Industry Still Waiting on Trump's Cyber Policy with Anxiety, Cautious Optimism

Photo: Evan Vucci/AP

With few tea leaves to read on the new administration’s cyber policy, industry officials are both hopeful and deeply concerned.

Thousands of cybersecurity professionals gathered at the RSA conference in San Francisco last week amid high anxiety about cyber vulnerabilities in the nascent internet of things, massive growth in ransomware attacks and raging congressional battles over how to punish Russia for its cyber meddling in the 2016 presidential election.

The most important voice in tackling these questions, however, was missing in action.

One month after President Donald Trump took office, his administration’s policy on the most pressing cyber questions of the day remains largely a mystery even to the most plugged-in cyber experts.

Hundreds of questions were asked about executive branch cyber policy at RSA. The answer was a chorus of “who knows?,” “this is still early days” and “too soon to tell.” The reigning sense was confusion.

Unlike previous years when RSA hosted a bevy of political appointees from top cyber ranks at the White House, Homeland Security and Justice departments, executive branch attendees at this year’s event were all career employees. They mostly promoted ongoing programs such as updates to the National Institute of Standards and Technology’s cybersecurity framework and cyber research investments at DHS.

It’s not even clear who most of those top officials will be.

Most of the executives who will run the government’s day-to-day cyber operations under Trump have not yet been named. There was chatter at RSA about people asked to interview for the White House cyber coordinator position previously held by Michael Daniel, but no one was sure precisely how the powers of that role would shift under Trump.

Most cyber watchers believe Tom Bossert, Trump’s assistant to the president for homeland security and counterterrorism, is now managing White House cyber policy largely as a one-man show.

The president’s major cyber initiative—an executive order expected to assess cyber policy across federal civilian IT systems, the Defense Department and critical infrastructure—has yet to be released in final form.

In the absence of hard information about the administration’s cyber priorities, RSA attendees sifted tea leaves.

The first leaked draft of the prospective cyber executive order, which described a review of major cyber adversaries but did not include the FBI director among those leading the review, was a troubling sign, they said. The second leaked draft, which added more specifics and fell closer in line with Obama administration cyber priorities, was an improvement.

Chaos in the administration’s national security wing that may have delayed the executive order’s release—including the resignation of National Security Adviser Michael Flynn after reportedly lying to Vice President Mike Pence about his contacts with Russian officials—was deeply concerning.

Trump’s statement that he plans to “hold … cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organization[s]” is a good sign. Maybe.

Because like so many of the president’s statements on cybersecurity, both before and after his election, it lacks specifics.

For example, will those secretaries and agency heads be held accountable for breaches before or after their IT systems are fully modernized, RSA attendees asked, and does the president realize that will be a multiyear and perhaps multidecade process requiring a huge financial investment?

Will agency chief information officers and chief information security officers be held similarly accountable and will they be given the authority and funding to ensure their systems are protected, asked Rob Clyde, a board director for ISACA, an information security accreditation group, and managing director of Clyde Consulting.

And will security vendors be held similarly responsible when their controls fail to spot hackers, asked Malcolm Harkins, chief security and trust officer with the cybersecurity firm Cylance.

“I like the accountability piece. I think it’s critically important,” said Tony Cole, global government chief technology officer with the cyber firm FireEye. “But if you’re holding someone accountable, that has to mean they’ve actually been enabled to influence change across an environment and that’s not been solved in the past. That really needs to be focused on for every federal agency.”

At the root of these questions loomed a larger concern for many cyber industry leaders.

“I want to make sure [cybersecurity] is taken seriously, that it’s not just campaign fodder,” said Art Gilliland, CEO of Skyport Systems and a former cyber executive at Hewlett-Packard and Symantec.  

“We need to make massive investments in technical infrastructure,” Gilliland said. “There needs to be a more systematic focus on how we stop cyber crime. … I have concerns about Trump’s response, because it’s primarily driven by ego, not by well-reasoned or thoughtful analyses of data.”

Some level of confusion is not uncommon early in a presidential administration and many industry officials at RSA took a cautiously optimistic approach to what little is known about Trump’s cyber plans, pointing to evidence of continuity between Obama and Trump administration priorities.

“The most recent [executive order draft] that leaked seemed OK, but caveat, it can still change,” said Harley Geiger, public policy director for the security research firm Rapid7. “I liked the emphasis on modernizing federal IT and on agencies using the NIST [cybersecurity] framework. It shows that they’re building on a foundation that was laid in the Obama administration. They’re not reinventing the wheel.”

It’s also a positive signal cybersecurity is getting air time so early in the administration, FireEye’s Cole said, a sign it’s “going to be an important focus for the administration.”

“I think they’re going to put the right people in place,” he said. “I think they’re getting more in alignment with what the former administration did and [the Obama administration] made some great strides, but there are a lot more strides to be made.”

For others, however, Trump’s bombastic style, his sparring with minority communities and his unnuanced approach to complex security questions represented an insurmountable point of conflict between the president and the cyber and technology professionals he will have to woo to his side to protect U.S. networks in an ever more dangerous digital world.

The president’s executive actions restricting travel from several predominately Muslim nations and ordering a wall to be built on the U.S.-Mexico border are especially likely to alienate the technology and cybersecurity industries heavily dependent on highly skilled immigrants, said Kenneth Geers, a longtime cyber leader in the military and intelligence community and now senior research scientist with the firm Comodo.

“In tech companies, my guess is they’re overwhelmingly angry that this has happened to the world and they do not like Trump,” Geers said. “If you go to any tech office, there’s going to be a wide range of first and last names you can’t pronounce. Tech people like that, know that and are comfortable with that. Long story short, there’s going to be an unbridgeable gap between the two, unless Trump has some kind of transformation, which will not happen.”

There’s also widespread concern that even if Trump opts for continuity with Obama’s cyber policies, he’ll respond rashly when a cyber crisis hits, such as a major nation state-backed cyberattack against government or industry, or a tech-centric conflict that pits security concerns against privacy or civil liberties.

The president famously urged his supporters to boycott Apple when the tech company refused to help the FBI crack into an encrypted iPhone used by San Bernardino shooter Syed Farook while the Obama administration and Hillary Clinton campaign took a more measured approach to the encryption debate.

On encryption, in particular, the technology has, if anything, become more embedded and vital since the Apple-FBI dispute, and another government-industry showdown could damage what goodwill exists between industry officials and the administration, RSA attendees said.

“His rhetoric has been pretty big and brash and to act on that would be a mistake. It could take down networks,” said Ari Schwartz, who led cyber policy for Obama’s National Security Council and is now managing director of cybersecurity services for the law firm Venable.

Schwartz has otherwise been cheered by the seeming continuity with Obama priorities in the most recent executive order draft, he said.

“As you learn about the structure that’s in place, it’s there for a reason,” he said. “There’s been continuity in cyber since the mid-Bush administration, [but] government’s been slightly behind the whole way.”

Despite industry concerns, Trump does have a historic opportunity to shore up national cybersecurity, many RSA attendees noted.

A fully Republican-controlled Congress might be more willing to invest heavily in infrastructure and research than a Congress riven by partisan disputes, they noted. Democrats might also be eager to cooperate with Republicans on a relatively noncontroversial priority.

The question remains, however, whether the Trump team can bring in the right people and muster the energy and focus necessary for such a push.

“We need to get things done,” Gilliland said. “The thing he’s got going for him is, for at least two years, there’s a policy direction that can be executed. If he can focus long enough on things that matter around cybersecurity, we can get things done. Even if there’s a stake in the ground with some errors, at least it’s a start. Otherwise, we’re just still waiting.”
