As President Trump took office on Friday, the media headlines announced his vow to remake the nation with quotes like: “This American carnage stops right here.”
The Washington Post proclaimed that Trump’s inaugural speech marks a sharp break with the past — and his party. “Donald Trump began his presidency as he ran his campaign — with blunt, searing talk about a crippled nation in dire need of bold, immediate action. His inaugural address broke with those that came before it. This, he made clear in case anyone had not yet gotten it, will be a very different presidency.”
Our new president’s inaugural speech made international waves according to The Washington Times: “There were protests in London, Tokyo and Manila. There were celebrations in Moscow, and expressions of anger, joy and congratulations on social media across the world.”
As I watched the events of this week unfold, it was clear to me that we have entered a new era that transcends the traditional politics of the right and left. The unprecedented fact that our new president comes into office with no government or military taglines on his resume is a scary sign to the “inside the Beltway” established order, but a breath of fresh air to many more outside the D.C. Beltway.
The promise of a pragmatic businessman in power who will “get things done” probably seems like a hollow promise to the protestors around the world who seem to prefer the old ways of doing things better.
But regardless of your political viewpoint, there should be no dispute about the need for significant attention regarding new cyberspace policies, government actions and industry practices, since “carnage” accurately describes our current situation in cybersecurity. As one reads through the security predictions for 2017 from the top global security and technology companies, no one is optimistic.
Our Cybersecurity Emergency
If we want a different result, we need to stop doing the same things. Put simply, the public and private sectors are losing more cybersecurity battles every day, and there is a steady litany of bad news online, data breaches, stolen intellectual property, and even hacking to bring down critical infrastructure. While assessing these cyberproblems, add in the fog that surrounds possible Russians meddling in our election, recounts in the name of hacking and the overall media focus on these information security issues over the past few months.
Bottom line: Our ‘as is” global cybersituation fits in the “ugly” category.
At the same time, cybersecurity is now a top priority in defense, business, health, government (including state and local) and in almost every area of life. But while everyone agrees that we have enormous cyberchallenges, most people have very low expectations that progress can be made by the new administration. Global audiences have become numb to political speeches explaining data breaches, as government computers and political leaders seem to get hacked just as often as everyone else.
The silver lining: This cybersecurity situation opens up a huge opportunity for some quick wins and lasting progress for the new administration.
What Has President Trump Said and Done so Far on Cybersecurity?
Beyond the statements on cybersecurity at DonaldjTrump.com, a few comments on the importance of cybersecurity and some tweets on hacking from President-elect Trump, not very much is known about our new president’s plans for cybersecurity policy.
During the transition, the president-elect did select Tom Bossert, a former Bush administration cybersecurity aide, as his top counterterrorism adviser. He also selected Gen. John Kelly as Homeland Security Secretary, but his specific views on cybersecurity policy are not well known.
Still, up until this inauguration, the “industry consensus” viewpoint was not positive on President Trump’s plans regarding cybersecurity. Before the election, The Atlantic offered this piece about “Trump’s Incoherent Ideas About ‘The Cyber.’
More recently, there has been widespread ridicule over the selection of Rudy Giuliani as the President’s cybersecurity adviser.
Here’s an assortment of global articles condemning the choice of the former mayor of New York City to be the president’s cybersecurity adviser:
The Guardian (UK): Rudy Giuliani is an absurd choice to defend the US from hackers Reason.com: Giuliani as a Cybersecurity Advisor for Donald Trump Does Not Bode Well Engadget.com: Giuliani as Trump's cybersecurity adviser is an unfunny joke Things did not get any better when reports surfaced that Giuliani was among several new appointees who had had their passwords hacked before they even took office.
Not so Fast: an Impressive Adviser for Cyber?
Nevertheless, I think the choice of Rudy Giuliani as cybersecurity adviser is a strong, developmental move, and this presidential action signals a sea change for the cyberindustry. Security pros have long been seeking “a seat at the table with top executives,” and more overall respect, attention and resources. Well, you just got it.
As I wrote in support of Parry Aftab’s defense of Giuliani in this new cybersecurity adviser role, perhaps the top trait of any cybersecurity leader/liaison/adviser in government is that he/she is trusted by the top government leader (in this case President Trump). Access, priority and proper attention come first. When recommendations are made, are they followed through to completion? Are budget and resources allocated?
The importance of this initial choice is an important litmus test for success in my experience working on security and technology issues with Republican and Democratic administrations in Michigan Government, as well as with security leaders all over the world for the past two decades.
