28 January 2017

The Knowns and Unknowns of Trump’s Cyber Plan

BY JOSEPH MARKS, SENIOR CORRESPONDENT

Donald Trump will be sworn in as the nation’s 45th president today with cybersecurity looming larger than it has for any of his predecessors—and with many unknowns about how he’ll tackle the issue.

Here’s a rundown of what we know and what we don’t.

‘Review on Hacking’

Trump has promised a “major review on hacking” within his first 90 days in office, declaring, “we have no defense” and “we’re run by people that don’t know what they’re doing.”

It’s not clear, however, who will lead that review or where it will focus.

Trump first floated the idea of a major cyber assessment during his campaign, when he pledged an “immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure, by a Cyber Review Team of individuals from the military, law enforcement and the private sector.”

After the election, Trump seemed to shift course and said he’d ask the Defense Department and the chairman of the Joint Chiefs of Staff “to develop a comprehensive plan to protect America’s vital infrastructure from cyberattacks and all other forms of attacks.” 

That would be a significant shift from the current situation in which the Homeland Security Department manages relations between government and the private sector when it comes to cybersecurity. Expanding DOD’s domestic role would also likely require action by Congress.

“Vital infrastructure” also has no fixed meaning in government-ese, unlike “critical infrastructure,” a term DHS uses to describe 17 industries, including the transportation, energy and chemical sectors, considered vital to national security.

Trump later suggested, during a January press conference, that the intelligence community would play a role in the review.

The Giuliani Factor

The day after that press conference, Trump announced former New York City Mayor and Trump campaign supporter Rudy Giuliani would advise him on cybersecurity and help convene a rotating panel of private-sector leaders to discuss the issue.

It’s unclear, however, what role that private-sector group will play in the 90-day review.

The Trump transition team described Giuliani’s role in a press release as “sharing his expertise and insight as a trusted friend concerning private sector cybersecurity problems and emerging solutions developing in the private sector.” 

Giuliani described one of his top priorities to reporters as “mak[ing] sure that the government has available to it everything that’s going on in the private sector.” He also made clear he’ll be working without pay and not resigning from any of his current roles, which include running a consulting firm and serving as chair of the Greenberg Traurig law firm’s cybersecurity practice.

Who’s on First?

It’s also unclear if Trump will seek to rejigger the current governmental structure for cyber responsibilities and cyber incident response.

Those roles are currently defined largely by executive orders and presidential directives Trump could easily reverse or modify.

The president-elect has yet to fill top cyber roles at the White House and DHS and it’s unclear if he’ll maintain roles created by the Obama administration, such as White House cybersecurity coordinator and chief information security officer.

An Energized Cabinet but Few Details

Trump’s cabinet nominees have pledged to make cybersecurity a priority if confirmed, though they’ve made no hard promises and none have extensive backgrounds in the field.

Retired Gen. John Kelly, who’s slated to lead DHS, pledged to “get deep into it,” if confirmed. Kelly also spoke positively about a plan to elevate DHS’ cyber mission that failed to win congressional approval last year, though he stopped short of endorsing the plan.

Other nominees have been less descriptive about their cyber priorities.

“I promise you, we’re on it,” billionaire investor Wilbur Ross, Trump’s pick to lead the Commerce Department, told lawmakers during his confirmation hearing.

Trump’s pick to lead the Pentagon, retired Gen. James Mattis, urged a comprehensive cyber doctrine that would deter adversary nations from launching major cyberattacks against the U.S., but offered few specifics. Obama administration officials have endorsed a similar deterrence doctrine but were not successful in warding off numerous attacks.

Another wrinkle: Trump and his nominees have not yet endorsed a slate of congressional sanctions against Russia for its cyber meddling in the 2016 election and Trump could reverse a handful of punishments outgoing President Barack Obama already imposed. Trump has consistently downplayed the importance of the Russian government-backed breaches at Democratic political organizations, though he did acknowledge for the first time during his January press conference Russia was the culprit.

If the Trump team steps back from those sanctions, it could send a signal to other nations America’s red lines in cyberspace are not so firmly drawn.

An Attentive Congress

Whatever moves Trump and the executive branch make on cybersecurity, it’s clear Congress will be paying close attention and the battle over Russian sanctions will only be the starting line.

Senate Armed Services Chairman John McCain, R-Ariz., created a new cybersecurity subcommittee this month led by Sen. Mike Rounds, R-S.D., who listed “deterring attacks on civilian critical infrastructure” as a major priority.

The Senate Intelligence Committee has also announced plans to investigate the intelligence community’s conclusions about Russian hacking while House Homeland Security Chairman Michael McCaul, R-Texas, has pledged a renewed effort to elevate DHS’ cyber mission.

Joseph Marks covers cybersecurity for Nex.
