President Donald J. Trump’s Administration has suggested massive overhauls in a number of policy areas, but few have remained as shrouded in uncertainty as Trump’s vision for the future of cybersecurity. All that is known is through Trump’s statements that attribution is hard, China spies for economic purposes, the private sector is key, the military should play a central cybersecurity role, and that a Cyber Review Team will conduct a comprehensive inspection of the country’s cybersecurity posture within the first three months of taking office. And, of course, that Russia was behind the Democratic National Committee breach.
Over the last eight years, the Obama Administration has worked to better secure the nation’s cyberspace, but while strides were made in building policy and institutional resources to address the growing perils of our digitally connected world, many experts would agree that the threats have outpaced countermeasures. Never before has the country been so vulnerable to the ebb and flow of numeric data traversing the globe.
So where are these vulnerabilities in cyberspace and what lessons can be derived from past incidents? Most importantly, what should the Trump Administration do to close the gap between the quickly evolving capabilities of attackers and the country’s ability to defend its commercial networks, critical infrastructure, and democratic integrity?
Starting from square one under the new Administration would be devastating to national security—we are already playing catch-up with attackers and time is of the essence. Therefore, it is important to begin with the progress already made by the Obama Administration, which has laid the foundation the Trump Administration should build on. The institutional resources for cybersecurity efforts under Obama have been enhanced by his creation of the cybersecurity coordinator role in the National Security Council—a position not yet filled under Trump—that can help orchestrate the varying roles across government agencies.
Rob Knake, the former Director for Cybersecurity Policy at the National Security Council and now Senior Fellow at the Council on Foreign Relations, agrees, suggesting “President Donald Trump’s new cyber team would be wise to pick up where the Obama team left off,” and if Trump “can also convince Congress to start spending, he will be able to make progress in a host of areas where Obama could not,” possibly most urgently with the modernization of the antiquated federal IT networks that provided a window of opportunity for breach of the Office of Personnel Management, compromising the personal information of 22 million federal employees, many with security clearances.
The Obama Administration largely focused its efforts on information sharing mechanisms through the Department of Homeland Security—intentionally a non-intelligence, non-law enforcement, and non-military body—to not only coordinate efforts across the government with the purpose of securing federal networks, but also to engage with the often reticent multinational private sector, to which much of the vulnerable attack surface, including critical infrastructure, belongs.
Gilman Louie, founder and former CEO of In-Q-Tel, suggests that one of the most important considerations for the Trump Administration will be “which agency should be put in charge, what authorities and resources it should be given, and how will it execute its mission.” He argues that “the best approach is to strengthen DHS by taking three critical steps: define and focus the DHS cyber mission; create the National Cybersecurity Agency as an independent, operational component at DHS, and strengthen other key agencies such as the State Department, FBI, Commerce Department and the Intelligence Community.”
Another major foundation built by the Obama Administration was stemming the economic cyber espionage conducted by China to steal intellectual property and gain insight into trade negotiations for competitive advantage. This first began with the indictment of five members of the Chinese military for conducting economic cyber espionage in May 2014. Then Obama signed an executive order in April 2015 giving the Department of Treasury the authorities to impose sanctions on individuals and entities determined responsible for, or complicit in, cyber-enabled activities that threaten U.S. national security or economic stability. The threat of economic sanctions—previously imposed on North Korea following the Sony hack—led to an agreement with China to halt economic espionage. While some activity persists, the level of economic cyber espionage emanating from China has greatly reduced.
Knake argues that “the playbook left by Obama’s team for how to handle China—by threatening its great-power status and market access—will continue to work if applied judiciously” by the Trump Administration. However, Russia presents a more difficult challenge in light of its breach of the DNC—likely through criminal proxies—and the subsequent influence campaign throughout the U.S. presidential election season. The April 2015 executive order was updated at the end of last year to include interference in U.S. democratic systems, giving the Department of Treasury the authorities to impose targeted sanctions on Russian intelligence agencies and their leadership in response.
Knake points out that “the Obama Administration has begun to implement a response to Russia’s meddling in U.S. elections that Trump would be wise to continue and build on.” At the same time, Louie maintains that “changing the behavior of our cyber opponents will require a more serious and sustained effort than anything we have seen to date.” While there is no inherent need to respond to cyber attacks with cyber capabilities, the Obama Administration also oversaw the Pentagon’s push to create U.S. Cyber Command for such offensive cyber operations, which reached its initial operating capacity in October with over 6,000 military cyber operators.
Aside from administrative and institutional reforms, as well as aggressively pursuing a deterrence policy against cyber espionage and covert action by foreign adversaries, the Trump Administration will need to make strides in curbing rampant cybercrime. Large-scale distributed denial of service attacks, data theft, botnets, and ransomware have escalated and require immediate attention. To that end, Louie advocates for developing “measures that impede the monetization of stolen data and credentials, develop techniques that either paralyze the attacker’s infrastructure or divert their resources to defense, accelerate the use of multifactor authentication to reduce anonymity and improve attribution, find better ways to counter and disrupt botnets, and improve cyber hygiene through the creation of standards and performance metrics.” He also advocates for international cooperation through a negotiating vehicle similar to the Budapest Convention on Cybercrime, but one in which Trump “re-engages Brazil, India, and perhaps China by giving them a voice in how cybercrimes should be handled.”
Ultimately, as Knake notes, “the Trump team should no doubt develop their own strategy for securing the nation in cyberspace but, in doing so, they should build off of the many successes and lessons learned from Obama’s eight years in grappling with these issues.”
Levi Maxey is a cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.