Just three months into his first term, with the flourish of a pen, President Donald Trump signed an executive order ostensibly to lay the groundwork for future cybersecurity policy.
Now as Americans go to the polls in record numbers and Trump vies for re-election, his uneven cybersecurity policy offers a few clues into what he might prioritize during a second term. The greatest potential for progress, say some experts, may come from the expansion of some very distinct successes during his first term: the centralization of the security and resiliency within the Department of Homeland Security (DHS), and development of cybersecurity guidance for the Defense Department.
But before one can look ahead, he must look backwards. Having already done a close look at what a Biden-Harris administration might mean for cybersecurity policy, SC Media examines Trump's approach to cyber during his first term, for some insight into what could come from four more years.
An uneven record
The substance of that executive order three and a half years ago mirrored “the general approach to cybersecurity that started in the Bush administration and ran through the Obama administration,” as noted at the time by Michael Daniel, who served as special assistant and cybersecurity coordinator for the White House under President Barack Obama, and today is president and CEO of the Cyber Threat Alliance.
Another Trump term might be more of the same, with the potential to rise above the political fray.
“Cybersecurity policy has for more than a decade evolved at a rapid pace in a positive manner under both Republican and Democratic administrations, in part because it is such a technical field that requires professional technocratic input over and above partisan policy proposals,” says Jonathan Reiber, senior director for cybersecurity strategy and policy at AttackIQ and former chief strategist on cyber at the Defense Department during the Obama administration. “I expect that under either administration that trend will continue.”
Lauded at the time for embracing the NIST framework – which is the de facto guidance for organizations set on building a strong cybersecurity posture – the 2017 EO was in effect, as Daniel said then, “a plan for a plan" rather than an actual strategy.
And for that matter, expectations during the first month of his presidency were fairly low. One month in, a NetSkope survey of 100 IT security professionals attending RSA found that 32 percent believed cybersecurity would be worse than in past administrations. Only 12 percent saw a brighter future for cyber. More than a fifth of respondents, 21 percent, said that the administration’s proposed cyber policies put their data at greater risk and 68 percent believed the U.S. would see an uptick in nation-state actors as a result of the administration’s nationalistic rhetoric. By comparison, only 11 percent didn’t believe there would be an increase in attacks.
Those early concerns, as it turns out, weren’t completely unfounded. Attacks have most certainly continued to rise, though whether that is directly tied to administration policy is unclear.
What has emerged from the Trump administration approach to cybersecurity is a mixed bag that has seen support for the NIST framework and a crackdown on Huawei, along with an embrace of leaders in countries like Russia and North Korea, and even China, despite their well-documented cyberattacks on the U.S. and its interests.
Chloe Messdaghi, vice president of strategy at Point3 Security contends there's a lack of understanding of cybersecurity policy ramifications. She points to TikTok, which Trump saw as “a supposed threat, so he removed it from app stores.” Of course, that prevented consumers from installing updates, which has resulted in a constant churn of vulnerabilities and patches.
The lack of understanding "puts everyone at risk,” said Messdaghi, noting the importance of app updates to consumer device security.
In fairness, many presidents might lack the full scope of understanding needed to grasp trickle down impact of cyber policies. As the saying goes, that's why they have advisers. Unfortunately, significant loss of brain trust around cyber at the White House came during Trump's first term. As DHS grew and shape-shifted, much of the security expertise moved to the “outer boroughs,” without the ear of the president, Messdaghi said.
At the same time, the role of White House cybersecurity coordinator was eliminated by John Bolton, and former Secretary of State Rex Tillerson removed the State Department's Office of The Coordinator of Cyber Issues, which focused on U.S. diplomatic efforts.
While the hope is that cybersecurity will “stay pretty apolitical in the scheme of things,” over the next four years, according to Kiersten Todt, managing director at the Cyber Readiness Institute, it’s not immune to politics.
Initiatives like cyber moon shot, currently under the guidance of Vice President Mike Pence, will continue, says Tom Patterson, chief trust officer at Unisys and the co-lead of the President’s National Security Telecommunications Advisory Committee’s Cyber Moonshot Subcommittee.
Of more concern is how political jockeying may impact the way the U.S. deals with cyber threats from abroad. The president won praise for his crackdown on Huawei, but lifted sanctions on ZTE, which had prompted similar concerns to those raised by Huawei among members of Congress and the security community. Difficult to determine is whether those actions were based on security policy, or a desire influence trade negotiations with China.
Consider too how the president courted authoritarians like North Korea’s Kim Jong-un and Russian President Vladmir Putin. He removed the sanctions on Russia for interfering in the 2016 U.S. election, imposed by President Obama. On the point of that interference, the president has reserved judgement of Putin, who denies Russian meddling, and disputed findings of the U.S. intelligence community.
At the same time, U.S. isolation and cooling relations with allies has left a leadership void in the global fight against cybersecurity threats. And collaboration among countries, cybersecurity experts agree, is a must if cyberattacks are to be curbed. The U.S. must work with allies, says Todt to develop a three-pronged approach for dealing with nation-states: “how do we cooperate with them; how do we compete with them; how do we confront them.”
Trump past and potential successes
Among the key Trump administration cybersecurity wins: the launch of the Cybersecurity and Infrastructure Security Agency (CISA). The agency has thrived under the leadership of Christopher Krebs, who Reiber calls “an immensely talented individual.”
Other successes, Reiber says, include U.S. Cyber Command's “‘defend forward’ campaign to blunt and disrupt adversary operations on adversary networks before they can attack U.S. interests, an achievement in importance which cannot be overstated.”
The administration can also tout “a number of regulatory and legislative initiatives [that] have come to the fore that could positively impact U.S. cybersecurity," including the Defense Department’s Cybersecurity Maturity Model, Reiber said. He expects progress there to continue, whoever gains the White House after this election.
Within those successes lie the potential for future progress, should there be another Trump term. Todt would hope the president could build on his success with CISA, for example, applying similar discipline to the reimagining of DHS, which is in desperate need of a makeover.
“A re-examination of how DHS is organized: why it was created the way it was, why it doesn’t work, and how to make it as efficient as necessary,” she says.
“If [he] got CISA through two years ago,” she explains, the success can be repeated. “CISA needs to be DHS,” forming more of a foundation for the department.
Beyond that, clarity into Trump’s priorities going forward are best reflected in his budget proposals. And there, signals are not encouraging.
“Looking at the budget, President Trump zero’d out cybersecurity funding in 2018," Messdaghi said. "Cybersecurity costs money, and most Americans are just as concerned at this point about cyberattacks as nukes – the former being far more frequent, and the later of course uniquely terrifying.
"To determine the Administration’s priorities and its talk vs. action, follow the money," she continued. "Zero’d out is a clear compelling statement of priorities.”