There is little doubt that Rudy Giuliani has earned that trust from President Trump. I agree with Aftab’s point that Giuliani will surround himself cyberexperts with experience and good ideas. But perhaps more important, he will have the ear of the president. He will not be ignored. Regardless of your political viewpoint, you must admit that this is a milestone for cybersecurity in America (and the world). A widely recognized, top political name has the title "Cybersecurity Advisor/Liaison." And the president of the USA will certainly be listening to what Rudy Giuliani will say. Too many cybercommissions and recommendations (full of experts) have been ignored. Sadly, it took a lot of hacking and data breaches to reach this point, but this is a new day for cybersecurity attention in government.
There were a few others worth reading who publicly support Giuliani in his new role, such as this opinion piece from Jonathon Hauenschild, the director of the American Legislative Exchange Council’s Task Force on Communications and Technology.
In my government cyber-roles in Michigan, I have known and worked with most of the past White House Cybersecurity advisers/coordinators like Richard A. Clark, Michael Daniel and Howard Schmidt. They are all very smart people. While they likely had more technical knowledge on cybersecurity than Giuliani, they did not have more clout or executive experience. Going forward, expect even more attention regarding executive roles for senior cyberprofessionals in government and the private sector.
Where Next for a Presidential Cyberplan?
President Trump has announced that he will form an external industry advisory council on cybersecurity that will meet with him regularly to assess how best practices can be implemented. This pragmatic approach is certain to be popular with industry leaders. This is a great move.
Further, in a press conference during the transition, the president announced a major report on hacking defense: “Trump told reporters that within 90 days of taking office, his CIA director and director of national intelligence (DNI) will be producing a report on the state of America's cybersecurity. ‘Within 90 days, we will be coming up with a major report on hacking defense, how do we stop this new phenomena — fairly new phenomena — because the United States is hacked by everybody,’ Trump said. The announcement falls in line with his campaign pledge to develop the cyber offense and defense needed to protect U.S. assets. …”
There is plenty of work that has already been done to kickoff this review effort. The Center for Strategic & International Studies (CSIS) Cyber Policy Task Force issued a report on Jan. 5, 2017 that has many recommendations, including:
Accelerate efforts to secure critical infrastructures and services and improve “cyberhygiene.” Use incentives, but if they don’t work, don’t be afraid to regulate. As part of this, the U.S. needs to improve authentication of identity and secure government agencies using managed services and service. Incentivize companies to make cybersecurity and data protection a priority for boards and C-suites. Identify what resource issues, such as research or workforce development, need federal action and which are best left to the private sector. Strengthen government cybersecurity by streamlining White House bureaucracy, creating a special GAO office dedicated to federal cybersecurity, and clarify the roles of DOD and other agencies. A stronger DHS is crucial, and the new administration must either strengthen DHS with more resources and a clear cybersecurity mission or create a new cybersecurity agency. Revise the international strategy to emphasize partnerships with like-minded nations against common foes and improve the ability to deter attackers by developing a full range of response and countermeasures that go beyond the threat of military action. Significantly increase senior-level attention to cybercrime, and build international cooperation to fight botnets and sophisticated financial crime, and creating penalties for countries that won’t cooperate. An executive summary of the CSIS report can be found here.
I think the cyberhygiene aspects of this report as well as the great work being done by the National Cyber Security Alliance at staysafeonline.org should get immediate attention by the president’s new cyberteam. The Stop.Think.Connect campaign is a huge vendor-agnostic solution that can help all Americans see what their role needs to be in protecting their corner of cyberspace.
Expect to see similar pragmatic actions on most of the CSIS items above, with low-hanging fruit announced first.
I know the Obama administration took cybersecurity very seriously. They accomplished several goals. And yet, largely because our enemies are increasing and improving faster than we are online, our overall cybersituation is now worse than where we were eight years ago. I think many of Trump’s words from his inaugural speech are also true about online activities and cybersecurity.
Yes — we are seeing a lot of carnage in our digital world. Will it stop? Our future innovation as a nation is at stake.
Back in November 2016, I asked the question: Will President-Elect Trump Surprise On Cybersecurity? I ended this way: Trump will likely surprise us (in a positive way) on cybersecurity. In a year of surprises in other areas, President-elect Trump is not to be underestimated.
Let’s start with a hopeful outlook ...
“America's best days are yet to come. Our proudest moments are yet to be. Our most glorious achievements are just ahead.” Who said that? Ronald Reagan in 1992.
I remain optimistic 10 weeks later. But even if the bad guys keep winning more battles in cyberspace (as seems likely), the new administration has a reset opportunity, with a new cyberapproach, led by a new business-minded president, and a well-known global adviser who helped NYC manage through 9/11.
One thing is certain, we’ll still be talking about cybersecurity heading into the 2020 election. President Trump understands this.
Time to get to work.