On 11 May 2017, President Trump signed an executive order aimed at improving US cyber security infrastructure. Tom Bossert, the homeland security adviser, said the order is in keeping with the president's pledge to enhance safety across America, cyberspace included.
The executive order sets out three main areas of focus for the administration in managing cyberspace: accountability and coordination across departments and agency heads, replacement of ageing cyber security infrastructure, and stronger protection for national networks. Yet again, however, the executive order shows how the West is still not fully awake to the threats posed by "under the radar" cyber attackers.
Negatives Highlighted and How the UK Should Avoid Them
1. Small Businesses Are Still Unprotected
Overall, the new executive order does not fundamentally change the approach to cyber security that the US has followed from the Bush administration through the Obama administration. It is still a positive step for US businesses because cyber security is being given the attention it deserves, without partisan undertones.
However, the executive order does not change where responsibility for cyber security sits. The onus still lies on business owners to maintain the security and integrity of their own networks.
In the UK, the government has allocated a total of £1.9bn to improving the UK's cyber security for the period 2016-2021. A large share of that money, however, goes to hardening government-sponsored structures and businesses, leaving the average business owner, who is the main target of small-scale attacks, to self-protect.
Unfortunately, the promise of a more secure cyberspace seems to have created a false sense of security across top UK businesses. Even after the recent ransomware attack on the NHS, only 48% of UK businesses are considering increasing their investment in cyber security.
The UK Government created the National Cyber Security Centre to "share knowledge and address systemic vulnerabilities", but there has been no legislation to make businesses understand their responsibilities or to enforce joined-up risk assessments. As long as small businesses are left vulnerable to attack, whether through a lack of investment or through inadequate legislation, the UK's cyberspace will never be quite safe.
2. State-Sponsored Activity Is Still the Focus
The executive order reiterated what many in the cyber security world already knew: state-sponsored activity will always get the lion's share of attention. This is a dangerous approach, because cyber criminals do not only target government systems and structures. Even when a cyber attack does not directly affect the government, it can erode public confidence and, depending on the target, damage the economy.
The UK's cyber security setup is eerily similar to that of the US. Monitoring is tiered by national importance, and organisations on the lower rungs of the ladder are largely left to fend for themselves. Until there is legislation and investment that allow security teams to monitor UK cyberspace from a unified standpoint, cyber threats will remain with us. A better solution would combine attack vector analytics, threat-focused vulnerability intelligence and network modelling to safeguard UK cyber infrastructure and identify attack vectors across UK cyberspace as they emerge, rather than only those aimed at the state.
3. Purchase of Security Equipment from Foreign Sources Is Still an Issue
Many were disappointed that the Trump executive order made no mention of curbing cyber technology collaboration between the US and foreign countries. Recent Russian- and Chinese-backed attacks on the US should have prompted a shift on this front. US federal agencies have long been warned off Huawei Technologies over alleged links to China's People's Liberation Army, and Congress is now pushing to bar Kaspersky Lab, a Russian cyber security company, from US government systems.
Interestingly, both companies operate freely across the UK. Such foreign companies may never have triggered red flags in the UK's cyber security structure, but there is legitimate reason to be wary of suppliers from countries with a history of state-sponsored cyber attacks. In early May, at a Senate Intelligence Committee hearing, the heads of the CIA, NSA and FBI were among six intelligence agency chiefs who said they would not be comfortable using Kaspersky software on their systems. Why should businesses across the UK be comfortable?