On Nov. 9, 2016, my colleague, Chris Pogue, and I published our cybersecurity wish list for President-elect Donald Trump. On Dec. 1, 2016, President Obama's Commission on Enhancing National Cybersecurity issued its Report on Securing and Growing the Digital Economy. The Commission was charged with "developing actionable recommendations for securing and growing the digital economy by strengthening cybersecurity in the public and private sectors."
I took the time to read the Commission's report, something I encourage anyone interested in our nation's cybersecurity to do, and find it to be well researched, presenting the problems it identified and solutions to those problems clearly. What I like most is that the Commission's report and our wish list are quite similar.
"He who hesitates…"
After reading the Commission's report and meditating on the cybersecurity and insider threat problem set, I kept coming back to one particular aspect of both our wish list and the Commission's report. When we first wrote our wish list, we did not include any references to time in executing our suggestions. The Commission didn't make the same omission — they laid out what actions should be taken in the first 100 days, and then continued by detailing a two-year requirement for high-priority items and five years for medium-priority actions.
All this kept me awake pondering recently. The old idiom, "He who hesitates is lost," kept popping into my head. After all, what else do I have to do at 2 a.m.? But what exactly does that phrase have to do with our wish list and the Commission's report?
We live in a digital world — in case you haven't already heard. Threats are measured in nanoseconds and minutes, not years. If the incoming administration implements some of the more critical action items mentioned by the Commission's report, that's wonderful news! We, however, will remain under a significant threat. Those action items labeled as "critical" don't begin to cover the threat landscape if we have to wait two years to implement them.
Two to five years is a very long time, especially in technology. Incorporating and finalizing the action items marked as high or medium priority over this span of time leaves the solutions at risk of being obsolete before they ever go into effect. That does nothing but leave us exactly in the same situation we face today.
It's not going away
As the former head of the insider threat and counterintelligence program for a U.S. government agency, I know too well the resource and political issues at hand. I also know that too many government leaders and private sector executives are still not convinced that cybersecurity and insider threat programs are important enough in their respective organizations.
Threats are not going away. The Office of Personnel Management, the National Security Agency, and the Democratic National Committee are some recent examples of government or political organizations damaged by cyberattacks. There are many more in the private sector. It is estimated that the cost of damage, including loss of revenue, repair, and prevention, is at least $400 billion each year to the world economy. We are also faced with threats to SCADA and by internet of things (IoT) devices. Soon, if it has not already occurred, human lives will be lost due to these threats. We cannot afford to wait to begin protecting our data and people.
Everyone who runs a commercial or governmental organization that solicits, maintains, or uses critical information must not wait two or even five years, much less 100 days, to protect that data from loss, destruction, or alteration. There are those who seek to use, manipulate or damage data for any number of reasons. If you possess critical value data, then you are obliged to protect that data.
I think it important enough to adjust my thoughts from our wish list to include one more wish. My new wish is one for all senior government and private sector leaders: Do not wait for the incoming administration to lay out its plans. The critical value data you possess is vulnerable. You need to protect your reputation, the people you serve, our economic and national strength and yes, perhaps even our personal safety.
Be proactive. Don't wait to be told or informed what path to take. Recognize that you must act right now. To counter personal, economic, and national threats, we as a whole must begin to understand the digital world in terms of nanoseconds, not days and years.
Keith Lowry is the senior vice president of Nuix USG and Nuix's Business Threat Intelligence and Analysis division. He served as chief of staff to the deputy undersecretary of defense for human intelligence, counterintelligence and security at the Pentagon, as well as an information security consultant in the private sector.