with Tonya Riley

President Trump took the nation in the wrong direction on cybersecurity, according to a solid majority of experts polled by The Cybersecurity 202. 

During four years in office, Trump failed to hold adversaries including Russia accountable for hacking U.S. targets, removed experienced cyber-defenders from their posts for petty reasons and undermined much of the good work being done on cybersecurity within federal agencies, according to 71 percent of respondents to The Network, a panel of more than 100 cybersecurity experts who participate in our ongoing informal survey.

The survey concluded before news broke about probably the most significant breach of the Trump administration — a hack linked to the Russian Foreign Intelligence Service, or SVR, that infected at least five federal agencies  — the Commerce, Treasury, Homeland Security and State departments as well as the National Institutes of Health — and probably several others, as well as foreign governments and companies across the globe. 

Yet, the respondents’ comments reflect widespread concern Trump is disinterested in the damage that hack has done to national security, unwilling to take Russia to task and preoccupied instead with his own efforts to sow baseless doubts about his election loss. 

“Much of the work done [during the Trump administration] was weakened by a president who didn’t prioritize cyber-issues and who, in many cases, actively undercut any actions or messaging against our adversaries,” said Chris Painter, the State Department cyber-coordinator under President Obama who also served for several months under Trump until his post was eliminated.

Ari Schwartz, an Obama-era White House cybersecurity official bemoaned that “federal cybersecurity leadership is in total disorder” at the close of Trump’s term. 

Cindy Cohn, executive director of the Electronic Frontier Foundation, warned that any cybersecurity successes during the Trump administration “seemed to occur despite the repeated attempted politicization of the work, not because of any Trump administration leadership or initiatives.”

Jay Kaplan, chief executive of the cybersecurity firm Synack, described the administration’s response to cyberattacks as “rife with confusion, inaction, and plain ignorance.”

Some of the experts’ sharpest criticism was aimed at Trump’s decision to fire Christopher Krebs, who led the government’s election security efforts. 

Trump fired Krebs by tweet after his agency, the Cybersecurity and Infrastructure Security Agency, signed on to a statement vouching for the integrity of the 2020 election, despite Trump’s baseless claims it was riddled with fraud. Krebs also launched a CISA “Rumor Control” page that knocked back phony election fraud claims, including some propagated by the president. 

“Krebs was one of those individuals that was widely trusted outside the government. His firing is likely to reduce the trust shown by the private sector to the government regarding cybersecurity,” said Jake Williams, a former National Security Agency hacker and the founder of Rendition Infosec.

Firing a universally respected infosec leader and making spurious claims about the integrity of election systems couldn’t be more wrong,” said Chris Finan, an Obama-era cybersecurity official who is co-founder and chief executive of Manifold Technology.

That was one of several Trump administration moves that thinned the government's top ranks of cybersecurity experts. Other respondents cited the loss of a White House cyber-coordinator role. 

That job was filled by longtime NSA official Rob Joyce until it was eliminated in 2018 by Trump’s national security adviser at the time, John Bolton.

“Eliminating the White House cyber-coordinator role was a step in the wrong direction,” said Debora Plunkett, a former top NSA official who is now a senior fellow at Harvard University’s Belfer Center.

“From a cybersecurity policy and operations standpoint, firing Chris Krebs, Tom Bossert, and Rob Joyce have put our nation in peril at a time when we need cyber-protection the most,” former NSA official Steve Ryan said, looping in the former homeland security adviser, Bossert, who left his post soon after Bolton took office. Ryan is founder and chief executive of Trinity Cyber where Bossert is now president.

Congress mandated creating an even more powerful White House cyber-director position that will be confirmed by the Senate in a recent defense policy bill, but Trump has threatened to veto the bill because of his objections to that post, among other reasons.

That veto threat “speaks volumes about White House priorities,” said Mark Weatherford, a former DHS cybersecurity official and chief strategy officer at the National Cybersecurity Center.

Some experts criticized the Trump administration for largely ignoring cybersecurity within its top ranks and leaving major work to lower-level officials.

“The general downgrading of the topic in its importance, allowing central coordination mechanisms to atrophy, weakening the State Department’s cybersecurity capabilities, and erratic coordination with allies all headed in the wrong direction,” said Michael Daniel, Obama's White House cybersecurity coordinator who now runs the Cyber Threat Alliance. 

“This administration didn’t understand the importance of cohesion across key government components that make up America’s cyber-defenses,” Luta Security founder Katie Moussouris said.

