Following Presidents Trump’s abrupt termination of FBI Director James Comey earlier this month, the US government is left in a vulnerable spot as officials struggle to create the right policies to avoid cyber-attacks. Comey was one of the few federal officials equipped to get the job done right; he handled the investigation into Hillary Clinton’s use of a private email server and led a criminal investigation into whether Trump advisers colluded with the Russian government to steer the 2016 presidential election.
Although the Justice Department last week appointed ex-FBI director Robert S. Mueller III to head the investigation in Comey’s place, the developments nonetheless beg broader questions over what kinds of protections against cyber-attacks should Americans expect from the US government?
Without senior leadership in many of these government agencies, very few agencies are willing or even able to make large financial outlays or make decisions for new software, architecture, or counter-measures. Per reporting from Politico and USA Today, top-ranking positions across U.S. Defense, Treasury, and State departments, as well as key ambassador spots, are still awaiting appointments. In other words, rather than addressing the issue with press-laden, sweeping executive orders, perhaps the problem is simpler – putting talent into key open positions and enabling them to do their jobs. While Trump’s full cabinet has been confirmed, the Nonpartisan Partnership for Public Service has identified 557 ‘key’ government appointments that have yet to be confirmed by the Senate (not to mention the thousands of appointments that do not require Senate confirmation).
As time passes and without leadership in place, any decisions around major cybersecurity initiatives must be put on hold.
Former President Obama proposed a $19 billion cybersecurity plan in 2015 and 2016 (as part of the President’s Fiscal Year 2017 Budget) to improve IT infrastructure. But many deals are on hold while awaiting President Trump’s team that would help replace old government systems that are the most vulnerable to cyberattacks. While Trump did sign a separate cybersecurity order earlier this month, it’s improvements are incremental. Even as Trump also proposed increases in cybersecurity budgets for U.S. Homeland Security, he still flirts with the notion that a government shutdown would be “good for government,” as suggested ina recent tweet. As government employees worry about getting paid and are furloughed, America’s capacity to build and secure its digital boundaries flounders.
It is now time to start building a more comprehensive plan for protecting and prosecuting cyber-attacks against our citizens and organizations. As Fortune 500 companies make cybersecurity a responsibility that even corporate board members are held to, perhaps it’s time for the Administration to appoint a cybersecurity czar to direct and manage cybersecurity across agencies, reporting directly to the President. Similar to coordinating physical security, cybersecurity needs to be elevated in mindshare, management, and resources. A proactive approach must be the priority. Rather than acting in a reactionary way, this approach enables leadership to coordinate efforts across agencies and internationally, and may provide impetus for filling positions more rapidly and effectively across the organization in the same way the private sector protects itself from cyber hacks.
Unfortunately, it’s not enough to keep the police on the streets and the military bills paid anymore. When governments are compromised by a hack, their people and their organizations are held up for ransom and the leadership is bogged down in identifying where the blame lies. How can we expect to protect ourselves? Let’s not wait until there is another Federal breach that undermines the security of our nation (remember the Office of Personnel Management hack in 2015?) to put a spotlight on the problem. What we’ve seen so far is just the beginning.
Theresia Gouw and Jennifer Fonstad are the co-founders and managing partners of Aspect Ventures, a Silicon Valley-based venture capital firm.