Filter By:

Recent Blogs & Podcasts

Back to Insights

Trump and Security: What to Expect in the New Administration

January 4, 2017 | Regulations & Legislation
By Daniel Maloof, IANS Managing Editor,
     Dave Shackleford, IANS Faculty,
     Aaron Turner, IANS Faculty

Prepping for the New Trump Regime

We all know incoming U.S. President Donald Trump is focused on physical security and building the wall, but what about cybersecurity policy? If his recent comments are any indication, part of making America great again could mean “if you have something really important, write it out and have it delivered by courier, the old-fashioned way.” And, sure, while “don’t use computers” is certainly one way to look at cybersecurity, it’s not exactly realistic.

So for now, it’s difficult to pinpoint exactly what the new administration’s policies and proposals concerning cybersecurity will be for the next four years. But it’s still a fruitful exercise to look for clues in some of the president-elect’s many statements and actions during the campaign (and in the years prior).

In this report, a handful of IANS Faculty use those statements and actions to detail what they believe we should expect from the new Donald Trump administration in terms of digital privacy, consumer protections, the EU-U.S. Privacy Shield, the U.S. Cybersecurity Framework and more.

IANS Faculty Rebecca Herold

I have been tracking key statements President-Elect Donald Trump has made over the past couple of years related to technology, cybersecurity and privacy. There have been many. Here are just a few and a brief synopsis of just five likely impacts of a Trump presidency on the associated topics:

What is more disturbing is that Trump has not changed his viewpoints, despite increased exposure to technology, cybersecurity experts and reports since becoming the GOP candidate in early 2016. I say exposure because while the intelligence agencies were virtually begging him to listen to their reports, he has simply stated he is “a smart person” and basically already knows what he needs to know about security. In the same breath, he points out that his 10-year-old son knows all about computers, but that he thinks computer security is “very, very tough” and “hardly doable.” Even Michael Hayden, the former director of the CIA and National Security Agency, said “the president-elect himself has shown no interest in understanding the issue.”

Taking all these troubling statements and situations into consideration, I do not hold high hopes for strong support for cybersecurity, but I do foresee expanded surveillance and weakened privacy tools over the next four years.

IANS Faculty Mike PinchThere are few clear signals to key on when trying to predict the effect Trump as POTUS will have on cybersecurity. In examining the few clues we have, it does not appear we are moving toward any meaningful improvements; instead, we are likely to slide backward.

This is a complex question to examine, however, because the general topic of cybersecurity can mean so many things, including the privacy of our citizens, our governmental defense of key assets, our offensive measures against other countries, and support for private sector defense, as well as legal policy underscoring all of this.

I do have some specific observations: 

  • Trump’s cabinet picks lack experience. Trump has yet to pick anyone for his cabinet to focus on cybersecurity. The remainder of his cabinet picks have been, in aggregate, the least experienced cabinet in recent history. This gravitation toward lack of experience in filling roles does not bode well for the topic of cybersecurity.

  • Trump hotels have been hacked multiple times. While not uncommon nowadays, it does not show an outstanding amount of understanding for the importance of cybersecurity.

  • Trump publicly encouraged foreign hackers to target his opponents. His encouragement of such activities in public shows little understanding for the potential damage that can be caused by a cyberattack. When asked about his plans for cybersecurity, Trump referenced the amazing skills of his 10-year-old son and called it “the cyber.” This would tend to indicate he has no significant plan or understanding of cybersecurity.

In summary, I believe Trump will likely make little inroads at protecting the private sector through operations or policy, but he will likely be aggressive against those he sees as enemies – be they U.S. citizens, immigrants, foreign nations, etc. Certainly, the growth trends of jobs and demand for cybersecurity employees will continue.

If you read the official policy the Trump campaign has offered on cybersecurity, it sounds reasonable. He plans to order a review of our current security posture and defenses, aiming to provide recommendations on safeguards and establish new protocols for security awareness training for government employees. He also mentions creating task forces at several levels of government (federal, state and local) for law enforcement to implement response tactics.

He also wants to enhance U.S. Cyber Command, and increase both our offensive and defensive tools and capabilities to deter attacks and respond appropriately if warranted. Again, this all sounds reasonable. There are some gaps in the approach though, and the first is simply this -- it is all incredibly vague.

Why would someone who claims to be dedicated to improving cybersecurity tweet something like this (see image below). This does not sound like someone who has a clue at all about a) cybersecurity in general, and b) the actual capabilities of the U.S. defense and intelligence communities.

Judging Trump and his incoming administration on the basis of his current ignorance is likely shortsighted, though. What we should be worried about is the recent selection of Trump’s cabinet.

Trump’s choices for Attorney General, Sen. Jeff Sessions (R-Ala.), and CIA Director, Rep. Mike Pompeo (R-Kan.), have both publicly argued that the government needs more surveillance powers over U.S. citizens. Pompeo has actually called for mass collection of social media information and suggested that Edward Snowden be put to death. On the other hand, Trump’s choice for national security adviser, Lt. Gen. Michael Flynn, is keen to add offensive cybersecurity capabilities, which could be an indicator of some progress.

Many feel Trump is not prepared to understand the magnitude of today’s threats from nation state actors and real criminal organizations, instead focusing on monitoring the activities in and from the U.S. This could lead to a breakdown in U.S.-EU data privacy protection under the recently approved Privacy Shield framework. The EU has long had more stringent focus on consumer privacy, and it may balk at more monitoring in the U.S.; alongside this, U.S. citizens may seek to store their personal data in the EU to avoid the U.S.’ prying eyes.

