The Pluses and Perils of Trump's Cyber Strategy

Susan Walsh/AP

Featured eBooks
Space Tech
Read Now

CDM

Read Now

Digital Transformation

Read Now
Joseph Marks By Joseph Marks,
Senior Correspondent

By Joseph Marks

|

Continuity on most cyber policies masks a growing erosion of global cyber norms.

Is Donald Trump’s cybersecurity policy humming along at the 10-month mark of his administration, a rare space of continuity amid myriad shifts and realignments? Or is Trump blazing a new path that could set dangerous precedents in cyberspace and leave the internet more ungovernable in the future?

The answer, according to cyber analysts and former officials in Republican and Democratic administrations, might be both.

When it comes to basic management of the government’s cybersecurity responsibilities, they say, it might be difficult to distinguish Trump’s cybersecurity program from his predecessor’s.

When it comes to shaping and enforcing international rules of the road in cyberspace, however, the Trump administration may be taking a step back from the U.S.’s historic role, a move experts worry could cede ground to an anti-Democratic model for the internet championed by U.S. adversaries such as Russia and China.

Here’s the good part.

The top officials leading Trump’s cyber policy—including Tom Bossert and Rob Joyce at the White House and Jeanette Manfra at the Homeland Security Department—are seasoned professionals with lengthy government resumes and are highly respected by their peers.

Their policies—including a May executive order and a series of Homeland Security Department directives—are uncontroversial and largely in lockstep with government cybersecurity priorities that stretch back into the Obama administration or even earlier, former officials say.

In general, the administration has focused on shoring up federal agencies’ cybersecurity, creating consequences for digital lapses and improving the security of critical infrastructure, such as hospitals, banks and airports.

The Trump team has even broken new ground on these fronts. It won praise from industry when Homeland Security banned Russian anti-virus software made by Kaspersky Lab from government systems. Transparency advocates cheered when it offered an updated policy for how the government decides whether to hoard or disclose newfound software bugs.  

The administration also could close policy loops that the Obama administration never did, such as developing a rigorous cyber deterrence policy that outlines clear consequences for criminals and adversary nations that commit cyber crimes against the U.S., said Frank Cilluffo, director of George Washington University’s Center for Cyber and Homeland Security and a Bush administration cyber adviser.

These policies aren’t perfect, the experts say, but cybersecurity isn’t about perfection. It’s about marginal improvements and balancing risk. Compared with analysts’ fears about Trump’s bellicose language when he first took office—including a signal he might shift responsibility for domestic cybersecurity to the military—we’re in a pretty good place, they say.  

“If you think about executive orders and the like, there’s not that ‘holy crap, who wrote that?’ moment like with immigration,” said Peter Singer, a senior fellow who leads the cybersecurity program at the New America think tank. “Generally, I’m thinking: ‘This is reasonable; this is sensible.’”

The Divergence

When the focus shifts from the government’s day-to-day cyber protections to the U.S. role in global cyberspace, however, the Trump administration’s record suggests a much greater divergence.

To begin with, there’s the State Department cyber coordinator’s office, which former Secretary Hillary Clinton established in 2011. The office represents the U.S. at bilateral and multilateral cyber negotiations and advocates cyber best practices to allies and developing nations belatedly entering the digital age.

Current Secretary of State Rex Tillerson shuttered that office in August as part of a larger budget and bureaucracy trimming exercise.

There’s also the United Nations’ Group of Governmental Experts in cybersecurity, a group of 20-some nations, including the U.S., China and Russia, that meets periodically to iron out how international law and other rules of the road, known colloquially as “norms,” apply in cyberspace.

When that group’s most recent round of meetings ended without any meaningful progress earlier this year, Bossert, the White House Homeland Security Adviser, announced the U.S. would shift to a more coalition of the willing model to pursue cyber norms.

Finally, there’s the elephant in the room: Trump’s continuing caginess about acknowledging Russia’s role in a hacking campaign and influence operation aimed at sowing chaos during the 2016 presidential election.

Taken together, these shifts could undermine U.S. leadership in cyberspace and fundamentally change what the digital world looks like a decade from now, former officials said.

