Cybersecurity staff and policy are slowly developing under the Trump administration. Will the new cyberarsenal match the tweeting rhetoric. Larry Jaffee enquires.
Less than three months into the Trump administration's topsy-turvy tenure, a cybersecurity staff is slowly taking shape. Besides a few high-profile appointments, including cybersecurity czar Rob Joyce, Joshua Steinman (one of Joyce's two principal deputies), and National Security Adviser H.R. McMaster, actual cyberwarfare or more general policy positions are not known.
The six cybersecurity wonks – five from beltway think tanks and one from an international organization with a vested interest – who spoke to SC are eagerly awaiting specifics beyond generalities.
“The draft executive order to my mind could have been written by President Obama, maybe not completely, but not with a lot of differences,” says Paul Rosenzweig, a visiting fellow with the conservative think tank, the Heritage Foundation, which has advised on much of the White House agenda but is not necessarily the lead adviser on cyber.
The EO was finally released on May 11. Much of the budget for cyber is classified budget for groups like the NSA,” says Rosenzweig, a former deputy assistant secretary for policy appointee in the Department of Homeland Security (DHS) under President George W. Bush, from 2005 until Jan. 20, 2009, when President Obama took office.
Rosenzweig's understanding that planned DHS expenditures for cyber within the National Preparedness and Protection Division, for example, are essentially “flat” at $700 million, the same level allocated by the Obama administration, but that's obviously one small piece of cyber expenditures made by the executive branch, with the Defense Department obviously commanding huge unknown sums for cyber.
Regarding staffing matters, to Rosenzweig's knowledge none of Heritage's cyber experts have gone to work for the administration. He also believes former New York City Mayor Rudolph Giuliani is still slated to chair a presidential commission on cybersecurity. (A call to confirm at Giuliani's law office in Manhattan wasn't returned.)
OUR EXPERTS: Policy
Daniel Castro, vice president, Information Technology and Innovation Foundation
What was surprising, the incoming administration did not take anyone among the political appointees on their offer to stay on board and try to be helpful, comments Michael Sulmeyer (right), cybersecurity project director of the Harvard Kennedy School. “So distrusting of the Obama staff were they that they figured it would be better to have no one,” he adds.
“We're waiting to see who they end up staffing up on cybersecurity issues, and to what extent such staff has influence outside of a national security angle,” says Daniel Castro, vice president of the Information Technology and Innovation Foundation, a Washington, D.C., think tank.
Castro's understanding is that the current executive branch didn't turn off cyber defenses, despite rolling back many other aspects of governing inherited from the previous administration.
“Will economic interests play a role or will it be driven purely by the military national security side, which seems to be dominating Trump's early appointees,” he asks, adding that was also a problem with the Obama administration.
Despite media reports to the contrary, civil servants working on cybersecurity – who were not political appointees – are not suffering from poor morale as the result of the new administration, according to James Scott, co-founder of the non-partisan think tank the Institute for Critical Infrastructure Technology (ICIT).
“I have not seen that at all from the senior intel people I talk with,” Scott says. “These guys are in the trenches working as hard as they did with the last administration,” he adds.
Now a political issue
In every administration, there are staffers whose jobs are political billets, points out Sulmeyer. “Their commission is not from the civil service; it's from the White House,” he explains, adding that all of those people are inclined to resign right before inauguration.
“A few are asked to stay on to keep the trains running until the new administration arrives and appoint new political individuals,” says Sulmeyer, noting campaign staffers and patronage friends typically get such positions.
After Trump assumed the Oval Office, Sulmeyer notes a massive exodus did not occur at Cyber Command, which reports to the U.S. Defense Department. Trump's hiring freeze across all federal agencies exempted the DoD's cybersecurity office.
Sulmeyer points out that decision shouldn't be credited to the Trump team, but rather Deputy Secretary of Defense Robert Work, a holdover from the Obama administration, Sulmeyer adds.
“This early it's difficult to tell what kind of influence cyber personnel will have,” adds Castro (left), noting the Obama administration “wisely kept on” Melissa Hathaway, who headed Bush's cybersecurity policy initiative, in the early months of the transition.
Hathaway, now president of her own consulting firm and also associated with Harvard University, informed SC that she believes “it is a bit early to discuss what is going to happen with the president's plans, as we don't even have the Executive Order out.“ [Editor's noter: The EO was released on May 11]
Sulmeyer agrees that Obama keeping Hathaway on was a good way to handle cybersecurity in a nonpartisan manner. “They saw there was someone serious who was working on this, coordinating efforts across the government, and they had the poise to say it doesn't matter she's been working for the previous guys. This is important work,” Sulmeyer points out.
The Obama team pursued a deliberate process that brought in stakeholders, developed plans, and brought in “the right people to execute those plans,” Castro notes. “We haven't seen that type of approach from Trump's team yet, a clearly defined ‘this is the kind of cybersecurity policy we'll be working on,'” he adds.
However, Castro praised the selection of Joyce and McMaster for their “well-regarded minds.” He believes they will look beyond Trump's tweets and “do what's right for the country.”
The presence of McMaster and Joyce will make it harder for Trump “to radically effect policy by tweet,” says Sulmeyer. “You have actual professionals who are competent and steeped in the issues. They can shape life ahead of the tweet and impact after a tweet.”
Scott believes the president's tweets are “reckless.” It'll take extremely negative impact from such a tweet that could trigger a major cyber incident for Trump to finally realize the damage he can cause in 140 characters, he adds.
