Influencers: Trump won’t improve cybersecurity
Three-quarters of Passcode's pool of digital security and privacy experts say they do not believe cybersecurity will improve with the Republican in the Oval Office.
—President-elect Donald Trump has promised that protecting the country from cyberattacks will be a “major priority” for his administration, but three-quarters of Passcode’s pool of digital security and privacy experts say they do not believe cybersecurity will improve with the Republican in the Oval Office.
Passcode’s latest Influencers Poll, a regular survey of 160 current and former government and intelligence officials, and leaders from the private sector and advocacy community, revealed broad pessimism about country’s digital security over the next four years both because of Mr. Trump’s stated policies – and his own personal lack of tech knowledge.
“I voted no simply because the president elect himself has shown no interest in understanding the issue,” says Michael Hayden, a retired Air Force general and the former director of the CIA and National Security Agency.
Trump’s response to a question about how he would improve the country’s cybersecurity at a presidential debate this fall – in which he brought up his 10-year-old son’s “unbelievable” computer skills and referred to digital threats as “the cyber” – was largely panned by the security community as an indication he didn’t understand the complexity of digital threats facing the country. And many security experts were mystified by his refusal to blame Russia for the high-profile hacks on political organizations that took place during the campaign, a public break with the conclusions of the US intelligence community and prominent researchers who investigated the cyberattacks.
While Mr. Hayden, now a principal at global advisory firm The Chertoff Group, says “there may be some hope, however, that the government under him will continue to move albeit slowly in the right direction,” other experts are wondering if Trump’s campaign trail comments make it less likely top tech talent will choose to work in his administration over (typically) higher-paying jobs in the private sector.
“Set aside the lack of understanding (10-year-old sons excluded) and turning a blind eye to Russian role in an attack on American institutions, the real damage may be on the people side,” says Peter Singer, strategist and senior fellow at New America think tank. “It is hard enough for government to recruit and retain talent, especially in a field like cybersecurity. It just got bigly harder.”
Several security and privacy experts voiced concerns with Trump’s strong stance against encryption. During the campaign, he went so far as to call for a boycott of Apple as it pledged to fight a court’s ruling to help the FBI unlock the iPhone used by the shooter in the San Bernardino terror attack. Those who believe that strong encryption is essential for protecting consumers’ data from cyberattacks are alarmed at the prospects of Trump’s administration trying to mandate companies build in ways for the US government to access secure communications.
“To date, Trump’s stance on encryption, backdoors, and cybersecurity appears naive and contrary to our founding fathers’ vision and innovation,” says Nico Sell, cofounder of encrypted messaging app Wickr. “Everyone in the global information security community is now watching to see who Trump surrounds himself with. Security is a global critical challenge; my hope is that he brings his views up to date once briefed by intelligence experts. The world needs a strong role model on this very important issue that impacts us all.”
Cindy Cohn, executive director of the Electronic Frontier Foundation, is also calling for Trump to listen to security experts on encryption policy. “We desperately need leadership that recognizes that empowering users and companies to provide the strongest security and creating incentives for them to do so is the best way for us to actually be more secure,” she says. “That means supporting strong encryption and helping companies fix security problems rather than keeping them open and hoping no bad guys find them. While Mr. Trump could remedy his lack of knowledge with some reasonable appointments, there’s no indication yet that he will.”
However, 25 percent of Influencers said they believed cybersecurity would improve under Trump. “Yes, I think The Cyber will continue to enjoy more attention from both the executive and legislative branch under the new administration,” said one Influencer who chose to remain anonymous. “Cyber will be a priority issue for the Trump administration, and progress will continue, as it would had the election results been different,” another Influencer added. “It is a ‘must do,’ not a ‘nice to do’ issue.” Passcode allows Influencers to reply on the record or anonymously to preserve the candor of their responses.
The cybersecurity plan on Trump’s campaign website offers some ideas about how he might improve cybersecurity, including commissioning an “immediate review” of both the country’s defenses and security weaknesses, and creating task forces to respond to digital threats. Trump has also said he will seek recommendations on how to enhance the military’s Cyber Command with “a focus on both offense and defense.” He’s also already tapped retired Army lieutenant general Michael Flynn, a former director of the Defense Intelligence Agency, as his National Security Adviser.
“Could this be a Nixon to China moment? I hope so. Trump’s more aggressive rhetoric on cybersecurity gives him an obvious opportunity to set norms of restraint on certain kinds of destabilizing behaviors,” says Steve Weber, professor at the School of Information at the University of California - Berkeley. “A ‘no first use’ pledge around something like critical infrastructure would mean a lot coming from this new administration.”
Other Influencers were optimistic even if they didn’t think that the president-elect or his administration would be the ones to alleviate the cyberthreats. “If there is some major national hack, Congress will act instead,” one Influencer said.
And some privacy advocates said they thought Trump himself could be the reason people fortify their digital defenses – in opposition to his embrace of surveillance and government access to encrypted communications. “Trump’s pro-surveillance campaign statements,” says Elana Zeide, a privacy expert at Princeton University’s Center for Information Technology Policy, “give everyone more incentive to secure their communications.”
