President Donald Trump promised big changes on cybersecurity after his election.
During the Obama administration, the nation’s cybersecurity was “run by people that don’t know what they’re doing,” the president said during a post-election press conference. The Trump administration, he promised, would gather “some of the greatest computer minds anywhere in the world” and “put those minds together … to form a defense.”
Seven months into the president’s administration, however, analysts are wondering what’s so different.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
On most major cybersecurity issues, such as securing federal networks and critical infrastructure, Trump officials are in near lockstep with their Obama-era predecessors. Where they differ, there’s no clear Trump cybersecurity doctrine to explain the divergence.
In some cases, other administration priorities, such as slashing federal budgets, seem to be driving cyber policy rather than the other way around.
In other cases, the president’s cyber efforts have been stymied by his other policies and pronouncements. Cooperation with the tech industry has been hampered by Silicon Valley’s opposition to the president’s hardline immigration policy. Cooperation with broader industry took a nosedive following the president’s reaction to a violent protest in Charlottesville that seemed to place equal blame on white supremacists and those protesting them.
Most significantly, public faith in government as an arbiter of what’s real and phony in the shadowy world of cyberspace has been deeply damaged by the president’s on-again, off-again refusal to accept U.S. intelligence agencies’ conclusion that Russian government-linked hackers tampered in the election that secured his presidency, analysts said.
“It’s schizophrenic,” said Peter Singer, a cyber theorist and senior fellow at the New America Foundation. “That may be because of the absence of a strategy or it may be because the chaotic execution of that strategy undermines it.”
What Stayed the Same
By far the strongest theme to emerge from the Trump administration’s cyber policy is continuity.
The White House’s top cybersecurity officials, Homeland Security Adviser Tom Bossert and Cyber Coordinator Rob Joyce, have both stressed shoring up the security of federal networks, deterring foreign adversaries from targeting U.S. systems and promoting good behavior in international cyberspace as their top priorities. These ideas are straight from the Obama administration playbook.
A Trump cybersecurity executive order, released in May, orders federal agencies to follow an Obama-era set of cybersecurity best practices. It also orders up a series of studies about federal agency and critical infrastructure cybersecurity and about developing the cyber workforce, which were all main focus points for the Obama administration.
The administration’s largest cyber move to date—an order to begin elevating U.S. Cyber Command to a full unified combatant command—was already planned during the Obama years.
“The theme that runs through so much of how this administration talks about the world is: ‘not Obama,’ but this is one of not so many areas of continuity,” Singer said. “There were studies being asked of agencies under Obama; there are studies being asked now. Whether [Hillary] Clinton or Trump had won, it was extremely likely that Cyber Command was going to be raised and it has been.”
Trump has split in some ways from the Obama administration’s Trump’s cyber policy.
Most notably, Secretary of State Rex Tillerson announced Monday that he plans to shutter the State Department cyber coordinator’s office along with the offices of dozens of other special envoys, representatives and ambassadors.
The cyber coordinator’s office was launched under former Secretary of State Hillary Clinton in 2011 and took the lead on bilateral and multilateral negotiations over international rules of the road, or norms, in cyberspace.
Tillerson described the office’s shuttering as part of a larger effort to rein in the State Department’s sprawling bureaucracy and said cyber issues could be ably handled through State’s economics bureau. It also may help to reduce the department’s budget, which Tillerson wants to slash by 30 percent.
The move also arguably jibes with the Trump administration’s larger worldview, which has tended to favor tough talk and a go-it-alone attitude over careful diplomacy.
“They’re not big fans of norms and you can write that statement all across the board,” said Martin Libicki, chair of cybersecurity studies at the U.S. Naval Academy. “Part of getting into the norms process is you have to accept limits on what you do.”
A similar turn against global cyber norms was evident in a June speech in Tel Aviv by Trump Homeland Security Adviser Tom Bossert, shortly after a long-standing United Nations-led group of government cyber officials failed, for the first time, to reach consensus on even a basic statement about how international law applies in cyberspace. The group included representatives from the U.S., Russia and China and other nations.
In the future, Bossert said, the U.S. would pivot away from such broad efforts in cyberspace, working, instead, “with smaller groups of like-minded partners to call out bad behavior and impose costs on our adversaries,” and pursuing bilateral agreements when necessary.
