Government to be more engaged with security in 2017

In September 2001, the US suffered its most egregious terror attack ever, in which 2,996 lives were lost. One of the indirect consequences of this disaster was that the Federal Information Security Management Act (FISMA) was enacted unanimously in 2002.

FISMA initiated broad protections for federal information systems security. It is very clear that the level of security in both the public and private sectors has vastly improved in the past 15 years. Unfortunately, the sophistication of attackers has increased at least as much. More defensive steps will need to be taken by the federal government in 2017; only the next 12 months will define exactly what those steps will be.

2016 was marked by increasing brazenness on the part of hackers, affecting public infrastructure and social processes. The most significant events were the hacks of the DNC and the Clinton campaign. These demonstrated a new understanding of how hacking attacks can be leveraged, in this case to try to affect our democratic process. It will not be possible to ignore this type of attack, just as it was not possible to ignore the 9/11 attack.


Beyond these attacks, 2016 also saw other significant attacks against public infrastructure and processes. The most recent was the reported penetration of a Vermont power company in December (the utility later said the malware was found on a single laptop that was not connected to its grid control systems). Burlington Electric has fewer than 20,000 customers; was this a practice run? Attacks on the utility grid have been discussed for years, but we don't know what form they may take.

Another attack that concerns me is the theft of $81 million from Bangladesh's central bank, carried out with fraudulent transfer messages sent over the SWIFT interbank network using the bank's own SWIFT credentials. Casting doubt on a financial backbone is another high-risk consequence, although these hackers were likely out only for the money.

Governments are going to need to step up their efforts in cybersecurity, although I would prefer that this task be carried out by private industry. In 2016, New York State became the first entity (federal or state) to create a cybersecurity regulation for banking, covering the banks, insurers and other financial institutions its Department of Financial Services licenses. (Massachusetts already has a data security law for entities storing personally identifiable information about its residents.) But I see that in New York, industry has pushed back and delayed the implementation of this regulation, whose effective date was pushed from January 1 to March 1, 2017. I will be watching to see what changes are made to this 14-page regulation.

Bottom line: I don't see industry being very proactive about implementing cybersecurity regulations for itself. Partly this is self-interest at work, and partly it is that there is no single-dimensional remedy. Solutions are multi-dimensional, and only government can orchestrate those.

So what should government do? If the incoming administration were Democratic, I would expect some of the recommendations from the Presidential Commission on Enhancing National Cybersecurity (whose report was released in December 2016) to be pursued. Those that were significant to me included: using ad agencies and other creative types to promote security awareness; mandatory training programs for managers, whether or not they are involved directly with security; and extending incentives to companies that have implemented cyber risk principles.

It is not clear what will happen under the incoming administration. President-elect Trump is the first President to have cybersecurity as a stated priority before taking office. On the other hand, his recent comment that "no computer is safe" could suggest either a return to paper documents or an even bigger program to boost cybersecurity.

But I will go out on a limb and predict that cyberattacks will continue to threaten our way of life, and that governments, in the next 12 months, will take specific actions to protect against these attacks. I'll check back next January to see if I am right. Until then, have a great 2017.

Copyright © 2017 IDG Communications, Inc.