This article was updated after publication to clarify Elana Zeide's comments.
Jack Detsch contributed to this article.
What do you think? VOTE in the readers' version of the Passcode Influencers Poll.
Who are the Passcode Influencers? For a full list, check out our interactive masthead here.
“With change in administrations there is opportunity, but in the near term they will be learning how to govern. While cybersecurity played out as a backdrop to the election it was not focal to Trump’s campaign. Immigration, trade, infrastructure, and Obamacare reform will suck all the oxygen out of the room and leave little room for the (civilian) security community to make gains.” - Jeff Moss, founder of Black Hat and DEF CON
“Data security and security of IoT is a major concern for consumers. My biggest concern is the next administration mandating broad exceptional access mandates which would undermine the security of IoT.” - Terrell McSweeny, Federal Trade Commissioner
“The current mix of incentives and disincentives in the US is not driving improvements and the Trump stated goals for information sharing are unlikely to improve the situation. Hopefully his focus on more efficient and effective government causes reform of acquisition and procurement, which would have a net positive effect within government.” - Influencer
“The answer of course depends on who the advisors to the president are and on the final policy decisions that are made and enacted, but initial indications are not favorable overall with respect to cybersecurity policy. Based on his prior comments (essentially anti-Apple/anti-encryption), the president-elect is likely to favor less security in exchange for more government access, which would weaken our security overall. Further, with a closely divided Senate, the current glacial rate of policy developments on cybersecurity will not likely accelerate, placing us further ‘behind the curve’ relative to worldwide developments and needs in cyberspace over time. One outstanding issue that could improve under the Trump administration is the Wassenaar Agreement, more specifically its language on ‘intrusion software’ to which cybersecurity technology firms and legitimate cybersecurity are strongly opposed. As this ongoing debate will run into the next presidential term, the Trump Administration has an opportunity (and presumably an interest) in ‘rebooting’ the conversation, hopefully aiding in bringing it to a more acceptable conclusion. With proper industry expertise being applied to the renegotiation of this problematic contract, cybersecurity companies can confidently take a more active role in stopping cybercrime and cyberespionage without running the risk of prosecution or other negative impacts to their business or freedom.” - Influencer
“My assessment is based on the initial challenges I believe the Trump administration will face in retaining and attracting the best technical talent and the most strategic policy and law thinkers. I believe we will continue to maintain a robust cybersecurity technical and tactical capacity, but I worry that episodic interference from President Trump’s senior political advisors, or unconventional geopolitical decisions by President Trump himself, may complicate a coherent approach. This challenge may, ironically, lead to more public discussion, debate, white papers, recommendations, etc. from the establishment cyber-warrior class and perhaps have more influence of time on the global cybersecurity strategy of a Trump administration over time.” - Influencer
“Nothing suggests Trump - or anyone on his staff - understands even the basics of why we need to improve the nation’s defenses. - Chris Finan, CEO of Manifold Security
“It is too early to tell, and not enough is known about their concrete policy objectives to speak with authority on whether they will take actions that improve or weaken cybersecurity. I am open to working to educate the administration about the Internet, and others should be as well.” - Christian Dawson, executive director and cofounder of the Internet Infrastructure Coalition (i2Coalition)
“[What’s on Trump’s website] is extremely vague and contains no meaningful indication that Trump would improve the current state of cybersecurity. - Yan Zhu, engineer at Brave
“Trump has advocated an ‘America first’ foreign policy, but this type of isolationism will not work for cybersecurity. Improving cybersecurity will require US leadership and global partnerships as this is not a problem that the US can solve on its own.” - Influencer
“Our most capable adversaries will exploit the gaps created by a change in leaders and capabilities. State sponsored activity is frequent, and taking fewer steps to disguise the activity.” - Jenny Durkan, global chair of the Cyber Law and Privacy Group at Quinn Emanuel law firm
“One tries to be hopeful. In reality there’s no way to predict.” - Influencer
“Trump will not regulate the IoT makers or the software makers for fear of hurting their growth and jobs. Cybersecurity under Trump will be more of the same current reactive ‘cyber smoke alarm and cyber fire station’ approach which has proven in the physical world not to prevent cities from burning down. It’s not until we have the fortitude to mandate the equivalent of brick firewalls between buildings and sprinkler systems will things change. Expect to see plenty of offense from our cyber glass house.” - Chris Wysopal, cofounder at Veracode
“I haven’t seen any urgency on this matter during his campaign, nor do I think his base is particularly concerned with matters of cybersecurity.” - Jeffrey Carr, president and CEO of Taia Global, Inc.