A Brief History of Global Cyber Norms

The argument during the Obama administration went something like this:

Nations will use the internet to spy on each other and that can’t be stopped. But, nations should also agree that this meddling in the internet should not extend to undermining businesses, damaging critical infrastructure like nuclear and energy plants, or putting citizens and their information at risk.

When nations fail to honor these cyber norms, the U.S. argued, other nations should ensure they suffer consequences. That could mean a retaliatory cyber strike, but more often means economic sanctions, legal indictments or military action.

Trump officials, including Bossert and Joyce, have embraced that broad argument, using phrases nearly identical to their Obama administration predecessors. But the structure itself is undermined by the administration’s actions, former officials say.

Without the State Department cyber coordinator’s office, for example, there’s no organization in government that’s solely responsible for advocating the U.S. view of what cyberspace should look like.

That leadership void leaves emerging and non-aligned nations more vulnerable to Chinese and Russian notions of the internet. Those include strong government control over what internet content their citizens see and rules that bar foreign companies from providing some internet services or force them to disclose their source code.   

What’s more, when the State Department first launched the coordinator’s office it was the first of its kind in the world. Now, six years later, roughly 20 nations have launched similar offices in their foreign ministries following the U.S. lead.

“The office itself has become a global norm and now it’s not there,” New America’s Singer said. “Those other 20 offices are like: ‘Are we now the voice of the free world on this issue?’”

Deputy Secretary of State John Sullivan told the House Foreign Affairs Committee in September that State ultimately plans to elevate its cyber mission despite closing the coordinator’s office, but he did not provide details or a timeline. State has not made any public moves on the cyber front since that hearing.

Seemingly unconvinced by Sullivan, Foreign Affairs Committee Chairman Ed Royce, R-Calif., and ranking member Eliot Engel, D-N.Y., introduced a bill that requires the cyber office to be re-installed with greater authority. That bill passed the committee this month without a formal vote.

Bush administration cyber adviser Frank Cilluffo largely supports the Trump administration’s cyber efforts thus far and says he supports more aggressive bilateral cyber negotiations, though he doesn’t believe the administration should abandon multilateral efforts, such as the Group of Governmental Experts.

He acknowledged, however, that the State Department has not communicated clearly enough about its cyber plans.

“If the actual intent is simply to eliminate [the cyber coordinator’s] position and not build something as robust in its place, then I deeply oppose that,” Cilluffo said.  

The Cozy Bear in the Room

It’s Trump’s unwillingness to consistently acknowledge Russia’s culpability for meddling in the 2016 election, however, that does the most damage by far to American efforts to impose rules upon global cyberspace, former officials of both parties said.

Failing to consistently advocate for good behavior in cyberspace is one thing, they said. Failing to impose consequences for bad behavior is another.

Russia’s behavior, both during the 2016 election and since then—including meddling in European elections and breaching previously off-limits targets such as energy and nuclear plants—is the most egregious flouting of global cyber norms to date, they said. And, because there can’t be presidential buy-in, there have been, so far, few consequences.

Even Russian sanctions that Congress passed over the president’s disapproval have yet to be fully implemented.  

“We would like our allies and partners and as much of the international community as possible to see that responding to cyber threats is legitimate and, in order to make that case, you can’t fail to respond to what is clearly the number one cybersecurity challenge of the day,” said Jim Miller, a former undersecretary of defense for cyber policy during the Obama administration and president of the consultancy Adaptive Strategies.

The result of this is two-fold. In the short term, it signals to Russia that it can continue to play fast and loose with pro-democratic cyber norms that the U.S. and other western nations have tried to establish. Second, it signals to other nations and non-state actors that similar cyber mischief will go unpunished.

“It’s not just Russia,” New America’s Singer said. “It’s every other state and non-state group out there thinking: ‘Hey, I could do this and get away with it.’ My fear is that we’re trading the short term for the long term. I give credit to all the staffers and to the cyber governance things that are happening in certain areas. But there’s a larger contradiction here that sets us up poorly for the long term.”

NEXT STORY: Russia Will Build Its Own Internet Directory, Citing US Information Warfare

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.