20 January 2017

Dear President Trump: We ran the numbers, you’ve inherited a cyber problem

Anne-Marie Chun

The Russian hacking saga, which initially created a stir last summer when Democratic National Committee officials announced their computer network had been breached, highlights a trend that has been developing over the past decade but is now just recently coming to public light: the cyber threat to the U.S. government and its citizens is increasing.

General awareness of big cybersecurity threats and hacks has been on the rise thanks to the steady cadence of news headlines, but there’s a substantial, long-term threat that is looming in the background while we continue to monitor topics like Russian interference (as well as Yahoo and others in the private sector).

President Donald Trump has pledged to do more in terms of bolstering cybersecurity efforts, but research shows he’s inheriting a problem that’s only growing exponentially by the month. David Sanger from The New York Times recently stated that there are “fundamental problems with America’s cyberdefenses and deterrence that president-elect [Trump] will begin to confront in two weeks.”

New Administration Faces Widening Gap

Part of these “fundamental problems” Sanger alludes to seem to stem from insufficient funding. We’ve analyzed data below that shows there is a growing gap between the U.S. government’s spend on cybersecurity protection versus the escalating threat, and the issue is coming to a head as Trump prepares to take the Oval Office this month.

Trump inheriting decades old security problem
Source: GAO Report on Information Security, FISMA Annual Report to Congress, Morgan Stanley Blue Paper on Cybersecurity, Synack Analysis.

The growth of federal cyber incidents (+1512% from 2006 to 2016, 32% CAGR) is grossly outpacing the growth of federal cyber investments (+155% from 2006 to 2016, 10% CAGR). While both the Bush and Obama administrations also faced a gap between number of incidents and spend, our projections show cybersecurity budgets increasing only marginally, while federal threats continue to skyrocket in 2017 and beyond.

Many factors are contributing to the problem, including:

  • Lack of Prioritization: The lack of focus on cybersecurity over the past decade has created problems that we are facing today. Fortune’s Jeff John Robert recently posed the question in his story, Should the Government Pay More for Cyber Talent?  It’s a valid debate and highlights one of the main battles our federal agencies face when attracting and retaining skilled security workers while we are  expected to face a global cybersecurity talent gap of roughly 1.5 million professionals by 2019. Not to mention, a lot of our current IT budgets tend to go towards operations and management of legacy systems, another potential pitfall.
  • Rise of Political Motivation: We’ve witnessed an uptick in politically-driven hacker activity, especially during last year’s election cycle, and the U.S. will surely face major cyber attacks early on in the new Trump administration as nation-states “test” the new regime. Policy-makers will be tasked with finding effective solutions to bolstering the country’s security posture—and the need is becoming more immediate every day.
  • Hackers Outpacing Defense: Overall, there is a sophistication with today’s hacking never seen before in the cybersecurity landscape. Historically, organizations and businesses would deploy antivirus software, protect their networks and perimeters, and ensure their employees stayed behind firewalls, etc. New wave threats like ransomware, phishing, fileless attacks, IoT botnets and more are leapfrogging the current approaches and solutions we’ve used in the cybersecurity realm for years.

Cyber Incidents Dip When Investments are Made

Federal topics, such as the potential IT Modernization Fund, Trump’s Cabinet picks, and others continue to drive discussion and debate, but our country’s adversaries will not wait for us to settle partisan differences to launch attacks.

What we’ve seen over the past decade is that investment and threat spikes are counter-cyclical – a spike in investment is often correlated with a decline in cyber incidents.

Trump inheriting decades old security problem
Sources: GAO Report on Information Security, FISMA Annual Report to Congress, Morgan Stanley Blue Paper on Cybersecurity, Synack Analysis.

The U.S. government has been playing catch-up with the federal cyber threat landscape. As you can see from the graph, investments in cybersecurity can help slow the growth of cyber incidents, but once budgets begin to taper, there is another uptick in attack activity.

Next Up: Silicon Valley and the Private Sector

Cybersecurity was once solely perceived as a technology or business issue, but it has never been more clear that it needs to be considered a national issue. While the Trump administration may be taking office, the private sector, namely Silicon Valley, can also help our nation stay ahead of the Federal Cyber Threat Curve. It’s our job as part of the cybersecurity community to help:

  • Promote a Bottom-Up & Top-Down Approach: With every organization’s leadership (c-suite, board of directors, etc.) making cybersecurity a priority, and every member of the organization taking steps to reduce the risk of a breach, we’ll better protect ourselves. It’s not just the IT team’s job anymore.
  • Maintain Close Public-Private Partnerships: Encouraging transparency and sharing best practices between the commercial and federal spaces will deepen a mutually beneficial relationship for all parties involved. Government agencies like the DoD and IRS have turned to Silicon Valley to help bolster their security postures through a crowdsourced model, and this trend will continue until federal agencies feel more secure.
  • Take Action to Plug the Talent Gap: The talent gap is growing, but by enhancing STEM education, as well as crowdsourcing top talent, we will help augment internal security teams. Obama’s special Commission on Enhancing National Cybersecurity called for the U.S. to train 100,000 hackers by 2020 – an ambitious goal, but one worth pursuing.

Other potential threats continue to pop up seemingly every day – the latest being the U.S. Energy Department warning that our country’s infrastructure used to deliver electricity is in “imminent danger” of cyber attacks – but with the proper investments and partnerships, we can take steps in the right direction of closing the threat gap. Federal agencies, like the DoD and IRS, continue to take nimble, startup mindsets when attacking the cybersecurity concerns surrounding their digital assets, and the progress has been impressive thus far. This year will be critical for our country, in the digital world and beyond.