As we move into 2017, cybersecurity concerns continue to escalate. This past few months, we’ve seen some scary incidents, such as the Oct. 21 distributed denial of service (DDoS) attack on the DNS services at Dyn that used IoT devices like home routers and cameras as a botnet. Oh, and the last few months of the U.S. presidential election featured data breaches of the DNC and Clinton campaign manager John Podesta’s email and the subsequent posting of this information on WikiLeaks.
It's pretty alarming, and it doesn’t appear things will get better anytime soon. This begs the question: What type of cybersecurity response can we expect from President Donald Trump’s administration?
Of course, no one knows, but based on what we know from the candidate and the campaign, President Trump’s cybersecurity policy looks uninformed, misguided and elementary so far.
Let’s start by looking at what the incoming President said on the campaign trail first:
- Trump continually denied that Russia was behind the DNC data breach. During one debate he stated, “…I mean it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK?” U.S. intelligence professionals (and many of the security researchers I know personally) are pretty darn convinced that the Federal Security Service of the Russian Federation (FSB) was behind the hacks.
- On the campaign trail, Trump continually praised WikiLeaks and referred to the emails exposed on WikiLeaks to his advantage, even though these emails were obtained illegally. That’s sort of like praising Jeff Gillooly because you thought Nancy Kerrigan was a bit too smug.
- Although Trump did deliver one cogent speech on cybersecurity, it was pretty clear from his day-to-day statements that he doesn’t understand it. At the first debate, Trump rambled about cybersecurity: “It (cybersecurity) is a huge problem. I have a son, he’s 10 years old. He is good with computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable. But I will say, we are not doing the job we should be doing.” Huh? What did that mean?
OK, so Trump doesn’t know cybersecurity, but no one who voted for him seemed to care. So, maybe now that he’s the President-elect, he will surround himself with the right people and put together a coherent strategy, right?
Alarmingly, there is no evidence of this so far. Trump does have a cybersecurity "vision" statement on his website, however, stressing that he plans four things:
1. Order an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure. For a guy whose message is change, this exercise is right out of the mainstream Washington playbook. We’ve already audited and studied cybersecurity to death! It’s time for action, not more blue ribbon panels.
2. Create a joint task force to fight cyber-crime. While this effort can certainly be improved, the feds are already working with states and local law enforcement and have been doing so since the George W. Bush administration. Nothing new here.
3. Provide recommendations for enhancing U.S. Cyber Command. Trump is calling on military leaders to provide input and ideas for bolstering military cyber operations. Again, this type of effort has been a work in progress for the past 12 years. Are there new ideas? Sure, but we are probably already exploring them.
4. Develop more offensive cyber capabilities. Trump wants to deter attacks by both state and non-state actors and, if necessary, to respond appropriately. OK, but the U.S. already has some of the best offensive capabilities (remember Stuxnet?). Besides, the stakes here are pretty grim. We take out websites or servers, they launch a DDoS attack on critical infrastructure—not a very good tradeoff.
Aside from the fact that there’s nothing new here, Trump’s “vision” ignores the biggest cybersecurity issue of all—improving our cybersecurity defenses. What will he do here? Who knows.
Note to the incoming administration: Cybersecurity issues need to be a top priority from day one. I strongly suggest that President Trump consult with government and private sector cybersecurity experts as soon as possible and move beyond its current myopic and embarrassing vision. Remember, American critical infrastructure, businesses and individuals are vulnerable to attack and citizens are looking for the President’s leadership to mitigate risk in this area.