“Many government agencies, like DHS and the FBI, did great work in advancing election security and other critical infrastructure security over the past four years,” said John Pescatore, director of emerging security trends at the SANS Institute. “But as far as direction from the top, there really was none — no direction is in the wrong direction.”

Other experts warned Trump's own defects fatally undermined his government’s cybersecurity work. 

That included frequent false claims about election security and his unwillingness to criticize Russia or consistently acknowledge intelligence agencies’ conclusions the Kremlin interfered in the 2016 election. 

“The Trump White House’s own cybersecurity practices were notoriously bad, and its unwillingness to acknowledge Russia’s hostile cyberoperations sent a terrible message to U.S. states, localities, and citizens,” said Ashley Deeks, a former State Department official and professor at the University of Virginia Law School.

“Whatever progress someone can point to on any individual cyberpolicy area, the cold hard fact is that, due to Trump, a significant part of the American body politic now believes a repeatedly proven false conspiracy theory. For years to come, it will haunt not just election security efforts, but our broader democracy,” said Peter Singer, a fellow at the New America think tank who has written extensively about information warfare.

To improve digital security takes radical truth-telling,” said Steve Weber, director of the Center for Long Term Cybersecurity at the University of California at Berkeley. “The cultural norm of the Trump administration was the opposite.”

About 29 percent of experts said the Trump administration took the nation in the right direction on cybersecurity.  

But most of them focused their praise on the government’s cybersecurity leaders, including Krebs, Joyce and NSA leader Gen. Paul Nakasone, rather than on Trump. 

The administration took the nation in the right direction, despite the weak leader at the very top,” said Riana Pfefferkorn, a research scholar at Stanford University’s Internet Observatory. 

Suzanne Spaulding, who led DHS cybersecurity efforts during the Obama administration noted that she “barely” came down on the “right direction” side of the question.

Individual departments and agencies continue to mature their capabilities and effectiveness, but the lack of leadership and coordination from the White House has prevented real movement in the right direction,” she said. “The cyber-successes, such as working with state and local election officials on securing the election, do not appear to be attributable to strong leadership from the White House.”

Megan Stifel, an Obama White House cybersecurity official praised CISA for “building trust and capacity with the election community,” and praised the FBI and Pentagon for other developments during the past four years. But she noted that “credit should rest with the heads of the organizational entities.” Stifel is now an executive director at the Global Cyber Alliance. 

Stewart Baker, a former NSA general counsel, gave a more full-throated endorsement of Trump’s cybersecurity record. 

“While the press couldn’t get enough of President Trump’s reluctance to criticize Russia for 2016 election interference and his questioning of the 2020 vote,” he said, “the Trump administration has a good record on cybersecurity compared to its predecessors, turning CISA into a real cybersecurity agency with an effective role in protecting the 2020 election and imposing significant new sanctions on Russia.”

The network

More responses to The Network survey on whether the Trump administration took the nation in the right or wrong direction on cybersecurity: 

  • WRONG DIRECTION: “Most successes in cybersecurity over the past four years were not done by the ‘Trump administration’ but by government officials working against or despite that administration.” — Jason Healey, a former White House cybersecurity official who’s now a senior research scholar at Columbia University’s School for International and Public Affairs
  • RIGHT DIRECTION: “The Trump administration made significant advancements in cybersecurity in areas such as the creation of the Cybersecurity and Infrastructure Security Agency (CISA) and relaxing restrictions on U.S. Cyber Command. However, there were also setbacks such as the elimination of the role of White House cybersecurity coordinator and the termination of CISA Director Christopher Krebs.” — Steve Grobman, chief technology officer at McAfee
  • WRONG DIRECTION: “Instead of a unity of effort we got less cyber-coordination at the State Department and White House, and an absence of U.S. participation on global norms of acceptable behavior.” — Jeff Moss, founder and chief executive of DEF CON Communications
  • RIGHT DIRECTION: “The government employees made good, albeit limited, progress on many cybersecurity issues — e.g. CyberCom’s “persistent engagement” and CISA’s support of election security. They did so despite the resistance of Trump himself and the wrongheaded decision of Trump/Bolton to de-emphasize cybersecurity at the NSC level.” — Paul Rosenzweig, a top DHS official during the George W. Bush administration who now runs Red Branch Consulting
  • WRONG DIRECTION: “Cybersecurity was never a priority for this administration and so many lost opportunities came and went over the past four years.” — Joseph Hall, senior vice president for a strong Internet at the Internet Society
  • RIGHT DIRECTION: “Trump himself deserves little credit, but during his time good things have happened.” — Bobby Chesney, director of the Center for International and Security Law at the University of Texas at Austin
  • WRONG DIRECTION: “Probably Trump’s biggest impact in cybersecurity efforts across the country is through his claim of election fraud via unproven hacked voting systems that have helped tear this country in half.” — Tony Cole, chief technology officer at Attivo Networks

The keys

Attorney General William P. Barr is leaving the White House after he declined to support Trump’s election fraud claims.

