Trump and Security: What to Expect in the New Administration
January 4, 2017 | Regulations & Legislation
By Daniel Maloof, IANS Managing Editor
Prepping for the New Trump Regime
We all know incoming U.S. President Donald Trump is focused on physical security and building the wall, but what about cybersecurity policy? If his recent comments are any indication, part of making America great again could mean “if you have something really important, write it out and have it delivered by courier, the old-fashioned way.” And, sure, while “don’t use computers” is certainly one way to look at cybersecurity, it’s not exactly realistic.
So for now, it’s difficult to pinpoint exactly what the new administration’s policies and proposals concerning cybersecurity will be for the next four years. But it’s still a fruitful exercise to look for clues in some of the president-elect’s many statements and actions during the campaign (and in the years prior).
In this report, a handful of IANS Faculty use those statements and actions to detail what they believe we should expect from the new Donald Trump administration in terms of digital privacy, consumer protections, the EU-U.S. Privacy Shield, the U.S. Cybersecurity Framework and more.
I have been tracking key statements President-Elect Donald Trump has made over the past couple of years related to technology, cybersecurity and privacy. There have been many. Here are just a few and a brief synopsis of just five likely impacts of a Trump presidency on the associated topics:
- Censorship: “We're losing a lot of people because of the Internet...maybe in certain areas, [we should be] closing that Internet up in some way. Somebody will say, 'Oh freedom of speech, freedom of speech.' These are foolish people. We have a lot of foolish people.”
Of course, we cannot close up parts of the internet; that is foolish thinking. Imagine what it would take. In the U.S., ISPs would need, among other activities, to turn off their cell towers and fiber networks, and restrict satellite access to people living in regions that someone, perhaps Trump himself, determined has populations that were inclined to terrorism. And shutting down access from other countries would be an exercise in futility. Hopefully, this idea will be abandoned if enlightened minds prevail.
- Net neutrality: "Net neutrality is the Fairness Doctrine. Will target conservative media."
No, of course net neutrality is nothing like the Fairness Doctrine. Trump clearly doesn’t understand what net neutrality actually means. Trump’s picks for the Federal Communications Commission are loudly anti-net-neutrality. With FCC Chairman Tom Wheeler’s recently announced resignation, there will now be few to uphold net neutrality. Look for it to be killed in 2017, despite strong and loud opposition.
- Encryption: In response to the San Bernardino terrorist attacks and subsequent efforts to gain access to the perpetrators’ phones: “To think that Apple won't allow us to get into [the attacker’s] cellphone? Who do they think they are? No, we have to open it,” and “I think a lot of people would be willing to give up some privacy in order to have more safety.”
Should the incoming Trump administration pursue this strategy, it would mark the second time in U.S. history lawmakers established an initiative to force tech companies to build backdoors into encryption to allow U.S. government access; they are certainly old enough to remember the Clipper Chip pushed in the 1990s, which was proven to be unsecure. Apparently, while tech memory is virtually unlimited, lawmakers’ memories last only as long as their constituents’ pockets are deep. Proposed Attorney General Sen. Jeff Sessions (R-AL), and Chairman of the Senate Intelligence Committee Richard Burr (R-NC), have both indicated their disdain for strong encryption and have long sought weak encryption with such backdoors. Expect to see the war on strong encryption ramp up more than ever before, as well as a growing number of technology and privacy experts defending encryption, throughout a Trump administration.
- Surveillance: Regarding the New York City Muslim surveillance program: “We had [a program] in New York City, as an example, probably the best in the nation...that was one of the best of all systems. We need intelligence gathering like never before.”
Early in his campaign, Trump said he supported creating an immigrant “database” for tracking Muslims. With growing numbers of technology experts and businesses expressing their refusal to cooperate with any such surveillance, the Trump administration will have a big challenge in accomplishing its goals. However, given Trump’s tendency to meet such challenges with dogged determination, look for new laws or presidential orders for compelled surveillance activities. There are already plans for increasing NSA, FBI and CIA surveillance activities. And new expanded federal government hacking capabilities took effect Dec. 1, 2016. The U.S. will be operating in more of a surveillance state than ever before during a Trump administration.
- Cybersecurity: Trump announced he is going to create his own cybersecurity plan to replace the existing Cybersecurity Framework. Consider this: In the past couple of years, at least 39 systems throughout numerous Trump hotels had been infiltrated by hackers, in large part because of lack of security, resulting in 70,000 individuals' credit card information being breached. The victims were not notified by the Trump hotels until many months later. If Trump doesn't put a priority on securing his own businesses, how can we expect him to prioritize national cybersecurity? The current indifference within Trump's own businesses demonstrates a lack of understanding of cybersecurity and the amount of information/data others can get from our technologies without strong security controls. Look for increased cybersecurity incidents while Trump is in office.
