As it stands, the United States has been going about our federal cybersecurity all wrong, and as the 115th Congress begins and the new presidential administration prepares to assume power, we should view this as a potential turning point for how we address cyber threats and cyber incidents.
{mosads}In the months since the election, Washington has been abuzz with chatter about cyber topics – most notably allegations that foreign adversaries used cyber tactics to influence the United States’ choosing of a new leader. As President Obama continued to make the case that Russian interference played a role and President-elect Trump argued that no such events transpired, Senate Majority Leader Mitch McConnell declined to create a select committee to investigate the issue despite the pleas of high profile senators including John McCain and Lindsay Graham.
There may be no better recent example of our misguided cyber priorities than this. Congress has tended to point fingers after an incident occurs and after the damage is done, but the budget fights in Congress fail to adequately address the massive need for funding in these areas. As the old saw attributed to Ben Franklin goes, “an ounce of prevention is worth a pound of cure.”
In the past year, there have been a number of high profile cyber incidents that Congress has reacted to after the fact, including the breach at the Office of Personnel Management that compromised some 21.5 million government employee records and led to the departure of OPM Director Katherine Archuleta and OPM Chief Information Officer Donna Seymour. In the interest of full disclosure, my company, CyTech Services, played a key role in discovering this breach while demonstrating our CyFIR software and, once it came to light, in providing incident response.
Shortly before the holidays, Trump announced that he had chosen South Carolina Congressman Mick Mulvaney to serve as his Director of the Office of Management and Budget. As multiple outlets reported in their coverage of the selection, Mulvaney’s tenure in the House of Representatives has established him as one of the leading advocates of slashing federal spending even more deeply than many of his colleagues in the Republican leadership. In addition, he was one of the leaders of the opposition to budget proposals put forth by his own party.
In short, Mulvaney is no stranger to the budget process. If confirmed for this new role, he will be charged with overseeing the president’s spending requests and working with his former colleagues to guide them through Congress.
Included under the OMB umbrella is the head of the Office of E-Government and Information Technology, also known as the federal chief information officer, a presidential appointment that has yet to be named.
As with the beginning of any administration, this has the potential to be a turning point in how we identify, respond to, and protect against threats and challenges in the cyber arena.
After the OPM breach, Congress spent countless hours in hearings and investigations to determine what went wrong and why. But at what cost? We are spending countless amounts of federal dollars cleaning up after these cyber incidents when fully-funded preventative measures on the front end would cost pennies on the dollar, comparatively. This potential for massive cost savings, I hope, should be something that Mulvaney can get behind.
I have no doubt that as OMB Director, Mulvaney will continue to advocate for spending cuts at the federal level. And as Trump puts forth his proposals to invest in the United States’ physical infrastructure, I would urge Mulvaney to look at our cyber infrastructure as an area that would greatly benefit from more – and smarter – spending.
Regardless of whether Russia played a role in influencing the 2016 election, the many cyber threats we face are increasingly sophisticated and we must stay ahead of them. Neglecting to prioritize funding for our many cyber needs will only serve to set us behind.
Ben Cotton is the CEO and founder of Cytech Services, an industry leading computer forensics and incident response firm serving both public and private industry. Prior to founding CyTech in 2002, Ben was a twenty-one year veteran of the U.S. Army, Special Operations Command. He served in both unclassified and classified units fighting the Global War on Terrorism, specializing in sensitive site and digital device exploitation, Computer Network Attack, and Computer Network Defense. He is a plank holder for the SOCOM capabilities that now exist within these technical areas. Ben holds a M.S. in information technology management and has also earned numerous technical certifications, including the CISSP and other industry-recognized computer forensic and incident response certifications.
The views expressed by Contributors are their own and are not the views of The Hill.