What to keep an eye on from Trump’s cybersecurity policy
What does the incoming Trump administration hold for cybersecurity? Predictions—such as those that called for Hillary Clinton to win by a landslide—are notoriously hard to get right. But by looking at previous Trump pronouncements on cybersecurity, experts approached by The Parallax have sounded off on key issues that consumers should keep an eye on in the coming year.
“The first thing he’s going to have to do is make amends with the intelligence community, given that he openly doubted the veracity of U.S. intelligence that Russia was behind these various cyberattacks,” during the campaign, says Greg Garcia, former assistant secretary of cybersecurity and communications under President George W. Bush from 2006 to 2008, and currently executive vice president at Signal Group.
Theresa Payton, the first woman White House chief information officer during the same years as Garcia, and currently the president and CEO of security consulting company Fortalice Solutions, echoed his comments. Trump, she says, should “listen to the team that’s defending the White House infrastructure. He has to make sure everybody has the tools to do their job, and he needs to take the time to listen.”
“If Trump does have better relations with Putin, will he be able to put the brakes on cybercrime coming from Russia?” — Darren Hayes, assistant professor and director of cybersecurity, Pace University
Given Trump’s hateful rhetoric during the campaign, it’s not clear he has the temperament or ability to do that. Backlash against his denigrating comments regarding women, minorities, immigrants, disabled people, gays, Jews, and Muslims has already made it difficult for Trump to fill key cybersecurity roles. And as those positions remain open, cyberattacks against the U.S. government specifically and the country in general are getting worse, according to James Clapper, the director of national intelligence.
“Our primary concern is low- to moderate-level cyberintrusions from a variety of sources, which will continue and probably expand,” Clapper said in January. “They impose increasing costs to our businesses, to U.S. economic competitiveness, and to national security.”
In 2015, Clapper said Russia is the United States’ top cyberthreat, citing both Russia’s Ministry of Defense and “unspecified Russian cyber actors.”
While Trump’s campaign platform calls for an “immediate review of all U.S. cyberdefenses and vulnerabilities,” that’s just what any incoming administration would be expected to say about cybersecurity, says Keith Lowry, who has held several government positions during the Obama administration, including security liaison for the Food and Drug Administration, and chief of staff to the deputy undersecretary of defense for human intelligence, counterintelligence, and security at the Pentagon.
“Cybersecurity and insider threats and all of that have been amplified in this latest election cycle. We, as a government, haven’t gone far enough,” says Lowry, who is currently the senior vice president of business threat intelligence and analysis at security company Nuix. “They need to make this a cabinet-level position: a secretary for cybersecurity.”
Statements by Trump expressing admiration for Russia and President Vladimir Putin may have an unexpected benefit to cybersecurity, says Darren Hayes, assistant professor and director of cybersecurity at Pace University in New York.
“Russian cybercrime is a huge problem,” Hayes says. “If Trump does have better relations with Putin, will he be able to put the brakes on cybercrime coming from Russia?”
Hayes also worries that the cybersecurity hiring crisis that businesses and government agencies currently face could get much worse under Trump. Businesses are estimated to have at least 15 percent of their cybersecurity positions unfilled by 2020, according to an Intel study published last week.
By hiring “people of all kinds of ethnicities, races, and backgrounds” to fill open positions within the federal government, he says, “you expand your competencies—for example, monitoring social media for threats [by being fluent in multiple foreign languages]. If you turn those people off, you increase your risk of missing a threat to national security.”
Threats posed by hacks against the government should force the Trump administration to review how it protects U.S. companies and citizens from cyberattacks, says Sumit Agarwal, a former Google product manager who has held multiple cybersecurity roles at the Department of Defense during the Obama administration. Agarwal, co-founder and COO of Shape Security, was one of the more than 21 million people affected by the security breach at the Office of Personnel Management in 2015.
“When I look at OPM, the failing is really that they are not equipped to go toe to toe with foreign powers,” he says. The departments of Homeland Security and Health and Human Services “need the security abilities from those agencies, but not the control of the intelligence assets.”
Edward Snowden’s leaks and whistle-blowing amplified privacy complaints already dogging the Obama administration. And given that Trump supports the ability of a government agency to force a tech company to decrypt its customers’ devices on-demand for surveillance purposes, experts worry that Silicon Valley might lose its fight over encryption backdoors with Washington.
“While [Trump] has an antiregulatory bent, that’s a regulatory requirement on the tech sector,” Garcia says. “A logical progression of that point of view is that you’d see a more heavy-handed approach to the private sector on cybersecurity.”
“If you’re using WhatsApp or Facebook today, all those messages are being stored on servers in Ireland,” Hayes says. “What’s going to happen with that in a Trump presidency?