Barr backed Trump’s attacks against voting by mail before the election, spreading false claims the process could be manipulated by foreign governments. But Trump turned on Barr after the election, when he declared the Justice Department found no evidence of fraud despite the president’s baseless claims to the contrary. 

Trump announced the departure in a tweet Monday, Matt Zapotosky reported. Barr will leave before Christmas.

The outgoing attorney general also reignited the debate between law enforcement and tech companies over encrypted communications

He pushed for tech companies to weaken encryption so law enforcement with warrants would be assured access to the communications of criminals, sparking an outcry from privacy advocates. He also slammed Apple for its alleged refusal to help unlock the devices of a Saudi air force student who opened fire last year at a U.S. military base in Pensacola, Fla. (Apple denied that they refused to assist law enforcement.) And he waged war against Facebook’s plans to expand fully encrypted messaging across its services.

Biden called for an end to Trump's baseless election fraud claims after the electoral college made his victory official. 
President-elect Joe Biden attacked Republicans for making baseless claims about the legitimacy of the election on Dec. 14 in Wilmington, Del. (The Washington Post)

The president-elect slammed efforts by Trump and Republicans to delegitimize the win in his acceptance speech, Chelsea Janes reports.

He called a recent lawsuit filed by 17 Republican attorneys general and 126 Republican members of Congress asking the Supreme Court to throw out results in several states an unprecedented assault on our democracy. That suit was rejected by the Supreme Court. He also condemned threats of violence against election workers and praised former CISA Krebs, who he quoted saying November's election was “the most secure in history.”

Six of the states in which the Trump campaign has contested defeat cast their votes for Biden. California’s 55 votes pushed Biden over the required 270 to win, Felicia Sonmez reports

The tally will now go to Congress to be certified on Jan. 6. So far, only one member of the Republican Party, Rep. Mo Brooks (Ala.) has suggested he would try to overturn the results. 

The voting company Smartmatic is demanding Fox News retract allegedly false statements about its voting machines. 

The company issued legal notices and demands for retractions of dozens of factually inaccurate statements made by Fox News, Newsmax and One America News, the company announced in a news release.

Smartmatic and rival Dominion Voting Systems have been the subject of debunked conspiracy theories spread by Trump and his allies to discredit the election results. The letters include more than 12 pages of allegedly false statements, including claims that Smartmatic owns Dominion. Smartmatic may pursue defamation and disparagement claims, the company said.

“They have no evidence to support their attacks on Smartmatic because there is no evidence,” said Antonio Mugica, chief executive of Smartmatic. “This campaign was designed to defame Smartmatic and undermine legitimately conducted elections.

Newsmax says that it has only provided a public forum for guests who have raised questions about the company and its software. “Newsmax itself has never made a claim of impropriety about Smartmatic, its ownership or software,” Newsmax said in a company statement.  

The Cybersecurity 202 could not reach Fox News and OAN for comment.

Government scan

The Federal Trade Commission is launching an investigation into the data-collection practices of major tech firms.

The agency confirmed Monday that it is requesting Amazon, TikTok owner ByteDance, YouTube, Facebook and a slew of other companies share information about how they collect and use data. The news was first reported by Axios.

The study will emphasize how the companies’ data practices affect children and teenagers. The companies will have 45 days to respond to the agency’s requests.

More cybersecurity news:

Chat room

Journalist Kim Zetter asks: Is it an “attack” or an intrusion?

The question sparked a lot of debate. Infosec lawyer Whitney Merrill:

Contextly CEO Ryan Singel:

Journalists also weighed in. Shashank Joshi, defense editor at the Economist:

The New York Times’s Nicole Perlroth:

Daybook

  • The Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled, “Examining Irregularities in the 2020 Election” on Wednesday at 10 a.m.

Secure log off