Cybersecurity issues could offer a rare opportunity for President-elect Donald Trump to build on the work of President Obama, experts told E&E News, while cautioning it’s too early to say how Trump will act once in office.
In speeches and a brief policy paper, Trump has pledged to take a hard line against hackers while sharpening U.S. cyber offensive capabilities. He has proposed setting up a "Cyber Review Team" to search for gaps in the nation’s computer defenses, including critical infrastructure such as oil pipelines and power utilities.
Rather than starting fresh, that team could complement the findings of a capstone effort by the Obama administration, according to Betsy Cooper, executive director of the Berkeley Center for Long-Term Cybersecurity at the University of California, Berkeley . President Obama’s 12-member Commission on Enhancing National Cybersecurity is scheduled to compile and report a cyber to-do list for the next administration this December.
"Hopefully the new [Trump] administration will see the benefit in having all that expertise brought to bear as they enter this transition period," Cooper said. Her organization hosted several members of the presidential commission for a meeting in June, though she is not directly involved with their work.
Cybersecurity "provides an excellent opportunity for the Trump administration to show its willingness to work with people on both sides, to try to find some of these creative solutions," she said. "I think that’s a good thing in a time when so many other issues are so polarized."
The commission came together under the auspices of the Commerce Department, which did not respond to a request last week to interview the group’s executive director, Kiersten Todt. The expert recommendations from the commission will serve as a coda for Obama’s other efforts in cyberspace, including the development of a voluntary Framework for Improving Critical Infrastructure Cybersecurity and the establishment of a new executive post, the federal chief information security officer, following an enormous breach of government employee data at the Office of Personnel Management.
On the campaign trail, Trump said he considered cybersecurity to be a "big" issue, while not yet detailing how he would distinguish his approach from that of Obama. He told NBC’s Lester Holt during the first presidential debate with his Democratic rival Hillary Clinton that "we have so many things that we have to do better, and certainly cyber is one of them."
However, experts aren’t sure Trump’s team will be eager to roll back Obama-era cybersecurity measures such as February’s Cybersecurity National Action Plan, which set up the Commission on Enhancing National Cybersecurity.
"The approaches to how we move the cyber dilemma forward might vary some, but out of necessity it might be a bipartisan" effort, said Emma Garrison-Alexander, who holds a Ph.D. in IT management and is vice dean of the Cybersecurity and Information Assurance Department at the University of Maryland University College. "From a political perspective, cyberthreats and cyber vulnerabilities are treated as equal opportunities, regardless of political affiliation, regardless of party, regardless of political views, the cyberthreat does not distinguish between any of that."
Which Trump will show up?
Computer hackers have at turns threatened, disrupted and upstaged the presidential campaign this year, offering a stark reminder of the challenges that will continue to beguile policymakers under Trump’s administration. The U.S. intelligence community accused Russian hackers of breaking into the networks of key political groups during the race, with the aim of influencing the outcome of the election. Separately, cybersecurity concerns were central to the controversy over Hillary Clinton’s use of a private email server during her tenure as U.S. secretary of State.
Beyond email security, Trump’s appointees will confront threats to key computer systems such as those that keep the power grid running.
Some of the leaders named to his presidential transition team last week have voiced concerns over the state of U.S. cyberdefenses.
Rep. Devin Nunes (R-Calif.), chairman of the House Permanent Select Committee on Intelligence, has sponsored and supported cyberthreat information-sharing legislation in the past, once writing in an op-ed that "the task of protecting our economy, our private information and our critical infrastructure from cyberattacks simply cannot wait."
Another newly announced Trump confidant, Rep. Marsha Blackburn (R-Tenn.), has in past statements decried "top-down regulations" in the cyber arena, while stating that "the private sector and government should also be working together to share information about threats."
SkyBridge Capital founder Anthony Scaramucci, another pick for Trump’s transition team, has said on Twitter that "we better be awake to" the cyberthreat posed by so-called distributed denial-of-service attacks, which channel spare computing power from hacked devices into floods of traffic that can drown out individual websites or even key parts of the internet’s infrastructure (EnergyWire, Oct. 25).
Sources in the critical infrastructure cybersecurity community have painted Trump as an as-yet-inscrutable "wild card." Will his transition team picks and political appointees pass muster with the skeptical, technical hacking community? Would Trump’s joking invitation for Russia to hack Clinton’s emails, or his attributing cyberattacks to "somebody sitting on their bed that weighs 400 pounds," have a chilling effect on his ability to recruit or retain cyber talent? How will Trump respond to the first cyber crisis of his administration, something observers say is not a matter of if but when? Will a new slate of political appointees impact threat information sharing between the government and private-sector utilities (EnergyWire, Nov. 14)?
"It’s just too early. Let’s see what the [president-elect] comes up with and what it means," noted Ralph Langner, co-founder and managing principal of the Langner Group, an industrial control system-focused cybersecurity consultancy. Langer added in an email that "I think it won’t be difficult to do better than Obama when it comes to protecting critical infrastructure against cyber threats."
Langner dissected one of the first pieces of malicious software known to have had a real-world, physical impact on Iranian nuclear centrifuges. The Stuxnet worm was reportedly unleashed on Iran as a joint Israeli-U.S. intelligence effort during President Obama’s first term in office.
Trump has promised to renegotiate many U.S. agreements, including the deal struck among Obama, Iran and several world leaders to curb Iran’s nuclear program in exchange for sanctions relief. But it’s also not yet clear what changes he will bring to cybersecurity policy on the international stage.
"When we look at cybersecurity, we have to understand it has many dimensions: You have your policy, legal and your management side of things that have to be addressed, but you also have the technology piece and the international piece," said Garrison-Alexander, a former cybersecurity official in the Department of Homeland Security’s Transportation Security Administration. "It’s a very complex environment, so we need various entities to be able to focus on these areas, but also to pull them together in a cohesive manner."
Garrison-Alexander said she will watch for how forcefully Trump pursues recommendations laid out in the Cybersecurity National Action Plan, and by the related Commission on Enhancing National Cybersecurity. She said she does not expect partisan politics to interfere with cybersecurity professionals’ willingness to defend the nation under Trump.
"Whether it’s our critical infrastructure, in our personal lives, or in our businesses — they understand the serious nature of this, and I don’t see any cybersecurity professionals being swayed by politics," she said.
Cooper of the Berkeley Center for Long-Term Cybersecurity said she would be on the lookout for all early announcements from Trump, whether they come in the form of legislation, executive orders or speeches that address cybersecurity. She said such developments will give her "a better sense of the approach that he might take as a policymaker rather than as a candidate — which may potentially be two different things."