What's the White House's BYOD policy? That's the first thing I thought when I saw photos of Donald Trump and Japanese Prime Minister Shinzō Abe huddled together in the dining room of Mar-a-Lago discussing North Korea's missile test and illuminating relevant documents with cell phone flashlights.
Followed in quick succession by: Who in the administration understands the security challenges and threats posed by the Internet of Things (IoT)? How secure is the “Winter White House”? Is the president still using an unsecured Android?
Which is pretty much what Rep. Jason Chaffetz, R-Utah, chairman of the House Oversight Committee, also wants to know. In a letter sent after the incident to White House Chief of Staff Reince Priebus, Chaffetz voiced his concerns over security during the public summit in Florida and asked for additional information and clarification. Wandering the floor at RSA this month, it was clear that security pros had similar questions.
Prior to what some members of the press have referred to as Trump's “open air situation room,” a business acquaintance predicted that this year's RSA, the first major industry show after the presidential election, would be abuzz about the new administration, with more chatter than usual on policy, regulatory and legislative issues and the like. It was. Oh, that's not to say it was the most important issue or even the most prevalent – there was plenty of talk about AI, the maturation of cloud, ransomware, IoT and more sophisticated phishing – but to what extent the new administration will advocate for cybersecurity, data protection and privacy was a frequent topic.
Exactly where the White House comes down on cybersecurity is hard to peg, especially with so many issues currently vying for space on the presidential plate. The signals from the White House certainly have been decidedly mixed. On the one hand, the president has promised a Cybersecurity Executive Order that prioritizes cyber. On the other hand, he hasn't signed it. Yet. While a flurry of executive orders has been pushed through quickly, the cybersecurity EO has languished. He's also promised to be tough on terrorists and is a fan of government surveillance to rout them out, but seems ambivalent about findings by the intelligence community that Russian hackers mucked around in the presidential election.
Then there's the fact that during the campaign, the president pounded on former Secretary of State Hillary Clinton for using a private email server, but his own cyber hygiene is troublesome – rumor has it that he still uses an unsecured Android for his storied late-night tweets.
Of course, government policy and personal hygiene are two different things. Government always grapples with cybersecurity and how best to build policy around it – Congress spent years trying to define a data breach and only a few of its members have any background in computer science or tech.
And Trump is operating without a full Cabinet and cyber team, so policy might coalesce after he fills key slots, including a replacement for White House CISO Cory Louie, who was fired in early February.
Cybersecurity may also get a boost from a more energized Congress – after nearly a decade of inertia, lawmakers seem more willing to act. The House recently moved law enforcement one step closer to having to obtain warrants to search information, including email, that has been stored with third parties for more than six months, by giving the thumbs-up to the Email Privacy Act (EPA) and sending it on to the Senate. In addition, Sen. Orrin Hatch, R-Utah, unveiled a comprehensive tech agenda while Rep. Ted Lieu (D-Calif.) and Sen. Joe Wilson (R-S.C.) took aim at privacy and cybersecurity standards for vehicles.
Rumblings from the White House also indicate the president is interested in continuing the Obama administration's push for public-private collaboration. After all, he named former New York City Mayor Rudy Giuliani as a cyber adviser to facilitate those relationships.
At the very least, the administration has helped bring cybersecurity to the forefront of political discussion, John Bambenek, threat systems manager at Fidelis, told me, raising awareness (either wittingly or inadvertently as a byproduct of political posturing). All that talk about private email servers and Russian hackers brought cybersecurity right into the living rooms of everyday Americans. Which makes organizations tasked with boosting awareness and facilitating collaboration among all stakeholders – like SC Awards Editor's Choice winner, the National Cyber Security Alliance – even more important.
While it is too early to tell just how cybersecurity will fare under Trump – and foolish to give too much weight to anecdotal information no matter how abundant – someone should tell the White House to at least establish a BYOD policy...and make it snappy.