As we move into 2017, cybersecurity concerns continue to escalate. These past few months, we’ve seen some scary incidents like the October 21 distributed denial of service (DDoS) attack on the DNS services at Dyn that used IoT devices like home routers and cameras as a botnet. Oh, and the last few months of the U.S. Presidential election featured data breaches of the DNC and Clinton campaign manager John Podesta’s email and the subsequent posting of this information on WikiLeaks.
Pretty alarming, and it doesn’t appear like things will be getting better anytime soon. This raises the question: What type of cybersecurity response can we expect from President Donald Trump’s administration?
Of course, no one knows, but based upon what we know from the candidate and the campaign, President Trump’s cybersecurity policy looks uninformed, misguided, and elementary so far.
Let’s start by looking at what the incoming President said on the campaign trail first:
- Candidate Trump continuously denied that Russia was behind the DNC data breach. During one of the debates, he said, “…I mean it could be Russia but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, okay?” US intelligence professionals (and many of the security researchers I know personally) are pretty darn convinced that the FSB was behind the hacks.
- On the campaign trail, Donald Trump continually praised WikiLeaks and referred to the emails exposed on WikiLeaks to his advantage, even though these emails were obtained illegally. That’s sort of like praising Jeff Gillooly because you thought Nancy Kerrigan was a bit smug.
- Although Mr. Trump did deliver one cogent speech on cybersecurity, it was pretty clear from his day-to-day statements that he doesn’t understand it. At the first debate, Mr. Trump rambled about cybersecurity as follows, “It (cybersecurity) is a huge problem. I have a son, he’s 10 years old. He is good with computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable. But I will say, we are not doing the job we should be doing.” Huh? What did that mean?
Okay, so Trump doesn’t know cybersecurity, but no one who voted for him seemed to care. So, maybe now that he’s the President-elect, he will surround himself with the right people and put together a coherent strategy, right?
Alarmingly, there is no evidence of this so far. Mr. Trump does have a cybersecurity vision statement on his website, stressing that he will do 4 things:
- Order an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure. For a guy whose message is change, this exercise is right out of the mainstream Washington playbook. We’ve already audited and studied cybersecurity to death! It’s time for action, not more blue ribbon panels.
- Create a joint task force to fight cyber-crime. While this effort can certainly be improved, the feds are already working with states and local law enforcement and have been doing so since the George W. Bush administration. Nothing new here.
- Provide recommendations for enhancing U.S. Cyber Command. Trump is calling on military leaders to provide input and ideas for bolstering military cyber operations. Again, this type of effort has been a work-in-progress for the past 12 years. Are there new ideas? Sure, but we are probably already exploring them.
- Develop more offensive cyber capabilities. Trump wants to deter attacks by both state and non-state actors and, if necessary, to respond appropriately. Okay, but the U.S. already has some of the best offensive capabilities (remember Stuxnet?). Besides, the stakes here are pretty grim. We take out a website or servers, they launch a DDoS attack on critical infrastructure – not a very good tradeoff.
Aside from the fact that there’s nothing new here, Mr. Trump’s “vision” ignores the biggest cybersecurity issue of all – improving our cybersecurity defenses. What will he do here? Who knows?
Note to the incoming administration: Cybersecurity issues need to be a top priority from day one. I strongly suggest that Mr. Trump consult with government and private sector cybersecurity experts as soon as possible and move beyond his current myopic and embarrassing vision. Remember, American critical infrastructure, businesses, and individuals are vulnerable to attack, and citizens are looking for the President’s leadership to mitigate risk in this area.