“US cybersecurity will continue to grow in relevance and attention regardless of who the president is, and companies will have to dedicate more resources and time to making good and secure decisions about how to protect data. Now, whether US *government* cybersecurity will improve - for that we’ll have to wait until a cybersecurity chief is named to begin to guess.” - Influencer
“Trump and his advisors have demonstrated no understanding of cybersecurity, nor any comprehension of its importance. Moreover, the recent purge of any qualified cybersecurity experts such as Mike Rogers from his team - in favor of hacks from Breitbart and Jeff Sessions’ office - makes clear that they are more interested in absolute power than any constructive accomplishments.” - Influencer
“Trump lacks the discipline and vision to implement a coherent and effective approach to cybersecurity.” - Tor Ekeland, managing partner of Tor Ekeland, P.C. law firm
“My biggest fear is Trump’s implied support for extension of law enforcement powers to include forcing vendors to break their end-to-end security in order to accommodate search warrants. The FBI’s analogy is a bank’s safety deposit box; I believe data to be fundamentally different though, and without precedent. A lot of damage can be done between now and when a relevant Supreme Court decision on this is made.” - Nick Selby, cofounder and chief executive officer of StreetCred Software
“It is *WAY* too soon to say cybersecurity will get better or worse under a Trump Presidency, or whether the Presidency will have any influence on the state of cybersecurity. We have zero track record on what his administration will or will not champion and what his administration will or will not mandate.” - Influencer
“There are not enough 400 pound hackers.” - Influencer
“US cybersecurity will improve during the Trump administration. But any improvements will have more to do with overcoming an era of cyber inertia than with anything stemming from a Trump presidency.” - Influencer
“Cybersecurity defenses are always getting better and the next four years will not be an exception (in large part because most improvements in cybersecurity arise from the private sector with its own motives). Unfortunately, cybersecurity offenses are always getting better too. Finally attack surfaces are growing, as an increasing number of Internet of Things stories reminds us. So, a broad answer has to balance three very different trends. Then there’s the question: improved relative to what? Will science advance in a Trump administration? Undoubtedly, because science never goes backwards and that would be true if science funding were cut to zero. But, with cybersecurity as with science, the question is one of comparison. If cybersecurity would have advanced more in a hypothetical Clinton administration than in a Trump administration is the answer to your question still ‘yes’? And of course, we have no clue who Trump is going to appoint – and, otherwise, I really cannot tell what Trump’s cybersecurity policies are going to be.” - Martin Libicki, senior management scientist at RAND
“Fresh eyes.” - Mark Weatherford, principal at The Chertoff Group
“While Trump in his campaign program gave little or no indication of a concrete plan to improve cybersecurity in the US, the reality is so dire that improvements in cybersecurity will be a must.” - Influencer
“Yes, contingent on him walking the talk regarding regulation accelerating the protection of the .gov morass. He needs to support the transformation at NSA and rethink the role of government.” - Influencer
“I really don’t see how he can make it worse so any changes at all will likely be improvements no matter how small. Obama couldn’t get stuff through Congress and so had to make his changes through executive proclamation. Barring some major national hack I don’t see Trump doing that. If there is some major national hack, Congress will act instead. So really I don’t see much improvement under Trump other than incremental changes. Anything like CFAA reform or changes to DMCA are pretty much off the table now I am sure. We may see a new ‘cyber’ bill get passed but it will be about as effective as CISA, in other words sound real good and have ‘cyber’ in the title but not really make a whole hell of a lot of difference.” - Influencer
“President-elect Trump has been more specific about the need to improve cybersecurity than about most defense issues. At a minimum, he’s likely to continue initiatives from the Obama administration to strengthen cybersecurity.” - Influencer
“Previous presidents have so far been unsuccessful in constructing cohesive and well informed cybersecurity policies or installing multi-disciplinary leadership. As the International cyber threats have increased in sophistication and scope, we’re rapidly approaching an inflection point where if something isn’t done, it will be done to us via external entities. Just as hacking, cybersecurity, and email breaches have been core to the election process, they will continue to grow and affect Trump’s new government. Hence, in Trumps presidency, the US government and agencies are having their hands forced in to dealing with this invasive hacking epidemic. - Günter Ollmann is chief security officer at Vectra
“In October, the US Chamber wrote an open letter to the 45th president to recommend that the incoming administration prioritize three cybersecurity issues: First, we need to build on the momentum behind the joint industry-National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, which business leaders and policymakers see as a key pillar for managing cyber risks at home and internationally. Closely linked, we urge the incoming Trump administration to harmonize existing regulations with the cyber framework. Cutting cyber red tape will serve the cause of bolstering security. Second, the Trump team starts in a strong position with the enactment of the Cybersecurity Information Sharing Act (CISA). By working as an ally with industry, the next administration can lead a culture shift to bring businesses off the sidelines to engage in effective threat information-sharing. Third, Washington’s policies ought to encourage greater adherence to international norms of acceptable behavior and deterrence in cyberspace. The pros and cons of cyber deterrence deserve more careful scrutiny than they have received to date.” - Matthew Eggers, executive director for cybersecurity policy in the National Security and Emergency Preparedness Department at the US Chamber of Commerce
“The reason for ‘Yes’ is that, in cybersecurity, offense has permanent structural advantage. AI applied to offense will result in Mexican standoff, which will be called ‘peace.’ - Dan Geer chief information security officer for In-Q-Tel
“It is not possible at this point to predict this. Trump changes his mind all the time and the direction is most likely to be determined by top advisors who as yet remain unnamed.” - Influencer