In other cases, however, it’s tougher to draw a straight line between the president’s pronouncements about cybersecurity and his administration’s actions.
The president promised to “get very, very tough on cyber and cyber warfare” while on the campaign trail and he predicted a surge in U.S. cybersecurity capabilities as recently as Monday during a joint press conference with the president of Finland.
Indeed, the president’s 2018 budget proposal raised overall funding for cyber protections in the Defense and Homeland Security departments. But the budget also significantly cut funding for the government’s two main civilian cybersecurity research and development units—necessary components for surging cyber capability—in the Homeland Security and Commerce departments.
In other cases, presidential appointee positions that would focus on securing the government against cyberattacks and implementing the administration’s cyber policies, such as the federal chief information security officer and agency chief information officers, have been left vacant or are filled on an acting basis by career civil servants.
Trump has said many empty positions are being left intentionally vacant to starve the beast of government bureaucracy, but he has not addressed cyber and tech positions specifically nor squared those vacancies with the constant cyber threats facing the government.
The president also pledged to plumb the private sector for cybersecurity guidance, which was also a priority for the Obama administration. But, an outside cybersecurity advisory group headed by former New York Mayor Rudy Giuliani has not been heard from publicly since the inauguration.
More than one-fourth of an advisory group focused on cyber and physical infrastructure security also resigned en masse this month, citing the president’s lax approach to election cyber vulnerabilities and his equivocating response to the violence in Charlottesville.
A government-centric tech panel that takes private sector input, the American Technology Council, released a plan to upgrade government information technology Wednesday that includes sharing more cybersecurity services between agencies and improving top security staff’s ability to continuously monitor the state of network security across government.
No Easy Doctrines
This is not to suggest that Obama’s cyber doctrine was crystal clear and capable of being scrawled on the back of a cocktail napkin.
The Obama administration’s cyber policy was sketched out in more than a dozen executive orders, guidance documents and lengthy policy manifestos over the course of two terms, not to mention constructed on the fly in the wake of major breaches at Sony Pictures Entertainment, the Office of Personnel Management and the Democratic National Committee.
Even despite that pile of papers, congressional cyber hawks including Sen. John McCain, R-Ariz., complained with more than a modicum of justification that Obama’s cyber policy was weak, wobbly and failed to deter Russia and other adversaries.
Obama also frequently declined to put muscle behind his cyber pronouncements because cybersecurity took a backseat to more important diplomatic or policy considerations. For example, Obama did not publicly accuse the Chinese government of complicity in the OPM breach or the Russian government after breaches at the State Department and White House.
The diplomatic and policy chessboard has grown even more complex during the Trump administration because of substantial changes in the U.S. relationships with the four nations intelligence agencies have regularly described as our major cyber adversaries: Russia, China, Iran and North Korea.
North Korean nuclear saber rattling, uncertainty about the future of Obama’s Iranian nuclear deal and tensions with China over trade and North Korea could all affect how the Trump administration considers those nations’ cyber threats and where cyber ranks in the list of concerns each nation presents.
The Cozy Bear in the Room
In the case of Russia, the president’s unwillingness to criticize President Vladimir Putin’s regime or, frequently, to acknowledge Russia’s digital meddling in the 2016 election, represents the greatest strategic shift in the cyber landscape, analysts said.
It also undermines whatever other clarity there might be in the Trump cyber doctrine, they said, because it gives the lie to the administration’s larger argument that nations must respect rules in cyberspace or face consequences.
“The U.S. has consistently been arguing over the last five years that we’re getting better at cyber attribution, that we can attribute a cyberattack, and the president’s statements undermine that,” said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.
“It’s the cozy bear in the room,” New America’s Singer said, referencing a cybersecurity community nickname for one of the Russian government-linked hacking groups that penetrated the Democratic National Committee and Hillary Clinton’s presidential campaign.
“It’s the cloud that hangs over not just the administration, but everything in cybersecurity,” Singer said. “How do you talk about cyber deterrence in the military when you have a commander in chief who won’t acknowledge an attack even happened? How do you engage with states on election security if you have the president and a part of the body politic saying ‘but maybe it didn’t happen?’”