While we wait for Robert Mueller to wrap up his investigation into President Trump’s pre-election dealings with Russians, let’s remember how we got here. The Russian Government compromised the emails of U.S. political organizations and used the information to damage the Clinton campaign. Punishing any potential violations of U.S. law that enabled this effort is important, so why is the Trump administration doing so little to beef up our nation’s ability to investigate and apprehend cybercriminals?
Cybercriminals, including nation-state hackers, are — for the most part — rational beings. Before attacking the U.S., they conduct a risk-reward analysis. Is the risk of getting caught and being held responsible greater than the reward of disrupting services, damaging U.S. infrastructure, or even interfering in our democratic processes? The answer, so far, has been a resounding no. And despite Mr. Trump’s promises to shore up the nation’s cybersecurity, the risk-reward analysis remains in the attacker’s favor. We must change this equation by adding resources to cyber law enforcement.
Throughout the 2016 presidential campaign, then President-elect Trump expressed concern over the state of the nation’s cybersecurity. “We have to get very tough on cyber and cyberwarfare. It is a huge problem,” Mr. Trump said. “The security aspect of cyber is very, very tough and maybe it’s hardly doable.”
Mr. Trump also criticized the cybersecurity efforts of the Obama administration and made a number of promises to beef up the U.S. response to cyber threats. “We have no defense. We’re run by people that don’t know what they’re doing,” he said.
The Obama administration’s efforts did indeed come up short in doing enough to stop attacks and reduce exposure. That administration was too cautious in its steps to create a real deterrent and put too much focus on information sharing as a countermeasure.
Mr. Trump promised to turn things around, starting with a 90-day cybersecurity review. “We have some of the greatest computer minds anywhere in the world that we’ve assembled,” he said. “We’re going to put those minds together and we’re going to form a defense.”
But all that talk appears to be just that. In the early part of the Trump administration, we saw some of the president’s thinking in a draft cybersecurity policy. This included a leading role for the U.S. military and a new approach to confronting cyberthreats. Under the order, the Department of Defense would have 60 days to review national security systems for vulnerabilities, and the Department of Homeland Security would have 60 days to review the protection of critical infrastructure.
More notable, however, is what was left out of the draft: There is no mention of the FBI. That was one thing the Obama administration addressed early on. The FBI played an important role in cybersecurity.
After much criticism, Mr. Trump’s early draft policy gave way to a watered-down version issued in the form of an executive order in May of 2017. Unfortunately, the executive order wasn’t much better than the draft policy, and it sounded very familiar. The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is largely based on the policies and procedures established under the Obama administration.
At the time of the signing, Ben Flatgard, former National Security Council Director for Cybersecurity Policy, told Ars Technica, “[The order] is directionally sound in many regards. It gives you incremental improvements and progress and some consolidation of stuff we’ve already put in place.”
But he added: “[F]or a new administration, this doesn’t represent big, ambitious plans to really leap forward in terms of how we address cyber threats.”
The people best positioned to advise Mr. Trump on cybersecurity appeared to agree. In August 2017, the administration lost a number of cybersecurity advisors, as a quarter of the members of the National Infrastructure Advisory Council resigned from their posts, citing in their resignation letter, “specific shortfalls in the administration’s approach to cybersecurity,” among other things.
What the administration failed to do in the executive order must be addressed. The U.S. needs:
• Legislation to streamline information-sharing and cooperation with friendly foreign governments.
• More resources for the FBI and other federal law enforcement agencies to go after cyber spies and cybercriminals.
• A consolidated central repository for both state and federal law enforcement on cyber crime.
Until the administration addresses the need for law enforcement resources to improve cyber deterrence, our country remains in a precarious position. Nation-state cyberattackers know that there is little or no risk involved in attacking the U.S., and until that changes the U.S. will continue to have a big target looming over it.
• Leo Taddeo is Chief Information Security Officer at Cyxtera, where he is responsible for oversight of Cyxtera’s global security operations, investigations and intelligence programs, crisis management, and business continuity processes. He provides deep domain insight into the techniques, tactics and procedures used by cybercriminals to help Cyxtera continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches. Mr. Taddeo, a decorated Gulf War Marine veteran, is also former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office.