Trump’s First Cybersecurity Scorecard

‘C for effort – could try harder’ seems to be the overall judgment of Trump’s first quarter as President, reports Danny Bradbury

It has been one of the most disruptive presidencies so far. Donald Trump has rattled civil liberties advocates with a series of divisive executive orders in pursuit of his protectionist goals. The question is, how has this protectionism shown up in his cybersecurity policies, and how comprehensive are they?

Not very, according to cybersecurity lawyer and policy expert Jody Westby. The former PwC senior managing director now heads boutique legal firm Global Cyber Risk LLC. She advised the Department of Homeland Security on cybersecurity research and development for eight years.

“I found it all underwhelming,” she says, arguing that so far the administration has focused on talks and reports. “We’ve had so many reports over so many years about cyber that what we really need is funding, action and new direction. What’s proposed is old direction stuff.”

A cybersecurity review was the centerpiece of an executive order on cybersecurity scheduled for signing on January 31, but the signing was delayed with hours to spare.

The order, which was leaked ahead of time, promised a vulnerabilities review board that would analyze the nation’s cyber-exposure and then make recommendations to plug the holes within 60 days of the order’s enactment. A similar report would analyze US cyber-capabilities. Other reports called for in the executive order would list the cyber-adversaries that threaten the US and analyze incentives for getting private sector organizations to adopt cybersecurity methods.

Time for Action

Westby argues that we have all the reports we need already, and that it’s time for action. Most recently, the NIST-organized Commission on Enhancing National Security published a report in December, offering cybersecurity recommendations.

In any case, the order may look different if and when it finally sees the light of day. It hadn’t been signed at the time of writing, but has gone through several drafts, say experts.

“Trump’s failure to publish the executive order has been particularly disappointing as right now there are too many different groups claiming to be responsible for cybersecurity”, warns Richard Stiennon, chief strategy officer at Blancco Technology. A former Gartner analyst and author of a best-selling book on cyberwarfare, Stiennon still has hopes that the order will help fix the problem.

“One draft of the executive order called for assigning responsibility for cybersecurity to the cabinet secretaries, which would be a great motivator and help to clear up much of the confusion”, he says.

Industry watchers were hoping that the administration would announce the executive order at RSA, which took place February 13-17, two weeks later, but it didn’t materialize. Neither did the administration; none of Trump’s representatives attended the conference.

Trump has nevertheless made several cybersecurity appointments. He named Rudy Giuliani, the former New York City mayor and strong Trump campaign advocate, as his informal cybersecurity adviser on January 12.

Thomas Bossert, whom he appointed homeland security advisor on December 27, was deputy homeland security advisor under Bush. Trump has committed to elevating his position to independent status, and cybersecurity will play a big role in it. Bossert has said that he wants a cyber-doctrine that “reflects the wisdom of free markets, private competition and the important but limited role of government in establishing and enforcing the rule of law.”

The other significant appointment at the time of writing – which Stiennon calls “the one reason for optimism” – is the appointment of Rob Joyce as White House cybersecurity co-ordinator. However, as the former head of the NSA’s TAO cyber hacking team, Joyce’s appointment could be considered a statement about Trump’s view on surveillance policy in the US for the next four years.

Trump also made another statement that should worry privacy advocates. His blueprint budget carved out $61m to help law enforcement agencies crack encryption. This was a talking point for Trump during his election campaign, when he sided against Apple in its FBI dispute over decrypting the San Bernardino attackers’ iPhones.

The provision is “at odds with any attempts to strengthen data protections”, Stiennon says.

The blueprint also includes $35m to help the FBI develop biometric identification technologies with the DoD, at a time when Congress has been grilling law enforcement agencies on their accountability when using facial recognition technology.

The other big recipient in the budget was the DHS, which gets $1.5bn. The document earmarks the money for “a suite of cybersecurity tools and more assertive defense of Government networks.” It also promises to share more cybersecurity incident information with other federal agencies and the private sector to speed up responses.

A Long Way to Go

Westby is skeptical. For one thing, she says, the budget hasn’t been accepted yet. Trump’s stinging Congressional defeat over the revised healthcare act won’t help his credibility when trying to push through the finalized budget later in the year.

“Why does DHS need $1.5bn? It looks to me like OPM needs some money”, she argues, referring to the agency’s massive data breach in 2015. With agencies required to turn their FISMA reports in to Congress each year, we know which ones need an extra cybersecurity focus, she explains. “Get the funding over to those agencies and say ‘where do you have common problems?’ Let’s develop a solution”, she recommends.

Incidentally, Obama’s government issued a policy on sharing federal source code between agencies and releasing some of it as open source, although this policy has been deleted from the White House website by the current administration.

Amit Yoran, chairman and CEO at Tenable Network Security, was the national cybersecurity director at the DHS from 2003-4. Unlike Westby, he believes that cybersecurity is a top priority for this administration, and sees signs in the draft executive order that it will hold agencies accountable for it. Nevertheless, he says, you can’t just throw money at a problem to fix it.

“Prioritizing security needs to be set culturally at the very top of an organization and permeate across its entire culture,” he says. “There’s a huge difference between those that believe in the importance of their security program, and those that give it lip service and just meet their compliance minimums.”

Let’s be fair, says Westby: the Trump administration has only been in office for two months (at the time of writing). It takes time to organize these things, but his other cybersecurity-related distractions are not making it any easier.

Of note was a report by the New York Times in January that Trump was tweeting from an unsecured Android phone, and a later revelation that VP Mike Pence had used a personal AOL account to conduct state business while serving as Governor of Indiana. When it was hacked, Pence simply set up another account, the report said.

Most recently at the time of writing, Trump caused a rift with the UK government by accusing it of helping in an alleged wiretapping campaign against him, organized by the former administration.

Herb Lin, senior research scholar for cyber policy and security at Stanford’s Center for International Security and Cooperation, worked on the NIST Commission on Enhancing National Security report. He says that such distractions take away from an already difficult job.

“Anybody has limited bandwidth. There’s only 24 hours in a day,” he says. “[If] they’re distracted by a bunch of things, they won’t be able to pay good attention to the things that they need to be paying attention to.”

The chances are that things will have moved ahead dramatically by the time this article goes to print. The final executive order may be out, and there may be yet more scandals as a tempestuous President, prone to unpredictable public outbursts, muddies the waters further still. Let’s just hope that his advisors keep him in check – and don’t go off the rails themselves. Kellyanne Conway, current Counselor to the President, must be cringing over her suggestion that microwave ovens can turn into cameras. Or perhaps not. Honestly, with this shipful of loose cannons, it’s difficult to imagine just what they’re thinking.