The last entry on a list of 50 brief bullet points released from the Trump campaign Sunday reads as follows, in its entirety: “Build a Great Cybersecurity Defense System and Missile Defense System.”
If that seems a little more concise than it could be, it’s because building great cybersecurity defense systems needs more than half a bullet point to explain.
The Trump campaign has promised to expand on these and other ideas in the agenda during the convention and on the campaign trail. But in the meantime, what might the market expect when Trump does announce a detailed policy?
Here’s what will need to get hashed out.
Important to note is that the U.S. government treats federal, state, critical infrastructure and general business systems as different entities. State governments claim dominion over several key aspects of cybersecurity. Businesses and critical infrastructure are governed by a murky mix of laws, federal agencies, the SEC and industry groups, but when it comes to defense, they are typically expected to fend for themselves against hackers at their doorstep. The Trump bullet point doesn’t explain which of these four would be a federal responsibility.
“A good policy agenda should lay out how the federal government intends to work with the key players in cyberspace,” said Michael Daniel, former cybersecurity coordinator for the Obama White House, and current president and CEO of the Cyber Threat Alliance, a cybersecurity industry group.
Democrats have traditionally been more inclined to support a central federal government role in regulating cybersecurity for businesses, and an increase in the role of the federal government in defending states and privately held infrastructure.
That doesn’t mean that the Trump administration has been absent from the defense of these sectors. The Obama administration enjoyed an unusually calm period for Chinese economic espionage – either owing to a successful pact between the administration and the Xi government to stop economic espionage, or to the massive restructuring of the Chinese espionage apparatus that caused a temporary lull in capacity. Either way, when economic espionage picked up again, Trump met it with a mixture of sanctions and increased prosecutions.
China looms large in the Trump administration. But it’s important to watch whether cybersecurity defense is viewed as an individual priority or part of a broader China strategy.
Trump has previously signaled willingness to treat even criminal justice matters as a bargaining chip in his China agenda. Reducing the temperature on the trade war might mean reducing or even trading away some of the focus on Chinese economic espionage.
Moreover, the focus on secure supply chains we saw in the ZTE and Huawei debates could either be a one-off component of the China issue or a continuing focus of the United States’ role in an international economy. Disincentivizing high-tech gear from China could have dramatic effects on pricing, the contours of the global manufacturing map and, if retaliations continue as they have, the viability of U.S. products and liberty of U.S. executives in China.
How we defend what we defend
The Trump administration has increased a “defend forward” posture toward cyberattacks – essentially fighting hackers on foreign servers, before they even get to the target. This could be of some concern to businesses; it’s often hacked business machines that are used as intermediary staging servers for global attacks. At any moment, the U.S. may be fighting Russia in the computers of a German bank.
Trump has increased U.S. use of cyberattacks against enemies and provided Cyber Command more autonomy to determine when to use them.
That offensive approach has generally been seen as a positive by the national security community, who saw Obama’s more deliberative approach as a little stifling. But there are limits to what cyber can accomplish, and risks in encouraging in-kind counterattacks.
Regardless of how well we secure our computers, the U.S. will remain among the most vulnerable countries to cyberattack in the world, due to the fact that it has more internet-connected targets than Russia, North Korea or Iran. And many of those targets reside in the private sector.
How agencies interact
There are a lot of stakeholders within government whenever a cyber incident occurs, and not a lot of formal processes to make sure all of the equities are aligned. It’s important for Trump to consider if the gears all turn in the same direction. That may mean undoing some of the changes made during his first four years.
For example: when John Bolton took over as national security advisor during the Trump administration, he eliminated the cybersecurity coordinator position. That irked legislators from both parties, national security experts and even the business community.
Christopher Roberti, senior vice president for cyber, intelligence, and supply chain security policy at the U.S. Chamber of Commerce, said he would like to see the president strengthen the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and establish more executive branch coordination between critical infrastructure and intelligence agencies.
“The Chamber supports legislation that strengthens CISA’s role as the nation’s risk adviser,” he said. “The Chamber also supports legislation to establish the Office of the National Cyber Director within the Executive Office of the President and legislation that codifies a collaborative relationship between key critical infrastructure sectors and the intelligence community.”
Colloquially, privacy often gets lumped in with cybersecurity. That makes sense; improving one often improves the other. The United States has one of the least unified systems for privacy in the world. Privacy laws differ from industry to industry and state to state. Businesses often treat personal information as a resalable commodity – most nations say the right to distribute information stays with the person.
A few states, most notably California, have digital privacy laws. But business leaders fear that a state-by-state system will both create confusion and force anyone with a nationwide business to live up to the strictest state’s standards. Instead, they would prefer a national privacy standard to supersede the state standards. This, at one time, was a priority of the Trump administration.
There’s an international shortage of trained cybersecurity workers both in the government and in the private sector.
In the public sector, with its lower salaries, it’s often tougher to get necessary talent for the less glamorous agencies. That doesn’t make securing those agencies less important to the economies that count on them. For the National Park Service, for example, there’s a tourism ecosystem dependent on all systems working.
But businesses are facing the same crunch, especially if a push for cybersecurity requires new trained personnel.
There are several ways the government can help close the gaps, ranging from apprenticeships to investing in education, to increasing salaries.
And who will pay for any of it?
Just as unclear as the role of the federal government in cybersecurity strategy for the states or businesses is the matter of who should pay for necessary improvements. Trump has, in the past, said that states should invest in more secure voting infrastructure, for example. But states could only afford the kind of sustained push necessary with federal funding.
Cybersecurity costs money. Look for what Trump will budget, not just what he’ll advocate.