Xconomy | By Bernadette Tansey | May 12, 2017
On a day dominated by news about President Trump’s firing of FBI director James Comey, and its impact on the ongoing investigation of Russian hacking of the 2016 presidential election, two significant developments for the cybersecurity industry also emerged Thursday.
First, President Trump signed an executive order laying out plans to shore up data security for federal agencies as well as for critical U.S. infrastructure, which can include private companies such as electric utilities. The order, which calls on executive branch agencies to assess and remedy their security vulnerabilities, could open up opportunities for cybersecurity companies.
Second, at a Senate Intelligence Committee hearing primarily focused on the Comey firing, senators and U.S. intelligence chiefs discussed whether American agencies should avoid doing business with Kaspersky Lab, a major U.S. seller of antivirus protection, because the company is based in Russia.
The public hearing surfaced a controversial question: Should customers looking for cybersecurity services first consider the national origin of security providers, and even the ex-U.S. ties of their founders and executive team members?
Xconomy sounded out Bay Area cybersecurity experts on these two fronts.
Executive order on cybersecurity
Veteran cybersecurity investor Bob Ackerman applauded President Trump’s executive order for calling on U.S. agencies and departments to take responsibility for their own security, and to cooperate to conform with common technology standards.
“It’s a good starting point as a baseline,” Ackerman says.
Steven Grossman, vice president of strategy at cybersecurity company Bay Dynamics, praised the executive order for building on an initiative launched by President Obama in 2014 and making some valuable additions. He pointed to a section calling for efforts to build up the nation’s workforce to address a shortage of experts trained in cybersecurity.
The executive order sets a 90-day deadline for the leaders of each executive branch agency to submit a risk management report detailing their security measures and any unmitigated risks. The document also calls for a study on the feasibility of operating all or some of the agencies under consolidated network architectures, with shared services such as e-mail, Web-based software, and cybersecurity.
“The executive branch has for too long accepted antiquated and difficult–to-defend IT,” the report states.
Grossman says cybersecurity companies stand to gain government contracts to help assess the current risks and then help fill in the security gaps.
“It’s a huge amount of opportunity,” Grossman says.
Oren Falkowitz, co-founder and CEO of cybersecurity company Area 1 Security, says simplifying the security infrastructure and creating common standards are good steps.
“Complexity in networks is one of the things attackers take advantage of,” Falkowitz says. He emphasizes the urgency of security improvements, not only for government agencies but also for companies and organizations.
“The trend in cybersecurity is not good,” Falkowitz says. “Intellectual property is being stolen, elections are being hacked, and financial damage is being done.”
Falkowitz says he expects the administration’s plan will be followed by further executive orders and perhaps Congressional action to add elements to the federal security framework.
Ackerman, founder and managing director at Allegis Capital, already has some ideas to suggest. He proposes that the government create an “IT department” that would serve all government agencies, so that each wouldn’t have to develop its own cybersecurity methods. He also advocates for a mechanism whereby cybersecurity experts in U.S. intelligence agencies could share some of their knowledge with U.S. industries. That government expertise could also be an element of a “cybersecurity infrastructure bank,” proposed by Ackerman. The bank would make loans of government funds to small water plants, utilities, and other key entities to help them quickly upgrade their defenses against attack.
The bank could focus on institutions that lack the expertise and capital available to better-funded and more sophisticated parts of the critical infrastructure, such as stock exchanges, Ackerman says.
“You’re only as strong as your weakest link,” he says.
The government also should make it easier for innovative security startups to compete for government work, which is currently a slow and “resource-intensive” process that few startups can afford, Ackerman says.
The question of “cyber-nationality”
The conclusion by U.S. intelligence agencies that Russia interfered with the 2016 presidential election— by means such as hacking into e-mail accounts of Democratic campaign officials and spreading fake news—has now forced the Russian cybersecurity company Kaspersky Lab into the public spotlight.
The company’s national origins became a focus Thursday for the Senate Intelligence Committee, which is investigating Russia’s role in the U.S. election and the possibility that the Trump campaign colluded with Russian operatives to gain an advantage over Trump’s Democratic opponent, Hillary Clinton.
Senators at the committee hearing voiced concerns that the Russian government might use Kaspersky’s software to infiltrate U.S. agency computers or damage broader American information networks. The intelligence chiefs said they were monitoring Kaspersky. When Sen. Marco Rubio (R-Florida) asked leaders of the agencies whether they would be comfortable using Kaspersky software, the heads of the FBI, CIA, NSA, and three other intelligence agencies all said no.
Ackerman says the underlying concerns are not limited to Kaspersky, or even to cybersecurity companies. “In this globalized economy, everyone is in favor of open trade,” he says. But the inspections and commerce system isn’t prepared to deal with the speed and diversity of goods moving among countries. Customers need to develop criteria to decide whom to trust, whether they’re buying food, microprocessors, or cybersecurity services, he says.
“You do have to look at the nation, or nations, of origin,” Ackerman says.
While Ackerman isn’t saying that Kaspersky has done anything wrong, he says it might be a pragmatic decision to choose another cybersecurity provider.
“There’s clear, irrefutable evidence that Russia is engaging in nefarious activities,” he says. There’s also good evidence that Russia collaborates with the “private cybersecurity firms” in Russia, he says.
“Anything from Russia immediately becomes suspect,” Ackerman says.
In addition to looking at the national origins of companies, people are also scrutinizing the backgrounds of cybersecurity company founders and other executives for links to other nations, Ackerman says. The concerns extend not only to U.S. national security, but also to fears that cybersecurity companies might share sensitive intellectual property with competitors in other countries, he says.
Area 1’s Falkowitz says company risk management departments are always looking into factors such as the supply chains of their vendors and other possible threats to security. But he’s uncomfortable with the idea of ruling out a business partner based on geography alone.
“I think we would take great offense to such assertions by other governments that our cybersecurity or tech companies were agents of our government,” Falkowitz says.
“To create fear around the national origins of companies is a mistake,” Falkowitz says. “There are many amazing companies here in the U.S. that were founded by people of foreign origin—Google, for example.’’
Instead, buyers should examine the merits of a company’s work, such as the standards it uses to ensure quality, Falkowitz says. Certainly, though, if company wrongdoing is uncovered, that should be brought forward, he says.
“I also don’t see anything wrong with buying American,” Falkowitz says. “There are other reasons why that might be the right thing to do—such as that the companies’ work is very good.”
Find Article Here: www.xconomy.com