Thousands of cybersecurity professionals gathered at the RSA conference in San Francisco last week amid high anxiety about cyber vulnerabilities in the nascent internet of things, massive growth in ransomware attacks and raging congressional battles over how to punish Russia for its cyber meddling in the 2016 presidential election.
The most important voice in tackling these questions, however, was missing in action.
One month after President Donald Trump took office, his administration’s policy on the most pressing cyber questions of the day remains largely a mystery even to the most plugged-in cyber experts.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
Hundreds of questions were asked about executive branch cyber policy at RSA. The answer was a chorus of “who knows?,” “this is still early days” and “too soon to tell.” The reigning sense was confusion.
Unlike previous years when RSA hosted a bevy of political appointees from top cyber ranks at the White House, Homeland Security and Justice departments, executive branch attendees at this year’s event were all career employees. They mostly promoted ongoing programs such as updates to the National Institute of Standards and Technology’s cybersecurity framework and cyber research investments at DHS.
It’s not even clear who most of those top officials will be.
Most of the executives who will run the government’s day-to-day cyber operations under Trump have not yet been named. There was chatter at RSA about people asked to interview for the White House cyber coordinator position previously held by Michael Daniel, but no one was sure precisely how the powers of that role would shift under Trump.
Most cyber watchers believe Tom Bossert, Trump’s assistant to the president for homeland security and counterterrorism, is now managing White House cyber policy largely as a one-man show.
The president’s major cyber initiative—an executive order expected to assess cyber policy across federal civilian IT systems, the Defense Department and critical infrastructure—has yet to be released in final form.
In the absence of hard information about the administration’s cyber priorities, RSA attendees sifted tea leaves.
The first leaked draft of the prospective cyber executive order, which described a review of major cyber adversaries but did not include the FBI director among those leading the review, was a troubling sign, they said. The second leaked draft, which added more specifics and fell closer in line with Obama administration cyber priorities, was an improvement.
Chaos in the administration’s national security wing that may have delayed the executive order’s release—including the resignation of National Security Adviser Michael Flynn after reportedly lying to Vice President Mike Pence about his contacts with Russian officials—was deeply concerning.
Trump’s statement that he plans to “hold … cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organization[s]” is a good sign. Maybe.
Because like so many of the president’s statements on cybersecurity, both before and after his election, it lacks specifics.
For example, will those secretaries and agency heads be held accountable for breaches before or after their IT systems are fully modernized, RSA attendees asked, and does the president realize that will be a multiyear and perhaps multidecade process requiring a huge financial investment?
Will agency chief information officers and chief information security officers be held similarly accountable and will they be given the authority and funding to ensure their systems are protected, asked Rob Clyde, a board director for ISACA, an information security accreditation group, and managing director of Clyde Consulting.
And will security vendors be held similarly responsible when their controls fail to spot hackers, asked Malcolm Harkins, chief security and trust officer with the cybersecurity firm Cylance.
“I like the accountability piece. I think it’s critically important,” said Tony Cole, global government chief technology officer with the cyber firm FireEye. “But if you’re holding someone accountable, that has to mean they’ve actually been enabled to influence change across an environment and that’s not been solved in the past. That really needs to be focused on for every federal agency.”
At the root of these questions loomed a larger concern for many cyber industry leaders.
“I want to make sure [cybersecurity] is taken seriously, that it’s not just campaign fodder,” said Art Gilliland, CEO of Skyport Systems and a former cyber executive at Hewlett-Packard and Symantec.
“We need to make massive investments in technical infrastructure,” Gilliland said. “There needs to be a more systematic focus on how we stop cyber crime. … I have concerns about Trump’s response, because it’s primarily driven by ego, not by well-reasoned or thoughtful analyses of data.”
Some level of confusion is not uncommon early in a presidential administration and many industry officials at RSA took a cautiously optimistic approach to what little is known about Trump’s cyber plans, pointing to evidence of continuity between Obama and Trump administration priorities.
“The most recent [executive order draft] that leaked seemed OK, but caveat, it can still change” said Harley Geiger, public policy director for the security research firm Rapid7. “I liked the emphasis on modernizing federal IT and on agencies using the NIST [cybersecurity] framework. It shows that they’re building on a foundation that was laid in the Obama administration. They’re not reinventing the wheel.”
It’s also a positive signal cybersecurity is getting air time so early in the administration, FireEye’s Cole said, a sign it’s “going to be an important focus for the administration.”
“I think they’re going to put the right people in place,” he said. “I think they’re getting more in alignment with what the former administration did and [the Obama administration] made some great strides, but there are a lot more strides to be made.”
For others, however, Trump’s bombastic style, his sparring with minority communities and his unnuanced approach to complex security questions represented an insurmountable point of conflict between the president and the cyber and technology professionals he will have to woo to his side to protect U.S. networks in an ever more dangerous digital world.
The president’s executive actions restricting travel from several predominately Muslim nations and ordering a wall to be built on the U.S.-Mexico border are especially likely to alienate the technology and cybersecurity industries heavily dependent on highly skilled immigrants, said Kenneth Geers, a longtime cyber leader in the military and intelligence community and now senior research scientist with the firm Comodo.
“In tech companies, my guess is they’re overwhelmingly angry that this has happened to the world and they do not like Trump,” Geers said. “If you go to any tech office, there’s going to be a wide range of first and last names you can’t pronounce. Tech people like that, know that and are comfortable with that. Long story short, there’s going to be an unbridgeable gap between the two, unless Trump has some kind of transformation, which will not happen.”
There’s also widespread concern that even if Trump opts for continuity with Obama’s cyber policies, he’ll respond rashly when a cyber crisis hits such as a major nation state-backed cyberattack against government or industry or a tech-centric conflict that pits security concerns against privacy or civil liberties.
The president famously urged his supporters to boycott Apple when the tech company refused to help the FBI crack into an encrypted iPhone used by San Bernardino shooter Syed Farook while the Obama administration and Hillary Clinton campaign took a more measured approach to the encryption debate.
On encryption, in particular, the technology has, if anything, become more embedded and vital since the Apple-FBI dispute, and another government-industry showdown could damage what goodwill exists between industry officials and the administration, RSA attendees said.
“His rhetoric has been pretty big and brash and to act on that would be a mistake. It could take down networks,” said Ari Schwartz, who led cyber policy for Obama’s National Security Council and is now managing director of cybersecurity services for the law firm Venable.
Schwartz has otherwise been cheered by the seeming continuity with Obama priorities in the most recent executive order draft, he said.
“As you learn about the structure that’s in place, it’s there for a reason,” he said. “There’s been continuity in cyber since the mid-Bush administration, [but] government’s been slightly behind the whole way.”
Despite industry concerns, Trump does have a historic opportunity to shore up national cybersecurity, many RSA attendees noted.
A fully Republican-controlled Congress might be more willing to invest heavily in infrastructure and research than a Congress riven by partisan disputes, they noted. Democrats might also be eager to cooperate with Republicans on a relatively noncontroversial priority.
The question remains, however, whether the Trump team can bring in the right people and muster the energy and focus necessary for such a push.
“We need to get things done,” Gilliland said. “The thing he’s got going for him is, for at least two years, there’s a policy direction that can be executed. If he can focus long enough on things that matter around cybersecurity, we can get things done. Even if there’s a stake in the ground with some errors, at least it’s a start. Otherwise, we’re just still waiting.”