Many are also worried Trump’s administration won’t put enough emphasis on protecting critical infrastructure like telecommunications, energy and finance, but it is likely too early to tell. The only thing we can be sure of right now is that things are more uncertain than ever before.

If Nigel Farage and the U.K. Independence Party’s Brexit victory was the canary in the coal mine of U.S.-Anglo politics, giving us the forecast of a President-Elect Trump, then should we view U.K. cyber policy initiatives as another leading indicator for what’s heading our way in the U.S. under Trump? Based on the latest technology-focused legislation just passed in the U.K., that forecast is not a pleasant one for many U.S. technology companies and enterprises with large IT infrastructures.

The U.K.’s Investigatory Powers Act, which was signed into law in November, includes language that could be interpreted by bureaucrats to give them powers that require encryption and surveillance backdoors in technologies. Section 217 of that law outlines that the U.K. government be informed of any new technologies being deployed in the country and allows the government to demand technical changes to software and systems to enable full encryption compromise and surveillance of users. I never thought I would see the day where the U.K. and the People’s Republic of China have similar technology regulations, but with Section 217, we see many similarities with China’s Office of State Commercial Cryptography Administration (OSCCA).

Should similar policy strategies be undertaken in the U.S., it would nearly guarantee that most technology companies would move offshore to cryptographic safe havens and only sell their technologies through “unlicensed resellers” to avoid having to backdoor their systems before release to the U.S. market.

More Surveillance

Looking at the trajectory of where the U.K. is heading from a cyber policy perspective and combining it with past statements made by key Trump appointees, we face significant risks to the integrity of personal and business communications and a future where the U.S. government’s surveillance capabilities are expanded. Trump has appointed Rep. Mike Pompeo (R-Kan.) as head of the CIA and Gen. Michael Flynn as his national security advisor. Neither one of those appointees indicate a policy strategy that would result in a reduction in the surveillance state or an assurance of confidentiality of personal or business information.

About 40 years ago, a congressional committee headed by Sen. Frank Church (D-Idaho) published a report summarizing the risks the U.S. faces in the event that its intelligence and surveillance powers are not properly checked. It’s probably time for people to read the Church Committee Report and take a long look at where things are heading, not just from the perspective of individual information privacy rights, but also what business are required to do to assist state surveillance activities.

For example, ever since the Communications Assistance for Law Enforcement Act (CALEA) was passed in 1994, more companies have been brought under the jurisdiction of that law to serve as data preservation and digital wiretap agents for the U.S. government. On our current policy trajectory, it is not outside the realm of possibility that any company could be forced to serve as a data collection and wiretap agent against its employees or customers. If such policies were to be enacted, they would result in significant IT business process impacts from both a staffing perspective, as well as in the technologies that would have to be deployed to comply with such requests.

The secession activists in California after the election have made me think there may be some interesting cyber policy activity at the state level, compared to what the Trump administration will pursue at the federal level. We’ve already seen California enact privacy legislation for information breaches. What if it decides to take a states-rights approach to surveillance, banning the federal government from surveilling its citizens? I think it could be possible for California to separate itself from the rest of the country on a cyber policy basis. With the animosity that exists between the Trump administration and most nearly everyone who lives in California, such a cyber policy conflict is a real possibility.

Less Data Integrity, Privacy

When it comes to information assurance/infosec policies for the government, I am not encouraged by the Obama administration’s departing efforts around improving the integrity of federal information systems. While some progress was made to declassify threat intelligence and share it with the private sector, the federal government’s complete failure to protect its own systems doesn’t give me great confidence that it can help the private sector protect its cyber infrastructure. We may be well past the point of no return for the integrity of those federal systems. We’ve seen so many ransomware attacks against civilian government agencies that perhaps all of the good information has already been stolen and the only way for attackers to monetize the data now is to hold it hostage from legitimate users.

On the privacy policy front, I sincerely hope U.S. policymakers do not follow the EU’s lead in this space. As is typical with all European policy initiatives I’ve been involved with, the EU Data Protection Directive is a great idea, but very poorly implemented and very difficult to actually comply with. On a recent project, we had to work with three separate law firms and 13 different regulators just to get a compliance ruling on the retention of one portion of the data we wanted to capture for a wireless security system.

Bottom line, it is still too early to tell exactly which direction the Trump administration is going to follow on many of these points, but we should pay close attention to how things are moving forward in the coming months. It is my hope that technology and industry leaders can help shape a cyber policy strategy that is realistic and pragmatic in its approach, but also adheres to the ideological tenets outlined in the constitution. 

A Level of Uncertainty

With a little over two weeks remaining until Inauguration Day, we’re still very much in wait-and-see mode when it comes to President-Elect Donald Trump’s cybersecurity policies. While he has certainly said (and, of course, tweeted) a number of alarming and inflammatory things, it remains to be seen just how much his actions in office will reflect these statements.

Ultimately, one can only hope President-Elect Trump will rely heavily on the wisdom and advice of the information security community as he and his team craft their cybersecurity policies. Otherwise, while the Doomsday scenario some have predicted remains exaggerated, everything from a potential assault on our current expectations of privacy to an increase in censorship remains in play.


Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.

Related Research

1/2/2018 | Ask-an-Expert
Create a Workable Acceptable Use Policy for Social Media

12/28/2017 | Ask-an-Expert
Benchmark Your Privacy Program Maturity

11/28/2017 | Ask-an-Expert
Balance Remote Worker Security and Privacy

11/13/2017 | Ask-an-Expert
Security vs. Privacy: Who Does What?