Kirstjen Nielsen’s departure this month will hurt the Homeland Security department’s cybersecurity efforts, according to a majority of experts surveyed by The Cybersecurity 202.
“We’re in the middle of cyberwar with no general at the helm,” said Jay Kaplan, the founder of the cybersecurity company Synack.
He was among the 59 percent of respondents to The Network -- an ongoing, informal survey of more than 100 cybersecurity experts from government, academia and the the private sector -- who worried about the impact of Nielsen's ouster as DHS faces many significant digital challenges. These include protecting the 2020 elections from Russian hacking and disinformation campaigns, protecting next-generation 5G wireless networks against digital threats from China and elsewhere, and securing critical infrastructure such as energy plants, hospitals and airports. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)
Nielsen — who was forced to resign because President Trump was dissatisfied with her handling of the border — had, by far, the longest cybersecurity resume of any DHS secretary and was lauded by many security pros for her efforts to prioritize digital security.
“Cybersecurity talent at Kirstjen's level is unique, and someone with government policy experience is even more scarce," said Mark Weatherford, a former DHS cybersecurity official now global information security strategist at Booking Holdings. "This is another huge blow to our nation's momentum in the cybersecurity arena and the effects with be felt even more broadly on the international stage."
“Kirstjen Nielsen elevated cybersecurity as a critical priority for DHS and her departure will, at a minimum, be disruptive to those efforts," added Steve Grobman, McAfee's chief technology officer.
Several experts feared Nielsen's successor would be focused on implementing Trump’s hard-line border priorities at the expense of other missions, including cybersecurity.
“It seems likely the White House will choose a nominee focused on immigration issues with no background or particular interest in cybersecurity,” said Suzanne Spaulding, who led DHS’s cybersecurity division under President Barack Obama.
Kaplan, who served in the NSA and Defense Department, said Nielsen's departure showed “Trump’s perception of DHS is that they should be focused on building border walls, not protecting the nation from cyberattacks."
Former State Department cyber coordinator Chris Painter worried “cyber will be lost in a sea of other priorities, particularly as DHS appears to focus primarily on immigration alone.’’
Jay Healey, a former White House cybersecurity official who is a senior research scholar at Columbia University, put it bluntly: “Clearly any replacement for [Nielsen] will be hired for their loyalty to the president and a commitment to a hardcore immigration policy. Any secretary who takes that job will be highly motivated to ignore all of the DHS missions except immigration.”
Some experts lamented the collective loss of cybersecurity talent from the Trump administration. Tom Bossert, a cybersecurity-savvy White House homeland security adviser, and Rob Joyce, the White House cybersecurity coordinator, left last year. And Joyce's White House role was eliminated when he returned to work at the National Security Agency.
This drumbeat of exits is likely to diminish the government’s overall focus on cybersecurity, said Jamil Jaffer, a former George W. Bush administration official who is the director of George Mason University Law School’s Homeland and National Security Law Program.
“It's not just Nielsen's departure, but the lack of leadership overall” that will damage DHS cybersecurity, added Betsy Cooper, a former DHS policy adviser and director of the Aspen Institute’s Aspen Tech Policy Hub.
Nielsen advised Bush on cybersecurity and homeland security issues, founded a cybersecurity-focused consulting group and served as a senior fellow at George Washington University’s Center for Cyber and Homeland Security. The acting director who will replace her, former Customs and Border Protection chief Kevin McAleenan, by contrast, has no professional background in the field.
Nielsen’s departure will make it harder to advocate for cybersecurity issues at the Cabinet level, said Michael Daniel, a former White House cybersecurity coordinator.
“It also makes proposing larger policy shifts or legislation much more challenging,” said Daniel, who leads the Cyber Threat Alliance information-sharing group.
Yet 41 percent of Network experts did not think Nielsen’s departure would damage DHS’s cybersecurity mission. Many pointed to lower-ranking cybersecurity officials and career staff who they said could carry on the mission without her.
“The professional staff under Chris Krebs is capable of executing the mission so long as they have top cover and congressional support,” Accenture Security Managing Director Anup Ghosh said of DHS's Cybersecurity and Infrastructure Security Agency drector. “Any Cabinet executive ignores [the] cybersecurity of the nation at their own peril.”
Jeff Greene, Symantec's vice president for global government affairs, also cited “strong leadership” from Krebs and his staff who “should be able to keep driving [the mission] forward.”
And Luta Security CEO Katie Moussouris noted that “as with most organizations, the work on the ground determines success or failure … despite top leadership changes.”
Other experts, however, said Nielsen’s departure wouldn’t damage DHS’s cybersecurity mission because that mission wasn’t doing very well even under her leadership.
“Nielsen's departure is another sad indication that the government lacks the will to make real cybersecurity and safety improvements,” said David Brumley, who directs CyLab, a Carnegie Mellon University security and privacy institute.
Sascha Meinrath, a Penn State University professor who runs X-Lab, a tech and policy incubator that focuses on aiding Internet freedom and privacy, went a step further.
