When Donald Trump takes the oath of office on Jan. 20, he’ll face an urgent and growing threat: America’s vulnerability to cyberattack. Some progress has been made in fortifying the nation’s digital defenses. But the U.S. still is alarmingly exposed as it leaps into the digital age. If he wants to make America great again, Trump needs to address this growing insecurity.
Three areas — energy, telecommunications and finance — are especially vital and vulnerable. The government must commit itself to defending them. It also must recognize that the risks posed to all three are increasing, as more parts of our lives are connected to the internet.
Start with energy. There is already malware prepositioned in our national power grid that could be used to create serious disruptions. It must be cleaned up. Last December, three of Ukraine’s regional power-distribution centers were hit by cyberattacks that caused blackouts affecting at least 250,000 citizens. The U.S. is just as vulnerable because the malware used in that attack is widespread and well placed here.
The government historically has taken steps to ensure the availability of communications in an emergency — the 911 system, for instance. It should do the same for power. In particular, Trump should direct the Federal Emergency Management Agency to use the Homeland Security Grant Program to improve cyber resilience at state and local power facilities. These efforts must be focused on removing malware and fielding better defenses, beginning with the highest-risk facilities crucial to the centers of our economic and political power.
Next, protect telecommunications. The integrity of our telecommunications system is essential for the free flow of goods, services, data and capital. Yet, the U.S. is home to the highest number of “botnets,” command-and-control servers and computers infected by ransomware in the world. Compromised computers are being used to launch paralyzing distributed denial of service, or DDoS, attacks against a wide range of companies. In October, such an attack knocked numerous popular services offline, including PayPal, Twitter, the New York Times, Spotify and Airbnb. Thousands of citizens and businesses were affected.
To address this problem, the next president should start a national campaign to reduce the number of compromised computers plaguing our systems. This campaign should be managed like the Y2K program — the largely successful effort, led by the White House in tandem with the private sector, to fix a widespread computer flaw in advance of the millennium. With the same sense of urgency, the government should require that internet service providers give early warning of new infections and help their customers find and fix vulnerabilities. Just as water suppliers use chlorine to kill bacteria and add fluoride to make our teeth stronger, internet service providers should be the front line of defense.
Third, the U.S. must work with other countries to protect the global financial system. In recent years, financial institutions have experienced a wide range of malicious activity, ranging from DDoS attacks to breaches of their core networks, resulting in the loss of both money and personal information. In the past year, a number of breaches at major banks were caused by security weaknesses in the interbank messaging system known as SWIFT. The entire financial system is at risk until every connected institution uses better security, including tools to detect suspicious activities and hunt for the malicious software that enables our money to be silently stolen.
All these problems, finally, may be exacerbated by the rise of the Internet of Things. As more and more devices are connected to the internet, it isn’t always clear who’s responsible for keeping them secure. Without better oversight, the Internet of Things will generate more botnets, command-and-control servers and computers susceptible to ransomware. Flawed products will disrupt businesses, damage property and jeopardize lives. When medical devices can be subject to serious e-security flaws, and when vulnerable software in security cameras can be exploited to knock businesses offline, government intervention is required.
Manufacturers, retailers and others selling services and products with embedded digital technology must be held legally accountable for the security flaws of their wares. We need to put an end to the “patch Tuesday” approach of fixing devices after they’re widely dispersed. A better approach is an Internet Underwriters Laboratory, akin to the product-testing and certification system used for electrical appliances. Such a system could help ensure that internet-connected devices meet a minimum level of security before they’re released into the marketplace.
Trump should make it clear in his first budget proposal that these steps are vital priorities. The digital timer on our national security is ticking.
Melissa Hathaway is the president of Hathaway Global Strategies and a senior adviser at Harvard Kennedy School’s Belfer Center. She headed the Cyberspace Policy Review for President Barack Obama and the Comprehensive National Cybersecurity Initiative for President George W. Bush.


