Obama officials: There's hope for cybersecurity under Trump

At the Beat the Breach event during the RSA Conference in San Francisco this week, current and former US government officials expressed optimism about the state of cybersecurity under President Trump.

Worried about the future of US cybersecurity under President Trump? Don't panic, say current and former government officials. 

Although Mr. Trump hasn't offered policy specifics, some former Obama administration officials said a draft executive order on cybersecurity, which has circulated in Washington, could offer welcome improvements on the technology front.

In fact, according to former White House Homeland Security Adviser Lisa Monaco, much of what the Trump administration has floated appears to borrow directly from the Obama playbook on cybersecurity.

"You could basically lift that entire paragraph out of Obama's cyberstrategy," said Ms. Monaco, referring to provisions in the draft executive order to protect critical infrastructure and manage digital risk.

Monaco spoke during Beat the Breach on Tuesday, an event cohosted by Passcode and the cybersecurity firm Invincea that coincided with the RSA Conference, a massive industry gathering that brought thousands of executives, technologists, experts, and government officials here this week.

Much of the conversation at Beat the Breach, as well as during the RSA Conference, centered around how Trump might address cybersecurity in the aftermath of an election in which concerns about Russian hackers, and their role in the presidential campaign, became front page news.

Monaco, one of President Obama's closest cybersecurity advisers in his second term, said she spoke with her successor, Tom Bossert, for a dozen hours. In those conversations, Monaco says she emphasized continuity on critical digital security policies, such as work on enhancing the federal government's cybersecurity and legacy systems, beefing up the norms of state behavior in cyberspace.

Mr. Bossert earned bipartisan plaudits serving as a White House homeland security official under the second President Bush, leading work on a 2008 presidential directive boosting cybersecurity infrastructure inside the US government. He'll also inherit efforts to work with Silicon Valley companies to kick the Islamic State off of social media platforms such as Twitter and Facebook. Monaco described that effort as "one of the hardest policy problems" she dealt with in the Obama White House.

"We're not going to delete our way out of this problem," she said of Twitter's suspension of hundreds of thousands of accounts linked to IS and other violent extremist groups. "How can we work together to make sure that these platforms aren't being abused?"  

Prior to Election Day, the FBI warned that unidentified hackers had broken into state election boards in Illinois and Arizona. In the wake of those incidents, the draft order directs US government agencies such as the Justice and Defense Departments to help Homeland Security beef up protections for critical infrastructure. 

Gregory Touhill, a retired Air Force general hired as the federal government's first chief information security officer last year, said the strength of the draft order reflected a successful handoff of US digital defenses. 

Despite Trump's tweets blasting Obama's efforts to assist in the transition, Mr. Touhill said the departing administration had "left behind a really good flight plan" on cybersecurity. But Touhill, who left his post just weeks ago, still called for improvements in training, education, and replacing legacy technology systems in the US government. 

"Hygiene across private and public sectors is not up to snuff," said Mr. Touhill, who left his post just days into the Trump administration. "From my perch as chief information security officer, I’m looking at the architecture and I’m saying, 'Holy crap, this is built on a 1980s organization chart.'"

The US government could be spending upwards of 80 percent of its information technology budget on legacy systems. That became a key focus for Tony Scott, who served as Obama's chief information officer, and it became a focus of a bill from Rep. Will Hurd (R) of Texas that passed the house last year. 

Creating stronger standards for technology could be an area of collaboration between Washington and Silicon Valley. That relationship still faces strain under the Trump administration, especially if the issue of encryption resurfaces, an area where the commander-in-chief threatened to boycott Apple products during the FBI's dispute with the company over a US court order to create password-busting software for the San Bernardino, Calif., shooter's iPhone.

But the US government has more tools in its arsenal than ever to defend those systems against the increased spate of digital attacks coming from nation-state actors, such as sanctions, indictments, and expelling diplomats. 

"Using all of the tools at our disposal as a government, we need to continue to hold these bad actors accountable," Monaco said, referencing Iranian breaches of US systems and the suspected Russian digital interference campaign ahead of November's elections. "We're not going to tolerate this behavior."

"We're also looking for sanctions," said Adam Hickey, a deputy assistant Attorney General at the Justice Department. "I don't know why we would take that tool off the table."

In recent years, Washington has pushed harder to attribute more state-sponsored digital attacks, using sanctions and indictments to target foreign hackers. In 2014, the Justice Department charged five hackers associated with China's People's Liberation Army for allegedly breaching US companies. Later that year, the FBI blamed North Korea for a costly intrusion into Sony Pictures – which led to US sanctions.

But in responding to the spate of digital attacks facing US government systems, Mr. Hickey said the prospect of digital retaliation against hackers who have intruded on private networks presents serious legal questions – and that it may not be a tool that network defenders want themselves.

The government can play a critical role in shaping the cybersecurity simply by creating rules of the road, said Rich Barger, director for security research at Splunk.

"There are laws and norms in place," said Mr. Barger. "You shape the domain in which they operate and you don't have to get into something else."

Correction: This article was updated after publication to correct a quote from Gregory Touhill, the federal government's first chief information security officer. He said the federal government's IT infrastructure was based around a 1980s organizational chart, stressing the need to redesign its systems.