What is more disturbing is that Trump has not changed his viewpoints, despite increased exposure to technology, cybersecurity experts and reports since becoming the GOP candidate in early 2016. I say exposure because while the intelligence agencies were virtually begging him to listen to their reports, he has simply stated he is “a smart person” and basically already knows what he needs to know about security. In the same breath, he points out that his 10-year-old son knows all about computers, but that he thinks computer security is “very, very tough” and “hardly doable.” Even Michael Hayden, the former director of the CIA and National Security Agency, said “the president-elect himself has shown no interest in understanding the issue.”
Taking all these troubling statements and situations into consideration, I do not hold high hopes for strong support for cybersecurity, but I do foresee expanded surveillance and weakened privacy tools over the next four years.
There are few clear signals to key on when trying to predict the effect Trump as POTUS will have on cybersecurity. In examining the few clues we have, it does not appear we are moving toward any meaningful improvements; instead, we are likely to slide backward.
This is a complex question to examine, however, because the general topic of cybersecurity can mean so many things, including the privacy of our citizens, our governmental defense of key assets, our offensive measures against other countries, and support for private sector defense, as well as legal policy underscoring all of this.
I do have some specific observations:
- Trump’s cabinet picks lack experience. Trump has yet to pick anyone for his cabinet to focus on cybersecurity. The remainder of his cabinet picks have been, in aggregate, the least experienced cabinet in recent history. This gravitation toward lack of experience in filling roles does not bode well for the topic of cybersecurity.
- Trump hotels have been hacked multiple times. While not uncommon nowadays, it does not show an outstanding amount of understanding for the importance of cybersecurity.
- Trump publicly encouraged foreign hackers to target his opponents. His encouragement of such activities in public shows little understanding for the potential damage that can be caused by a cyberattack. When asked about his plans for cybersecurity, Trump referenced the amazing skills of his 10-year-old son and called it “the cyber.” This would tend to indicate he has no significant plan or understanding of cybersecurity.
In summary, I believe Trump will likely make little inroads at protecting the private sector through operations or policy, but he will likely be aggressive against those he sees as enemies – be they U.S. citizens, immigrants, foreign nations, etc. Certainly, the growth trends of jobs and demand for cybersecurity employees will continue.
If you read the official policy the Trump campaign has offered on cybersecurity, it sounds reasonable. He plans to order a review of our current security posture and defenses, aiming to provide recommendations on safeguards and establish new protocols for security awareness training for government employees. He also mentions creating task forces at several levels of government (federal, state and local) for law enforcement to implement response tactics.
He also wants to enhance U.S. Cyber Command, and increase both our offensive and defensive tools and capabilities to deter attacks and respond appropriately if warranted. Again, this all sounds reasonable. There are some gaps in the approach though, and the first is simply this -- it is all incredibly vague.
Why would someone who claims to be dedicated to improving cybersecurity tweet something like this (see image below). This does not sound like someone who has a clue at all about a) cybersecurity in general, and b) the actual capabilities of the U.S. defense and intelligence communities.
Judging Trump and his incoming administration on the basis of his current ignorance is likely shortsighted, though. What we should be worried about is the recent selection of Trump’s cabinet.
Trump’s choices for Attorney General, Sen. Jeff Sessions (R-Ala.), and CIA Director, Rep. Mike Pompeo (R-Kan.), have both publicly argued that the government needs more surveillance powers over U.S. citizens. Pompeo has actually called for mass collection of social media information and suggested that Edward Snowden be put to death. On the other hand, Trump’s choice for national security adviser, Lt. Gen. Michael Flynn, is keen to add offensive cybersecurity capabilities, which could be an indicator of some progress.
Many feel Trump is not prepared to understand the magnitude of today’s threats from nation state actors and real criminal organizations, instead focusing on monitoring the activities in and from the U.S. This could lead to a breakdown in U.S.-EU data privacy protection under the recently approved Privacy Shield framework. The EU has long had more stringent focus on consumer privacy, and it may balk at more monitoring in the U.S.; alongside this, U.S. citizens may seek to store their personal data in the EU to avoid the U.S.’ prying eyes.
Many are also worried Trump’s administration won’t put enough emphasis on protecting critical infrastructure like telecommunications, energy and finance, but it is likely too early to tell. The only thing we can be sure of right now is that things are more uncertain than ever before.
