In the fall of 2008, a bipartisan group of cybersecurity experts delivered some sage advice to Barack Obama, set to become president in January: “Don’t start over.” That group, organized by the Center for Strategic and International Studies, made a strong and persuasive case that the Obama Administration needed to build from the progress that the Bush Administration had made. Specifically, the new team needed to follow through with the Comprehensive National Cyber Initiative (CNCI), which began the previous winter.
It was good advice. The tendency to discount the value of anything done in the previous administration runs high in Washington, particularly after a contentious election. Yet on cybersecurity, a rough bipartisan consensus has developed in the two decades since President Bill Clinton signed Presidential Decision Directive-63. That document outlined the public-private partnership that has been the bedrock of U.S. cyber policy for 20 years.
Over time, that approach has been tested and challenged, and no alternative has been found. Solutions that would take responsibility away from the private sector and make cybersecurity a government mission alone have been found wanting. Any effort to interpose government between the private sector and the network they rely on to reach customers and conduct business will be a cure worse than the disease. After a failed attempt at expanding regulation threatened to split apart that partnership, the Obama administration focused on finding ways to work with the private sector that were less adversarial.
President Donald Trump’s new cyber team would be wise to pick up where the Obama team left off. Many who served in the Bush administration will see elements of programs they started alive and well today. Trump, a master at branding, can chalk up big wins on cybersecurity by simply rebranding many of the initiatives that the Obama Administration began. If he can also convince Congress to start spending, he will be able to make progress in a host of areas where Obama could not.
The Trump team should start with a federal agency for cybersecurity. Taking a “not on my watch” attitude to the kind of breaches that occurred in the Obama administration, Trump should move quickly to finish implementation of the programs kicked off under the Cyber National Action Plan.
Getting Congress to sign off on the IT Modernization Fund to speed the replacement of antiquated and vulnerable federal computing systems should be an easy sell in a friendly Congress. The Trump team should also build out the vision for shared services and networks for small agencies, something that will take an infusion of cash up front but will reduce costs over the long term.
To better defend federal civilian agencies and assist with the private sector, Trump should work with his allies in Congress to create a civilian cybersecurity agency within the Department of Homeland Security as proposed by Chairman of the House Homeland Security Committee Mike McCaul (R-TX) earlier this month.
If the Trump team really wanted to stick its thumb in the eye of the outgoing administration, it could say nasty things about how the Obama administration did not do enough for the 22 million Americans who had their personnel records stolen from the Office of Personnel Management. It could then launch a free program to provide the victims a trusted identity solution based on one of the many successful pilots to come out of the National Strategy for Trusted Identities in Cyberspace.
Working with the private sector, Trump needs to ensure that his cybersecurity team completes the work of enhancing the mechanisms for sharing cybersecurity information. Programs such as Enhanced Cybersecurity Services and Automated Indicator Sharing as well as the network of Information Sharing and Analysis Organizations require a real boost in time, attention and resources.
Internationally, the Trump team needs to keep the pressure on China to maintain its commitments to stop stealing intellectual property from U.S. companies. That task may be made more difficult if disputes over trade lead to a deteriorating relationship more generally. However, the playbook left by Obama’s team for how to handle China—by threatening its great-power status and market access—will continue to work if applied judiciously.
The harder challenge will be how to handle Russia. The current honeymoon with Putin is unlikely to last as U.S. and Russian interests will inevitably clash. Anyone who thinks otherwise should recall that it was none other than Hillary Clinton who tried to orchestrate a “reset” with Russia in 2009.
No matter what his hopes are for better relations with the Kremlin, Trump needs to demonstrate that the United States will not tolerate interference in our election process. Even if there is no truth to the dossier released by BuzzFeed, Trump should fear that Russia or other countries might try to do to him what was done to Clinton in 2016. The Obama Administration has begun to implement a response to Russia’s meddling in U.S. elections that Trump would be wise to continue and build on.
The Trump team should no doubt develop its own strategy for securing the nation in cyberspace but, in doing so, it should build on the many successes and lessons learned from Obama’s eight years of grappling with these issues.