Given recent cybersecurity incidents like the Google Android data breach, the DDoS attack on Dyn and the data breach of the DNC, President-elect Donald Trump will find cybersecurity policy a top priority when he takes office in January.
What should Mr. Trump do and what should he avoid? In my last blog, I presented some recommendations for the “do” column. Alternatively, here is a list of things President Trump should eschew in his administration’s cybersecurity agenda. The “don’t” column includes the following:
- Don’t obsess over cybersecurity intelligence sharing. Public/private partnerships for cybersecurity cooperation have roots that go back to the Clinton administration’s original PDD-63 on critical infrastructure protection. More recently, Congress struggled with CISPA and then CISA as standalone bills before folding CISA into a federal spending bill in late 2015. Intelligence sharing is a good step, but it has been beaten to death, and most large organizations have already figured it out on their own. What’s needed now is a concerted effort on best practices and on getting threat intelligence into the hands of small businesses. Yes, these things should happen, but the feds should do them under the existing CISA framework rather than spin up another distracting effort. Remember that threat intelligence sharing is a means to an end (i.e., better cybersecurity visibility and analysis) and not an end in itself.
- Don’t propose yet another blue-ribbon cybersecurity panel. If Mr. Trump’s goal is to shake up Washington, the last thing he should do is appoint another blue-ribbon panel to study cybersecurity issues and provide recommendations; that move is on page one of every Beltway politician’s playbook. As an alternative, Mr. Trump should appoint high-level cybersecurity experts to go through the findings and recommendations of President Obama’s cybersecurity commission (as well as similar historical reports), tailor them to his political agenda, and push the appropriate actions forward with Congress as soon as possible.
- Don’t even think about giving national cybersecurity oversight to the military. The few cybersecurity plans Mr. Trump's camp talks about tend to include a military and intelligence component. That is fine when it comes to offensive operations and U.S. Cyber Command, but it gets a little scary with regard to civilian agencies and the private sector. There are those at the Pentagon who will push for this by equating cybersecurity with national security, but with all due respect to the military, Mr. Trump must follow the lead of past Presidents and draw a clear line between military and civilian cybersecurity involvement. In truth, ANY military, law enforcement, or intelligence involvement in private sector and consumer cybersecurity programs will turn into an all-consuming political and technology civil war, with Republicans and Democrats alike pushing back. This unnecessary fight must be avoided, as it could halt federal cybersecurity progress for months or years.
- Don’t push for a new federal cybersecurity agency. Since the military can’t be involved in private sector cybersecurity, many responsibilities fall to DHS, a massive bureaucracy that hasn’t had a strong record of success with its cybersecurity programs. Some in Washington see this as a reason to create yet another civilian agency, a department of national cybersecurity. While it may be tempting to consolidate cybersecurity responsibilities, it would be extremely difficult to unwind cybersecurity from DHS and from every other nook and cranny in the greater DC area. This doesn’t mean, however, that the Trump administration should live with an understaffed and under-skilled DHS steering the cybersecurity ship. As I mentioned in my last blog, Mr. Trump needs a skilled government insider to help streamline federal cybersecurity oversight, cut Washington fat, and create a model that empowers DHS with the right resources and programs.
- Don’t mess with encryption. This piece of advice is in the same neighborhood as one of my previous ones. Trump blasted Apple after the San Bernardino terrorist attack and may be sweet-talked by intelligence and law enforcement insiders into pushing for encryption backdoors that enable government surveillance. Once again, this will only alienate the technology industry, privacy advocates, and half the population. Besides, bad guys will simply avoid U.S. technology and use open source or foreign alternatives, while any escrow or lawful-access mechanism built into a product becomes an attack surface for everyone else. President Clinton pushed a similar agenda with the Clipper Chip in the 1990s; its escrow scheme was shown to be bypassable within a year, and the program failed miserably. There’s no reason to believe that Clipper 2.0 would be any different.
- Don’t rule out regulation. I realize that Mr. Trump was elected on a promise of cutting federal regulations, but he should still be careful not to issue a George H.W. Bush-like proclamation (i.e., “read my lips, no new taxes”) that he will never change this position. For example, IoT vendors may continue to sell network-ready devices built on vulnerable software with factory default passwords, leading to a wave of DDoS events à la the Dyn/Mirai attack this past October; Mirai spread by logging into devices over telnet with a short list of well-known default credentials, a defect that any pre-sale security test would have caught. Trump may find that the best way to improve IoT security is with some type of UL-like certification requirement for software. Mr. Trump should understand that you never say never with cybersecurity.
Finally, I’d suggest that Mr. Trump think hard before becoming trigger happy with offensive cybersecurity operations. Remember that the U.S. is more vulnerable than just about anyone else, and no one will be happy with the administration if the power goes out in NYC for months.
The dos and don’ts I’ve laid out in the two blogs should provide an agenda that adheres to Mr. Trump’s politics and promises while accelerating federal actions. With a Republican congress in tow, President Trump has an opportunity to make real progress if he knows what to prioritize and what to avoid.