Trying to predict the shape of cybersecurity under President Trump is a frustrating exercise for industry professionals. But given what’s at stake, we asked some to give it a try anyway, or at least offer the president-elect some advice.
It’s not that Trump doesn’t have a plan – he does. But he’s demonstrated a knack for changing stances on everything from healthcare to immigration reform since the election. To some, he’s demonstrated a general lack of understanding when it comes to the intricacies of policy, whatever the subject.
His flexibility could be good for internet security. Or, it could be a disaster.
“As with many policy issues, it’s really difficult to predict what President-Elect Trump might do with regards to cybersecurity,” said Michael Schearer, a Baltimore-based security practitioner specializing in legal matters. “I believe that Trump is focused more on pragmatism and less on specific policy outcomes.”
For now, all we have are words gleaned from Trump’s campaign stump speeches. He ran on an isolationist-protectionist platform, vowing to put Americans first and shred trade deals and regulations he deems unfair to blue-collar workers.
Among other things, Trump vows to roll back regulations, making a rule that for every new regulation, two older ones must be eliminated.
For many a security practitioner, this has sparked uncertainty over the future of data protection regulations they’ve labored to abide by over the last 15 years.
In the UK, concern abounds over what Trump’s policies will mean for the General Data Protection Regulation (GDPR), which will require any company that does business in the European Union to more securely collect, store, and use personal information by 2018.
The future of that mandate was already clouded by last year’s demise of a “Safe Harbor” agreement between the European Union and United States. Safe Harbor allowed firms to transfer massive amounts of data to their servers in the US and streamlined the complicated process companies had to go through to comply with European regulations. The UK’s Brexit vote in June further complicated things.
For now, experts have advised staying the course with current compliance programs, noting that any step toward deregulation would be a long and difficult process. As for what the regulatory landscape will look like in five years, all bets are off.
Privacy in peril
A Trump presidency also raises questions about the future of privacy. Houston-based security practitioner Michael Farnum is among those concerned about potential privacy rollbacks.
“I really worry about how aggressive he is going to be with cybersecurity in relation to civil rights,” said Farnum, a founder of the Houston Security Conference (HouSecCon). “I base my concern partly on his comments about the iPhone backdoor issue. He did his typical thing of jumping into the fray without knowing what he was talking about. I’m not sure that education about the issue will really change his mind because of his general tendency towards authoritarianism.”
Earlier this year, Apple fought an FBI court order to give investigators a backdoor into the iPhone used by a shooter in the December 2015 terrorist attack at a facility in San Bernardino, California. At the time, Trump slammed Apple, saying the company should obey the courts and “open it up”.
The question is if he’ll proceed with the authoritarian approach Farnum worries about or changes course as he has on other issues.
Advice for Trump
In the face of uncertainty, experts have some advice for Trump.
“From a cybersecurity defense standpoint, my advice to him would be to do a TON of research and put in place some non-DC-type cybersecurity advisors,” Farnum said. “I would also advise him NOT to take a proactive cybersecurity attack stance towards other countries. Wars in the future will have cyber components, so having weapons makes sense in a lot of ways. But we don’t need another “Mission Accomplished” scenario in the cyber world.”
Schearer believes the current White House cyberdeterrence policy has failed and Trump should study and understand what has and hasn’t worked before adopting a more concrete strategy.
“The current White House approach – built on a two-element strategy of deterrence by denial; and deterrence through cost imposition (sanctions against state actors, for example) has failed,” he said. “Cyberdeterrence as a communicative strategy should be jettisoned. The United States should continue to focus on shoring up its network defenses and pursue multiple strategies to impose costs – not for the sake of deterrence, but as part of a larger effort to combat cyberattacks on a more aggressive front.”
In terms of American cyberdeterrence, he said, fear has failed. It’s time to acknowledge that and move on.
Schearer covers those issued in broader detail in a paper he wrote for the Social Science Research Network (SSRN).
Stephen Bryen, a noted technologist and policy strategist, suggested in a blog post that Trump remove cybersecurity policy from NSA control and hand it over to a new, autonomous agency.
“Cyber policy is made by NSA and that is a big problem,” he wrote. “NSA cannot be the guarantor of security and insecurity at the same time. If Donald Trump wants to take one important, indeed, vital step he will create a well-funded new Cyber Security Agency that is free of NSA and other deeply compromised interests.”
Will any of these ideas make it into actual policy in a Trump administration? Those interviewed aren’t holding their breath. But given Trump’s recent change of heart on other matters, there’s always hope.