On a day dominated by news about President Trump’s firing of FBI director James Comey, and its impact on the ongoing investigation of Russian hacking of the 2016 presidential election, two significant developments for the cybersecurity industry also emerged Thursday.
First, President Trump signed an executive order laying out plans to shore up data security for federal agencies as well as for critical U.S. infrastructure, which can include private companies such as electric utilities. The order, which calls on executive branch agencies to assess and remedy their security vulnerabilities, could open up opportunities for cybersecurity companies.
Second, at a Senate Intelligence Committee hearing primarily focused on the Comey firing, senators and U.S. intelligence chiefs discussed whether American agencies should avoid doing business with Kaspersky Lab, a major U.S. seller of antivirus protection, because the company is based in Russia.
The public hearing surfaced a controversial question: Should customers looking for cybersecurity services first consider the national origin of security providers, and even the ex-U.S. ties of their founders and executive team members?
Xconomy sounded out Bay Area cybersecurity experts on these two fronts.
Executive order on cybersecurity
Veteran cybersecurity investor Bob Ackerman applauded President Trump’s executive order for calling on U.S. agencies and departments to take responsibility for their own security, and to cooperate to conform with common technology standards.
“It’s a good starting point as a baseline,” Ackerman, the founder and managing director of Allegis Capital, says.
Steven Grossman, vice president of strategy at cybersecurity company Bay Dynamics, praised the executive order for building on an initiative launched by President Obama in 2014 and making some valuable additions. He pointed to a section calling for efforts to build up the nation’s workforce to address a shortage of experts trained in cybersecurity.
The executive order sets a 90-day deadline for the leaders of each executive branch agency to submit a risk management report detailing their security measures and any unmitigated risks. The document also calls for a study on the feasibility of operating all or some of the agencies under consolidated network architectures, with shared services such as e-mail, Web-based software, and cybersecurity.
“The executive branch has for too long accepted antiquated and difficult–to-defend IT,” the report states.
Grossman says cybersecurity companies that provide value and solve real problems stand to gain government contracts to help assess the current risks and then help fill in the security gaps.
“It’s a huge amount of opportunity,” Grossman says.
Oren Falkowitz, co-founder and CEO of cybersecurity company Area 1 Security, says simplifying the security infrastructure and creating common standards are good steps.
“Complexity in networks is one of the things attackers take advantage of,” Falkowitz says. He emphasizes the urgency of security improvements, not only for government agencies but also for companies and organizations.
“The trend in cybersecurity is not good,” Falkowitz says. “Intellectual property is being stolen, elections are being hacked, and financial damage is being done.”
Falkowitz says he expects the administration’s plan will be followed by further executive orders and perhaps Congressional action to add elements to the federal security framework.
Ackerman, founder and managing director at Allegis Capital, already has some ideas to suggest. He proposes that the government create an “IT department” that would serve all government agencies, so that each wouldn’t have to develop its own cybersecurity methods. He also advocates for a mechanism whereby cybersecurity experts in U.S. intelligence agencies could share some of their knowledge with U.S. industries. That government expertise could also be an element of a “cybersecurity infrastructure bank,” proposed by Ackerman. The bank would make loans of government funds to small water plants, utilities, and other key entities to help them quickly upgrade their defenses against attack.
The bank could focus on institutions that lack the expertise and capital available to better-funded and more sophisticated parts of the critical infrastructure, such as stock exchanges, Ackerman says.
“You’re only as strong as your weakest link,” he says.
The government also should make it easier for innovative security startups to compete for government work, which is currently a slow and “resource-intensive” process that few startups can afford, Ackerman says.
The question of “cyber-nationality”
The conclusion by U.S. intelligence agencies that Russia interfered with the 2016 presidential election— by means such as hacking into e-mail accounts of Democratic campaign officials and spreading fake news—has now forced the Russian cybersecurity company Kaspersky Lab into the public spotlight.
The company’s national origins became a focus Thursday for the Senate Intelligence Committee, which is investigating Russia’s role in the U.S. election