administration should do to address the cybersecurity problem and improve public trust:
1. Direct more money and resources to cyber defense. The Department of Defense budget is close to $600 billion a year, while the cyber portion for next year is budgeted at $6.7 billion, or just 1.12 percent of the total. The risks from cyber are not only growing exponentially, but they are increasingly shifting online. So too should our defense strategy, particularly when we are seeing cyber probing of state election systems in attacks that — even if they don’t directly impact elections — could affect voter confidence.
Officials are also seeing critical infrastructure being targeted in attacks, including financial institutions, a dam, and water systems, among others in the US. Stuxnet was not a one-off event. Earlier this year a German power plant got hacked, and cyber criminals attempted to disrupt a parliamentary election in Montenegro this month. As the nature of war and threats has changed, we haven’t shifted the allocation of resources to deal with the growing cyber risk, but we need to. This requires a shift in how we think about risk, threats, and defense.
2. Borrow innovation and ideas from startups. The government needs an injection of cybersecurity urgency, technology and innovation, much like Healthcare.gov got. Silicon Valley startups tend to operate on accelerated life cycles, with agile and speedy devops, while tech adoption moves incredibly slowly in government. Startups like AirBnB, Lyft, and TaskRabbit are disrupting established industries, while Google, Apple, Slack, and others are creating mobile, cloud, and other technologies that are helping organizations around the world grow faster and offer more customer services than ever before. Officials recently created a U.S. Digital Services, Defense Digital Service, and appointed the U.S. government’s first CISO. It’s a good start, but we can’t stop there. We need to act now.
3. Adopt a more open and collaborative approach to solving important problems like cybersecurity. Hillary Clinton has backed bug bounty programs like the plan the Department of Defense recently announced, and there are various information-sharing programs, but none seem to have been very impactful to date. As we learned with the 9/11 attacks, vital national security information is often siloed within different departments and agencies, a problem that continues to today. Sharing threat information across agencies and with outside, private companies and other groups can help everyone stay safer.
As the gap between the capabilities of defenders and the resources of attackers continues to increase, the government must play a critical role in improving the collective capabilities and readiness of the private sector as well as ensuring our government’s assets are safe and secure. The time for doing so is now.
Ariel Tseitlin is a Partner at Scale Venture Partners focused on investments in the cloud and security industries. He currently sits on the board of directors at Agari, CloudHealth Technologies, and Threat Stack. Previously, he was Director of Cloud Solutions at Netflix, where he was responsible for creating and operating one of the most modern cloud infrastructures in the industry. Prior to Netflix, he was VP of Technology and Products at Sungevity and before that was the founder and CEO of CTOWorks. Earlier in his career, he held senior management positions at Siebel Systems and Oracle.