Modern field guide to security and privacy

Obama officials: There's hope for cybersecurity under Trump

At the Beat the Breach event during the RSA Conference in San Francisco this week, current and former US government officials expressed optimism about the state of cybersecurity under President Trump.

Photo by Paul Brigner for The Christian Science Monitor
Lisa Monaco, former Homeland Security Adviser for President Obama, spoke at the Beat the Breach event on Tuesday during the RSA Conference in San Francisco.

Worried about the future of US cybersecurity under President Trump? Don't panic, say current and former government officials. 

Although Mr. Trump hasn't offered policy specifics, some former Obama administration officials said a draft executive order on cybersecurity, which has circulated in Washington, could offer welcome improvements on the technology front.

In fact, according to former White House Homeland Security Adviser Lisa Monaco, much of what the Trump administration has floated appears to borrow directly from the Obama playbook on cybersecurity.

"You could basically lift that entire paragraph out of Obama's cyberstrategy," said Ms. Monaco, referring to provisions in the draft executive order to protect critical infrastructure and manage digital risk.

Monaco spoke during Beat the Breach on Tuesday, an event cohosted by Passcode and the cybersecurity firm Invincea that coincided with the RSA Conference, a massive industry gathering that brought thousands of executives, technologists, experts, and government officials here this week.

Much of the conversation at Beat the Breach, as well as during the RSA Conference, centered on how Trump might address cybersecurity in the aftermath of an election in which concerns about Russian hackers, and their role in the presidential campaign, became front-page news.

Monaco, one of President Obama's closest cybersecurity advisers in his second term, said she spoke with her successor, Tom Bossert, for a dozen hours. In those conversations, Monaco says she emphasized continuity on critical digital security policies, such as work on enhancing the federal government's cybersecurity and legacy systems and beefing up the norms of state behavior in cyberspace.

Mr. Bossert earned bipartisan plaudits serving as a White House homeland security official under the second President Bush, leading work on a 2008 presidential directive boosting cybersecurity infrastructure inside the US government. He'll also inherit efforts to work with Silicon Valley companies to kick the Islamic State off of social media platforms such as Twitter and Facebook. Monaco described that effort as "one of the hardest policy problems" she dealt with in the Obama White House.

"We're not going to delete our way out of this problem," she said of Twitter's suspension of hundreds of thousands of accounts linked to IS and other violent extremist groups. "How can we work together to make sure that these platforms aren't being abused?"  

Prior to Election Day, the FBI warned that unidentified hackers had broken into state election boards in Illinois and Arizona. In the wake of those incidents, the draft order directs US government agencies such as the Justice and Defense Departments to help Homeland Security beef up protections for critical infrastructure. 

Paul Brigner for The Christian Science Monitor
Greg Touhill, a retired Air Force general, served as the first federal chief information security officer under the Obama administration. He spoke at the Beat the Breach event during the RSA Conference in San Francisco this week.

Gregory Touhill, a retired Air Force general hired as the federal government's first chief information security officer last year, said the strength of the draft order reflected a successful handoff of US digital defenses. 

Despite Trump's tweets blasting Obama's efforts to assist in the transition, Mr. Touhill said the departing administration had "left behind a really good flight plan" on cybersecurity. But Touhill, who left his post just weeks ago, still called for improvements in training, education, and replacing legacy technology systems in the US government. 

"Hygiene across private and public sectors is not up to snuff," said Mr. Touhill, who left his post just days into the Trump administration. "From my perch as chief information security officer, I’m looking at the architecture and I’m saying, 'Holy crap, this is built on a 1980s organization chart.'"

The US government could be spending upwards of 80 percent of its information technology budget on legacy systems. That became a key focus for Tony Scott, who served as Obama's chief information officer, and it became a focus of a bill from Rep. Will Hurd (R) of Texas that passed the House last year.

Creating stronger standards for technology could be an area of collaboration between Washington and Silicon Valley. That relationship still faces strain under the Trump administration, especially if the issue of encryption resurfaces: the commander-in-chief threatened to boycott Apple products during the FBI's dispute with the company over a US court order to create password-busting software for the San Bernardino, Calif., shooter's iPhone.

But the US government has more tools in its arsenal than ever to defend those systems against the increased spate of digital attacks coming from nation-state actors, such as sanctions, indictments, and expelling diplomats. 

"Using all of the tools at our disposal as a government, we need to continue to hold these bad actors accountable," Monaco said, referencing Iranian breaches of US systems and the suspected Russian digital interference campaign ahead of November's elections. "We're not going to tolerate this behavior."

Paul Brigner for The Christian Science Monitor
Deputy Assistant Attorney General for the National Security Division, Department of Justice, Adam Hickey spoke at Beat the Breach this week in San Francisco during the RSA Conference.

"We're also looking for sanctions," said Adam Hickey, a deputy assistant attorney general at the Justice Department. "I don't know why we would take that tool off the table."

In recent years, Washington has pushed harder to attribute more state-sponsored digital attacks, using sanctions and indictments to target foreign hackers. In 2014, the Justice Department charged five hackers associated with China's People's Liberation Army for allegedly breaching US companies. Later that year, the FBI blamed North Korea for a costly intrusion into Sony Pictures – which led to US sanctions.

But in responding to the spate of digital attacks facing US government systems, Mr. Hickey said the prospect of digital retaliation against hackers who have intruded on private networks presents serious legal questions – and that it may not be a tool that network defenders want themselves.

The government can play a critical role in shaping cybersecurity simply by creating rules of the road, said Rich Barger, director for security research at Splunk.

"There are laws and norms in place," said Mr. Barger. "You shape the domain in which they operate and you don't have to get into something else."

Paul Brigner for The Christian Science Monitor
Rich Barger, director of security research for the firm Splunk, spoke at Beat the Breach this week during the RSA Conference in San Francisco.

Correction: This article was updated after publication to correct a quote from Gregory Touhill, the federal government's first chief information security officer. He said the federal government's IT infrastructure was based around a 1980s organizational chart, stressing the need to redesign its systems.