“The lack of a coherent and logical cybersecurity strategy … means that Ms. Nielsen's departure will not meaningfully affect national cybersecurity,” Meinrath said. “And since DHS has focused on a number of fool's errands regarding cybersecurity, whether her departure impacts DHS's efforts is largely irrelevant to the integrity of U.S. communications and data systems.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
— More responses to The Network survey question on whether Nielsen's departure will damage DHS cybersecurity efforts:
- YES: “It will probably be a long time before we have a future DHS Secretary that has the cybersecurity credentials of Kirstjen Nielsen. It seems like a missed opportunity that more progress wasn't made under her tenure.’’ — Chris Wysopal, a longtime cybersecurity researcher and Veracode founder
- NO: “It seems logical to conclude that the changes at DHS signal the president's focus on and prioritization of border security and immigration policy at DHS. Whether this will practically impact CISA's work and mission remains to be seen.” — Niloofar Razi Howe, Recorded Future board member and former RSA chief strategy officer
- NO: “Secretary Nielsen was a significant advocate for quality cyber relationships between industry and government — but businesses are accustomed to change in any administration. Much operational experience and leadership continue to reside at the Cybersecurity and Infrastructure Security Agency (CISA).” — Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce
- YES: “CISA has strong, competent leadership, and it will continue on as before, but Secretary Nielsen's personal interest and background in cybersecurity meant that CISA's leaders had well-informed top cover for new initiatives.” — Stewart Baker, former DHS assistant secretary for policy and former general counsel for the National Security Agency
- NO: “This isn't about people; it's about priorities. As long as dated concepts of border security dominate the DHS agenda, it matters much less who sits in what office.” — Steve Weber, founder and director of the Center for Long Term Cybersecurity at the University of California at Berkeley
- NO: “A change in DHS leadership does not hurt, necessarily, the department's cybersecurity efforts. The real issue the department has to face is the priority it accords cybersecurity.” — Sam Visner, director of the National Cybersecurity Federally Funded Research and Development Center, managed by the Mitre Corporation.
PINGED: The wild story of Yujing Zhang, the Chinese citizen arrested at President Trump’s Mar-a-Lago resort allegedly carrying a malware-infected thumb drive got even more outlandish Monday when an assistant U.S. attorney revealed that thumb drive might not have had malware on it after all.
Here’s the story from my colleagues Lori Rozsa and Mark Berman: “While officials have said that Zhang was arrested carrying a thumb drive with malicious software, [government attorney Rolando Garcia] said Monday that appeared to be a ‘false positive.’ ”
“At a hearing last week, Secret Service agent Samuel Ivanovich had testified that when agents inserted the thumb drive into a computer, ‘a file immediately began to install itself.’ But on Monday, Garcia said officials could not replicate the malware problem on a second computer.”
During that hearing, U.S. Magistrate Judge William Matthewman denied Zhang’s request to be released on bail citing the risk she'd flee to China, Lori and Mark reported. It seemed that “Ms. Zhang was up to something nefarious,” when she entered Mar-a-Lago, Matthewman said. He called the fact she was caught with numerous other electronic devices in addition to the thumb drive "especially troubling."
The U.S. attorney’s office for the Southern District of Florida and the Secret Service both declined to give me comment on Garcia’s testimony. The Secret Service previously defended its investigation of the alleged malware, saying it followed appropriate procedures and never exposed the device to Secret Service networks.
PATCHED: U.S. officials will take a new, “softer” approach to urging allies to restrict Huawei from their 5G networks at a meeting in Prague next month, Reuters reporters Christopher Bing and Jack Stubbs report.
“U.S. proposals for the Prague meeting urge governments and operators to consider the legal environment in a vendor’s country, how much state support a company receives, transparency of corporate structure, and trustworthiness of equipment,” Bing and Stubbs report. “It also calls on partners to prioritize security and work together on investigations into cyberattacks aimed at 5G architecture.”
Officials from more than 30 countries will attend the Prague meeting May 2-3 “to agree on security principles for next-generation telecoms networks,” but Russia and China won’t be among them, according to Reuters.
The U.S. proposal doesn’t mention Huawei by name, “but U.S. officials said they hoped it would provide the ‘intellectual framework’ needed for other countries to effectively bar Chinese vendors” that U.S. officials fear will spy for Beijing.
PWNED: Prosecutors released a detailed affidavit Monday in their case against WikiLeaks founder Julian Assange -- but there's no evidence in the affidavit "beyond chat logs first used to convict [Chelsea] Manning of espionage and other crimes in 2013," as my collegue Rachel Weiner reported.
The biggest reveal is that the government doesn’t know whether Assange succeeded in the act that’s at the center of government charges against him — helping Manning crack an encrypted password that would allow her greater access to military secrets.
Here’s cybersecurity researcher Robert Graham on why Assange probably wasn’t successful at cracking the password:
1/ BTW, we are pretty sure Assange could not crack the password. It's been public for 8 years and we, the entire community, haven't been able to crack it. https://t.co/ky0TwNCCoM— Robᵇᵉᵗᵒ Graham (@ErrataRob) April 15, 2019
Cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Cybersecurity news from abroad: