When President Trump took the oath of office in January 2017, cybersecurity industry officials were anxious — to put it mildly.
They feared that the outsider president — who’d already called on supporters to boycott Apple when it refused to help the FBI crack into its own encryption — might go to open war with the cyber and tech companies whose help he needed to secure the nation.
Most importantly, they lamented how the incoming president refused to accept intelligence agencies’ conclusion that Russia was responsible for a hacking and influence operation that upended the election that brought him to office. They feared Trump, who famously suggested a lone 400-pound hacker could have been responsible, would stop naming and shaming the nation’s greatest foes in cyberspace.
What a difference two years can make.
Cybersecurity industry leaders and former government officials are now heaping praise on the Trump administration’s digital security policies, describing them as smart and measured.
In fact — from how the government protects its own networks and critical infrastructure to how it cooperates with allies — experts at the RSA conference said the best word to describe Trump cybersecurity policy is continuity.
“It’s so remarkable I almost don’t want to call it out — the consistency you have [in cybersecurity policy],” Ryan Gillis, vice president for cyber strategy at Palo Alto Networks, told me in San Francisco.
Kiersten Todt, a former White House official, directed an Obama-era cybersecurity policy commission tasked with making recommendations to the next presidential administration. Two years later, she said, it’s striking how many of that commission’s recommendations — from addressing the threat of botnets to surging cooperation between government and the private sector — are being put into effect.
“Whatever your feelings about how other things are being managed in this administration, on the cybersecurity side we’ve seen significant and thoughtful progress,” Todt told me.
And the Trump team’s main break with the Obama administration — a pivot to more offensive hacking operations to punish nations that target the United States in cyberspace — has generally been popular with cybersecurity experts. Many have said stepping up offensive operations will deter attacks, and even cheered how the Trump administration acknowledged a digital strike during the 2018 elections that disabled the same Russian troll farm that managed influence operations during the presidential contest.
Trump's strategy is also not quite as much of a break from former President Barack Obama's as it might seem, said the previous White House cybersecurity coordinator Michael Daniel. “If you look at the operations they’ve actually acknowledged, they’ve been fairly judicious and they’ve been pretty clearly in our national interest,” said Daniel, who’s now president of the Cyber Threat Alliance information-sharing group.
You don’t have to look far to see other examples of this continuity.
The Obama administration indicted government-linked hackers in China and Iran and sanctioned Russian and North Korean entities for supporting disruptive hacks against U.S. targets. The Trump administration has handed out indictments and sanctions targeting the same four regimes.
Under Obama, DHS officials pushed for a new law that would rename the department’s main cybersecurity agency and give it more operational control over government cybersecurity. That bill passed during the Trump administration.
Even the encryption debate — which might have been a divisive topic given Trump’s hammering Apple on the campaign trail — has not caused any major disruptions. FBI Director Chris Wray and other law enforcement officials continue to warn against warrant-proof encryption in major speeches, but the topic largely hasn’t been picked up by the White House.
To be sure, there have been rough spots. Trump continues to waver on whether Russia was solely responsible for the 2016 operation, and he notably returned from his first summit with Russian President Vladimir Putin the following year with a widely panned plan to cooperate on election security.
“Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded..” — Donald J. Trump (@realDonaldTrump), July 9, 2017
Sen. Lindsey O. Graham (R-S.C.) described that plan as “not the dumbest idea I've ever heard, but it's pretty close.” The plan was scrapped shortly after.
Trump’s comments and public wavering, however, have had little impact on his administration's broader cybersecurity policy.
Todt said a handful of top administration officials who worked with Obama holdovers and career federal employees during the early months of the Trump administration deserve credit for setting a clear and continuous path on cybersecurity policy. Her list includes Chris Krebs, who leads the DHS's Cybersecurity and Infrastructure Security Agency; Energy Department Assistant Secretary for Cybersecurity Karen Evans, who was part of the Trump transition team; and Tom Bossert, who was formerly the president’s top homeland security adviser.
Daniel suggested the continuity is largely possible because cybersecurity policy is being ignored by more partisan figures higher up in the administration.
“It certainly doesn’t have the same degree of importance [at the White House] as it did under the Obama and Bush administrations,” Daniel told me.
An industry cybersecurity leader echoed Daniel’s analysis and pointed to Vice President Pence's remarks at a DHS cybersecurity summit in New York. The event, where the agency unveiled a new “risk management center” focused on tackling long-term cybersecurity threats, emphasized unity and cooperation with industry. Yet Pence's speech savaged the Obama administration for being weak and feckless in cyberspace — a remarkable shift in tone.
The summit “was a great example of how people from inside the government and outside the government, with current and past government experience, all continue to operate together on these problems separate and aside from politics,” the industry official said.
“Then Vice President Pence came in,” said the industry official, who spoke on condition of anonymity because they were not authorized to comment publicly about relations with government officials. “He picks up on the same sort of lines the president often uses — ‘we were given a mess to fix’ — and half the audience were people who worked on Obama’s cybersecurity. I can imagine the air sort of goes out of the room. It’s not in line with the way people who are actually working on these problems think about them.”
PINGED: The Trump administration requested $9.6 billion for Defense Department cybersecurity priorities in its annual budget request Monday — an approximately 11 percent hike over the previous year — that the budget document said would “grow the capacity of U.S. military cyber forces,” and “maintain the highest cybersecurity standards at DOD.” Here’s more on the proposed funding hike from Fifth Domain’s Mark Pomerleau.
The budget request also called for “more than $1 billion for DHS’s cybersecurity efforts,” but didn’t provide a specific figure and DHS hasn’t released a more detailed budget document. The proposed DHS funding would allow the department to “hire at least 150 new cybersecurity employees” and to conduct more digital risk assessments, including of state and local election systems, the budget states.
Administration budget requests set out broad budget goals, but are generally just advisory for the House and Senate Appropriations committees, which have their own ideas about how federal money should be spent. Here’s a helpful historical breakdown of cybersecurity funding across the government from Third Way, a national security-focused think tank.
PATCHED: Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) reintroduced a bill aimed at improving the cybersecurity of Internet-connected technologies ranging from connected cars and medical devices to cameras and speakers. Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Tex.) introduced a companion bill in the House.
The bill, which Warner and Gardner introduced in 2017, would require the Commerce Department to write voluntary standards for how industry can securely develop and maintain those devices, but would mandate that government agencies and their contractors abide by those standards. It would also urge “Internet of Things” manufacturers to cooperate on finding and alerting people about hackable computer bugs in their products.
Internet of things devices are expected to proliferate over the next decade as the United States and other nations transition to ultra-fast 5G wireless networks. Cybersecurity experts fear the devices could be seized by hackers or their computing power could be harnessed into an army of zombie computers known as a botnet. The 2016 Mirai botnet attack, which disrupted major websites including Twitter and Netflix, was partly powered by such connected devices.
PWNED: The Trump administration is warning Germany that it might have to limit intelligence sharing with its longtime ally if it allows the Chinese telecom giant Huawei to construct parts of its next-generation 5G networks, the Wall Street Journal’s Bojan Pancevski and Sara Germano reported.
The stern warning to one of the United States’ closest European intelligence partners would mark a major escalation in U.S. efforts to keep Huawei out of global 5G networks because of concerns the company could be used as a platform for Chinese spying. The news was delivered in a letter to Germany’s economics minister from U.S. Ambassador to Germany Richard A. Grenell, the Journal reported.
- The House Armed Services Committee’s emerging threats panel hearing on the U.S. Cyber Command budget request.
- The House Appropriations Committee’s DHS panel hearing on securing federal networks and state election systems.
- The Senate Small Business Committee hearing on the cybersecurity threat to small businesses.