Any time there is a change of White House administrations, especially with a change of political party, it’s normal to wonder how changes in the government will impact your industry. At the FAIR Institute, this means that we are wondering how an incoming Trump administration will impact the private and public sectors’ appetites for cyber risk management and, specifically, cyber risk quantification with FAIR.
With the upcoming administration, we can look at what the President-elect did during his first term in office to get a glimpse of what might be in store for the next term. When considering what the administration will do for cybersecurity, we should look at two fronts: cybersecurity regulation for the private sector and cybersecurity management in federal agencies.
Todd Tucker is Managing Director for the FAIR Institute. Watch Todd's Welcome Address to the 2024 FAIR Conference.
New Administration: Outlook for Cybersecurity Regulation
Let’s look at regulation, first. The President-elect has shown a preference for deregulating the private sector; we should expect pressure by the administration to reduce cybersecurity regulations on businesses.
Is this a good thing? After all, regulations such as HIPAA, the Gramm-Leach-Bliley Act, the Federal Information Security Modernization Act (FISMA, affecting both agencies and contractors), and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) have arguably led to increased private-sector investment in cybersecurity.
But do these regulations encourage compliance-centric approaches to cybersecurity over risk-centric ones? And could deregulation lead to more risk-centric, business-aligned approaches?
I would argue that deregulation only results in better cybersecurity if two things happen:
>>First, businesses must take a risk-based approach to cybersecurity, whereby investments are made based on a more systematic and continuous approach to risk assessment, monitoring and management. We see that more and more businesses are doing so using FAIR.
>>Second, law enforcement agencies, the courts and our broader legal system must continue to hold businesses accountable for failures to properly protect data and systems. Fines and other damages must remain part of the risk management equation.
New Administration: Outlook for Cybersecurity Management in the Public Sector
Now let’s look at cybersecurity management in the public sector. The next four years may not be a mere continuation of President-elect Trump’s first term (given the four years in between), but we can expect many of his priorities to remain similar to those from before. During that term, the administration arguably placed a strong emphasis on cybersecurity with actions including:
>>National Cybersecurity Strategy (2018): Released the first comprehensive strategy in 15 years, focusing on protecting critical infrastructure, promoting resilience, enhancing offensive cyber capabilities, and advancing American influence in global cybersecurity.
>>Elevation of U.S. Cyber Command (USCYBERCOM): Elevated USCYBERCOM to a Unified Combatant Command, granting it greater authority to conduct offensive cyber operations against adversarial nations and enhancing national cyber defense.
>>Expansion of the Role of CISA (Cybersecurity and Infrastructure Security Agency): By signing the Cybersecurity and Infrastructure Security Agency Act of 2018, Trump expanded CISA's footprint to include roles in securing elections and the census, managing National Special Security Events, and the U.S. response to the COVID-19 pandemic.
>>Executive Order 13800 (2017): Mandated that federal agencies adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF, then known as the Framework for Improving Critical Infrastructure Cybersecurity), enhance risk management, and report on cybersecurity improvements, while fostering public-private partnerships.
>>Critical Infrastructure Protection: Strengthened cybersecurity measures across critical sectors, including energy, healthcare, and election infrastructure, through collaboration with the private sector and stricter compliance standards.
Compliance-based Cyber Risk Management Still the Rule
Despite these accomplishments, the federal government then and now takes a compliance-centric approach, not a risk-centric approach, to cybersecurity.
As described in a blog post on federal cyber risk management by FAIR Institute founder Nick Sanna over four years ago, the executive branch “meant well in pushing for a risk-based approach to cybersecurity in the Federal Government, but their requirements fall short of helping agencies effectively prioritize and right-size their cybersecurity investments.”
Instead, federal agencies focused on meeting compliance requirements and lacked “clear and measurable expectations for assessing cybersecurity risk and effectiveness of controls.” This remains true today.
Lessons from the TBM Experience
President-elect Trump’s first administration sought to boost federal efficiency and innovation by adopting proven private-sector management models. I experienced this firsthand at the Technology Business Management (TBM) Council, where I helped establish and lead the federal Commission on IT Cost, Opportunity, Strategy, and Transparency (the IT COST Commission).
This collaboration brought together federal CIOs and private-sector experts to create standards and guidelines that gave agency CIOs greater transparency into their IT spending. Launched in 2016 with support from the Obama administration, the commission addressed the pressing need for transparency in government operations. After the transition to the Trump administration, the IT COST Commission maintained bipartisan backing, as TBM’s business-driven (and private-sector-born) approach resonated.
The work culminated in a report featuring 21 recommendations, a White House Summit on Technology Business Management and the prioritization of TBM by the federal CIO and the Office of Management & Budget (OMB).
Over the years, federal adoption of TBM has given agency CIOs greater control over their IT investments by providing greater transparency into the billions of dollars they spend each year. It influenced state and local governments, which often follow federal practices. And it encouraged foreign governments to adopt TBM.
The Case for FAIR Adoption in the Federal Government
Could the same thing happen with cyber risk management and FAIR?
FAIR has been adopted by a handful of government agencies. But federal standards remain silent or neutral on the use of cyber risk quantification. Indeed, there are challenges in using quantification methods in the federal sector, where agencies are accountable to missions and, in most cases, not to revenue or profits.
But federal agencies regularly weigh investments against assumed dollar values for hard-to-quantify things such as a human life lost or a failed rocket launch. FAIR is not only possible with federal agencies, but it’s necessary if the federal government is to get the most value out of its cybersecurity investments.
So what’s in store for cybersecurity with the new administration?
If it deregulates cybersecurity in the private sector, a quantitative and business-centric approach like FAIR should be required instead. And as the administration looks for ways to improve efficiency, it should prioritize FAIR and quantitative cyber risk management practices over compliance-driven approaches for government agencies.
FAIR has empowered thousands of organizations to improve their understanding of risk, make better cybersecurity investment decisions, employ cyber insurance more cost-effectively, and get more risk reduction value for the dollars they spend. The federal government would be best served by doing and encouraging the same.