It seems like an age since President Donald Trump took office. A turbulent presidency has seen an army of senior officials publicly hired and fired, often in real time via Twitter. A series of investigations, controversial foreign trade wars and public disagreements – not to mention a shutdown of government – with a mercurial President have been a major distraction. Against this chaotic backdrop, how has the administration fared in addressing the ongoing issue of cybersecurity?
“I think we’ve seen very weak and inconsistent attention to cybersecurity,” says Jody Westby, head of cyber-risk management company Global Cyber-Risk, who advised the Department of Homeland Security on cybersecurity research and development for eight years. “The talk doesn't match the walk.”
There has certainly been a lot of talk. There was an Executive Order, originally planned for January 2017 and eventually released in May that year, calling for reports from various quarters of government on their cybersecurity preparedness. Those reports are all now in. They informed a cybersecurity strategy released around 18 months later that took a more offensive stance to cyber-attacks while also calling for the modernization of domestic IT systems.
The fiscal 2019 budget seems to crystallize some of these sentiments. Provisions include $1bn to modernize Federal IT systems and $95m to help the DoE’s Office of Cybersecurity, Energy Security, and Emergency Response to help secure the electrical grid.
“We've seen very weak and inconsistent attention to cybersecurity”
Where’s the Leader?
That all sounds promising, but the most pressing question is: who will lead it? Perhaps one of the biggest shocks to the system came with the elimination of a discrete cybersecurity position altogether from the National Security Council (NSC). The Council, a Truman-era creation that advises the President on all security matters ranging from domestic and military to foreign policy, is a key coordinating tool for managing security policies across the different agencies.
UN Ambassador John Bolton, who Trump appointed as his national security advisor in April 2018, immediately demolished the Council’s existing cybersecurity control structure. He pushed homeland security advisor Tom Bossert out of the White House within a couple of days. His deputy Rob Joyce left his job as national cybersecurity coordinator within a month, and Bolton scrapped the position.
The move rolled back a growing emphasis on cybersecurity in the executive branch that began in 2001, when George W. Bush appointed Richard Clarke as a special advisor to the President on cybersecurity. Then, in 2008, his administration formed the National Cybersecurity Center to focus on domestic cybersecurity issues.
When the Obama administration finally created an official national cybersecurity coordinator position and appointed US CERT chief security strategist Howard Schmidt to the job, it was the first time that the White House had concentrated broad control of cybersecurity across all government networks and both national and international cybersecurity strategy in a single person.
Removing the role effectively gives control of the national cybersecurity strategy to Bolton, who has next to no experience in these matters compared to Joyce, who ran the NSA’s main network intrusion unit. It creates a vacuum in cybersecurity leadership at the time when the US needs it most, said critics.
These critics included House Representative Jim Langevin, co-founder of the Congressional Cybersecurity Caucus, who co-sponsored a bill – the Executive Cyberspace Coordination Act of 2018 – to create a National Office for Cyberspace within the executive branch separate from the NSC. The proposal has gone nowhere, at the time of writing.
The move didn’t leave the NSC completely bereft of cybersecurity expertise; it has two senior cybersecurity directors. Grant Schneider became federal CISO in July. Josh Steinman was reportedly aggressive about trying to take Joyce’s job.
The White House has stated that with these two advising, cybersecurity is now a “core function” of the President’s national security team. Herbert Li, senior research scholar for cyber policy and security at Stanford, disagrees.
“The only way to get attention paid to a specific issue is to designate someone to be in charge of it,” he says. “There’s no one person whose job it is to pull everything together as the coordinators did.”
“There’s no leadership at the top,” laments Westby, adding that it makes things difficult for the US to talk in multinational fora like the UN, or in their interactions with the EU or the OECD or any other of the multilateral bodies. “That significantly handicaps us in our foreign policy and in the decisions that are being made in those multinational bodies,” she says.
“It's possible that things are going to get worse before they get better”
Being More Offensive
This is not an administration that cares much for global collaboration. President Trump’s aggressively isolationist ‘America First’ strategy has seen him turn away from landmark multinational agreements including the Paris Accord. A few months after changing the guard at the NSC, the Administration took several measures to roll back checks and balances on international cybersecurity policy and adopt a more hawkish tone.
The shift began with a classified presidential document that rolled back Presidential Policy Directive 20 (PPD-20), a 2012 Obama-era document that formalized the rules of engagement for offensive cyber-attacks on other nations. Some criticized PPD-20 for introducing too many obstacles and requiring too much inter-agency collaboration. The new rules were classified but reportedly went the other way, delegating much of the decision making to field commanders.
“The State Department and Department of Defense (DoD) have different objectives and they’re hard to reconcile,” says Lin. “What you’re effectively doing is giving the military a final say and State Department be damned.”
The following month, the Administration launched its National Cyber Strategy, which explicitly called out Russia, China, Iran and North Korea for cyber-attacks and pledged “swift and transparent consequences” to deter further attacks. The DoD released its own strategy during the same month, pledging to “employ offensive cyber-capabilities and innovative concepts that allow for the use of cyberspace operations across the full spectrum of conflict.” This came just months after US Cyber Command announced its intention to “defend forward” with offensive cyber-operations.
The efficacy of this approach depends on one’s point of view. On one hand, as Westby points out, China and Russia articulated their cyber-offense approaches long ago. “We’ve really lagged behind so I thought it was a positive move,” she says. Attacks like the 2015 Office of Personnel Management breach, attributed to Chinese hackers, highlighted the urgency of the problem.
On the other hand, the Administration’s ability to muster support and consensus on a domestic level seems sorely lacking. Seven members of Trump’s 27-member National Infrastructure Advisory Council resigned in 2017, citing both an inattention to cybersecurity and Trump’s remarks after the clashes between protestors and neo-Nazis in Charlottesville. “Your actions have threatened the security of the homeland I took an oath to protect,” the resignation letter said. This came just days after the NIAC published a damning report warning of a closing window to avert a cyber-9/11 incident.
As with so many things in this Administration, ideas that sound good on paper can quickly dissolve in the caustic environment of Washington politics, where consensus and collaboration underpin everything. Even those ideas that survive can take years to produce results, points out Lin: “It’s possible that things are going to get worse before they get better. You can’t necessarily measure the effectiveness of a strategy in short timeframes.”
Even with the wisest, calmest heads at the helm, building and executing a national cybersecurity strategy has proven to be a slow, laborious process, points out long-time cybersecurity commentator Richard Stiennon, founder of analyst company IT-Harvest.
“I’ve been waiting 10 years now since Obama was first elected for an indication that there’s a leader that understands how you get down into the weeds and fix this problem at the individual agency level, and that just hasn’t happened,” he says.
Stiennon worries that previous administrations’ shortcomings, combined with the current leadership vacuum at the top, will set the US cybersecurity effort back 12 years.
“The best scenario is that we continue with major breaches like OPM. All the emails in the Pentagon and the joint chiefs of staff read by an adversary,” he says. In a worst case scenario, you could have “someone who has a terrorist mentality of causing damage for the sake of causing damage. Then you can be facing a shutdown of government services, the destruction of the VA’s records, the breaking of the social security network and creating distrust in IRS computer systems. It just goes on and on.”
With two years left before the next election, the current Administration still has much to prove when it comes to protecting America’s interests in cyberspace.