If Nigel Farage and the U.K. Independence Party’s Brexit victory was the canary in the coal mine of U.S.-Anglo politics, giving us the forecast of a President-Elect Trump, then should we view U.K. cyber policy initiatives as another leading indicator for what’s heading our way in the U.S. under Trump? Based on the latest technology-focused legislation just passed in the U.K., that forecast is not a pleasant one for many U.S. technology companies and enterprises with large IT infrastructures.
The U.K.’s Investigatory Powers Act, which was signed into law in November, includes language that could be interpreted by bureaucrats to give them powers that require encryption and surveillance backdoors in technologies. Section 217 of that law outlines that the U.K. government be informed of any new technologies being deployed in the country and allows the government to demand technical changes to software and systems to enable full encryption compromise and surveillance of users. I never thought I would see the day where the U.K. and the People’s Republic of China have similar technology regulations, but with Section 217, we see many similarities with China’s Office of State Commercial Cryptography Administration (OSCCA).
Should similar policy strategies be undertaken in the U.S., it would nearly guarantee that most technology companies would move offshore to cryptographic safe havens and only sell their technologies through “unlicensed resellers” to avoid having to backdoor their systems before release to the U.S. market.
Looking at the trajectory of where the U.K. is heading from a cyber policy perspective and combining it with past statements made by key Trump appointees, we face significant risks to the integrity of personal and business communications and a future where the U.S. government’s surveillance capabilities are expanded. Trump has appointed Rep. Mike Pompeo (R-Kan.) as head of the CIA and Gen. Michael Flynn as his national security advisor. Neither one of those appointees indicate a policy strategy that would result in a reduction in the surveillance state or an assurance of confidentiality of personal or business information.
About 40 years ago, a congressional committee headed by Sen. Frank Church (D-Idaho) published a report summarizing the risks the U.S. faces in the event that its intelligence and surveillance powers are not properly checked. It’s probably time for people to read the Church Committee Report and take a long look at where things are heading, not just from the perspective of individual information privacy rights, but also what business are required to do to assist state surveillance activities.
For example, ever since the Communications Assistance for Law Enforcement Act (CALEA) was passed in 1994, more companies have been brought under the jurisdiction of that law to serve as data preservation and digital wiretap agents for the U.S. government. On our current policy trajectory, it is not outside the realm of possibility that any company could be forced to serve as a data collection and wiretap agent against its employees or customers. If such policies were to be enacted, they would result in significant IT business process impacts from both a staffing perspective, as well as in the technologies that would have to be deployed to comply with such requests.
The secession activists in California after the election have made me think there may be some interesting cyber policy activity at the state level, compared to what the Trump administration will pursue at the federal level. We’ve already seen California enact privacy legislation for information breaches. What if it decides to take a states-rights approach to surveillance, banning the federal government from surveilling its citizens? I think it could be possible for California to separate itself from the rest of the country on a cyber policy basis. With the animosity that exists between the Trump administration and most nearly everyone who lives in California, such a cyber policy conflict is a real possibility.
When it comes to information assurance/infosec policies for the government, I am not encouraged by the Obama administration’s departing efforts around improving the integrity of federal information systems. While some progress was made to declassify threat intelligence and share it with the private sector, the federal government’s complete failure to protect its own systems doesn’t give me great confidence that it can help the private sector protect its cyber infrastructure. We may be well past the point of no return for the integrity of those federal systems. We’ve seen so many ransomware attacks against civilian government agencies that perhaps all of the good information has already been stolen and the only way for attackers to monetize the data now is to hold it hostage from legitimate users.
Bottom line, it is still too early to tell exactly which direction the Trump administration is going to follow on many of these points, but we should pay close attention to how things are moving forward in the coming months. It is my hope that technology and industry leaders can help shape a cyber policy strategy that is realistic and pragmatic in its approach, but also adheres to the ideological tenets outlined in the constitution.
With a little over two weeks remaining until Inauguration Day, we’re still very much in wait-and-see mode when it comes to President-Elect Donald Trump’s cybersecurity policies. While he has certainly said (and, of course, tweeted) a number of alarming and inflammatory things, it remains to be seen just how much his actions in office will reflect these statements.
Ultimately, one can only hope President-Elect Trump will rely heavily on the wisdom and advice of the information security community as he and his team craft their cybersecurity policies. Otherwise, while the Doomsday scenario some have predicted remains exaggerated, everything from a potential assault on our current expectations of privacy to an increase in censorship remains in play.
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.
| Written AAE
Understanding the Australian Regulation’s ‘Two-Person Rule’ Requirement
| Written AAE
Protecting Data Transferred From Canada
| Faculty Report
International Security, Privacy and Compliance Laws: Q4 2016 Update
| Faculty Report
International Security, Privacy and Compliance Laws: Q3 2016 Update