Furthermore, there's concern that the president's personal mobile phone, from which he tweets, contains sensitive information that might not be secure,” Scott notes. “Hot-miking and activating a camera in a mobile is very easy to do,” he adds.
As with the Obama administration, it appears cybersecurity policy, initially at least, will be dominated by national security, Castro notes, but it's important to look at matters beyond intelligence gathering and capabilities, such as information sharing with the private sector.
Things appear to be adrift at the White House, Scott says. “They're just embroiled in so much controversy,” he adds, citing the lingering Russian investigation.
By denying the Russians hacking and manipulating the presidential election, the Trump administration made cybersecurity strategy political when it should remain nonpartisan, says Sulmeyer.
“It's hard to push forward a cybersecurity program if you're not going to take a tough stance on Russia,” Castro says.
While there hasn't been any major cybersecurity events that forced the Trump administration to take a position, “we're sort of in a holding pattern to see what the administration will do,” says Castro, noting the White House cultivates “unpredictability” to all matters, especially when dealing with the media, just adding to the overall uncertainty.
“If there was an immediate threat that the U.S. needed to respond to, you want people in the room who have already thought through these issues, and have formulated what the administration's policy will be. It's very easy to get this wrong,” Castro notes. For example, responding to an attack without proper evidence, or escalating an attack, “there are just so many things that can go wrong. You want an administration that has plans on the books of what to do.”
Scenarios involving low-to-mid-level attacks still might not warrant a response, or be critical enough to show your hand. However, addressing a major nation-state cyberattack amid uncertainty appears to be a recipe for disaster.
It's not necessarily a bad thing taking time in formulating a policy position, believes Sulmeyer, “as opposed to firing one out there after no consultation.”
Continuing animosity and mistrust between the president and the intelligence community – whether information being fed is correct and not politically motivated – doesn't instill cooperation among parties that generally need to be on the same page to be adequately prepared for a crisis.
“I think Congress will probably play a greater role in this space, there's oversight,” Castro says. “Congress has been engaged on these issues, and are able to get those intelligence briefings and communicate on the validity of responses.”
Apart from waiting for the White House's lead, Scott notes federal agencies are more focused than ever sharing cyberthreat information.
Furthermore, such cooperation within not only the government but also the private sector is necessary in today's attack-ridden climate to protect national interests, such as the power grid.
However, Trump's “America First” motto should lead to “a visceral reaction that we should keep to ourselves anything that gives the U.S. an advantage,” as opposed to forging alliances, anticipates Castro.
The North Atlantic Treaty Organization (NATO) is concerned how the tough talk out of the White House can shape cyber policy, according to Kenneth Geers, senior research scientist at Comodo, and ambassador, NATO Cyber Centre. Everybody at NATO, he says, is still in shock at the advent of Trump. He's also concerned about recent examples showing incompetence in State Department matters, for example.
Scott says the cyber professionals who his organization, ICIT, deals with at NATO, EU and U.K., are “cautiously optimistic,” hoping for the best from a policy perspective.
Heritage Foundation cyber research associate Riley Walters says anticipates potential legislation on increased cooperation with international partners, such as Great Britain, Japan and South Korea. “Maybe something with NATO, perhaps,” Walters adds.
Regarding any Trump policy surrounding cyberwarfare, Walters notes, “It's always good to make sure you have the best cyber capabilities in your arsenal,” notes Walters. “Whether we're actually using them, hopefully not, but you should not restrict yourself, I suppose.”
Geers, editor of the books Cyber War in Perspective and The Virtual Battlefield, points out cyberattacks today will precede any kind of military strike of significance. His point jibes with New York Times reporter David Sanger recently talking to NPR about the Obama administration quietly waging an “active cyber war” with North Korea to ward off its nuclear weapon capability.
“A tank, a plane or a ship, especially in a military context, is vulnerable to a wide range of attacks, sometimes even more so because they're bristling with communications,” notes Geers, who's also a senior fellow at the Atlantic Council.
Cyber plays a large role not only in intelligence gathering, but in turning off censors on their side and re-routing traffic, points out Geers. A cyberattack can not only destroy a piece of equipment, it can tell the owners of that equipment that it's working fine, meanwhile it's lying on the floor in pieces, he adds.
“Russia is big in the conversation right now regarding the cyberwarfare side of things,” notes Scott.
That political distraction notwithstanding, “Cybersecurity is an international problem that requires an international solution, and that's why the best place to seek progress is the EU and NATO,” says Geers, citing the president's banter against both organizations. “You can strike back, but you need allies in cyberspace,” he adds. n
All the President's Men
• Rob Joyce, cybersecurity coordinator, former NSA: “Another good sign of bringing disciplined and experienced professionals to the top table in government,” Michael Sulmeyer says, adding that Joyce's “years of experience both offense and defense” makes him “a really good pick.”
• Tom Bossert, a former national security aide to President George W. Bush, is currently homeland security adviser in the White House. Bossert “has a handle on the complexity of homeland security, counterterrorism, and cybersecurity challenges,” Trump said in a statement about the appointment. Bossert helped draft the federal government's first cybersecurity strategy.
• Lt. Gen. H.R. McMaster, national security adviser: “A very good sign of potential greater discipline,” Sulmeyer says.
• Joshua Steinman, possibly headed for the National Security Council under Joyce, he formerly worked at a Pentagon office in Silicon Valley.
• Former New York City Mayor Rudolph Giuliani is still expected to chair a presidential commission on cybersecurity.
• Reed Cordish, assistant to the president for intragovernmental and technology initiatives, previously a real estate developer close to Trump.