Things did not end well for the Trump administration’s cybersecurity efforts. After Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency (CISA), was fired by President Trump for releasing a statement claiming, “the November 3rd election was the most secure in American history,” Krebs immediately went on 60 Minutes and the Late Show with Stephen Colbert to take a victory lap after his agency’s solid performance in monitoring the election.
Donald Trump’s campaign lawyer, Joe diGenova, countered with “that guy [Krebs] is a class A moron. He should be drawn and quartered. Taken out at dawn and shot.” This is but one example of the dangerous messaging that emerged from the White House following the election, contradicting election experts and evidence. President Trump’s legacy on cybersecurity will go down in a miasma of confusion and delay.
This December, President Trump decided one of his final stands in government would be to demand, under the threat of veto, that the 2021 National Defense Authorization Act (NDAA), the annual bill that funds the defense establishment, should include a provision eliminating Section 230 of the Communications Decency Act. Section 230 is the oft-misunderstood and mythologized dispensation for internet platforms to avoid moderating content on their platforms. President Trump tweeted, “Section 230, which is a liability shield gift from the U.S. to ‘Big Tech’ (the only companies in America that have it – corporate welfare!), is a serious threat to our National Security & Election Integrity.”
Section 230 is clearly a debatable issue. What is not debatable, however, is that “230 has nothing to do with the military,” as Senator Jim Inhofe (R-OK), Republican chair of the Senate Armed Services Committee, quickly remarked. With this act, President Trump ends 2020 and his term with continued disarray surrounding cybersecurity issues, consistent with an overall pattern of hubris and indifference that has positioned the country no safer than it was in 2016.
Things did not start off well with Rudy Giuliani named as President-Elect Trump’s cybersecurity advisor in January 2017, a position he still technically holds to this day. It was not until May 2017 that President Trump signed a long-awaited executive order mandating a series of risk management reports in the hundreds on cybersecurity issues across the federal system. These reports were largely delivered behind schedule with no response or action.
There has been no movement from the executive branch on election security, aside from a bill that makes hacking voting systems a federal crime. The confusion over the election and voting machines, with a tinge of a global plot led by long-dead Venezuelan President Hugo Chavez, is a symptom of the lack of federal coordination on standards and regulations over electoral security.
In April 2018, U.S. Cyber Command released its long-awaited strategy, now called a vision, that articulated persistent engagement as the defining orientation of U.S. cyber warriors, in opposition to the Obama administration’s position of restraint in cyberspace. In September 2018, the Department of Defense (DOD) released its Cyber Strategy, which did not mention persistent engagement and instead focused on the concept of defend forward.
Confusion of terminology ensued with no one quite sure how to rectify the two visions of U.S. cyber strategy from the same overall department (DOD). The issue was not really cleared up until 2019 when Commander of U.S. Cyber Command Paul Nakasone clarified that persistent engagement was the operational implementation of the defend forward strategy.
Confusion remains over whether persistent engagement is an aggressive and dangerous strategy or a purely defensive strategy to secure the nation. With no metrics for evaluation, we could never know. A distinction of what was and wasn’t a persistent engagement operation was never clarified, and now nearly every operation—disrupting the Internet Research Agency, deploying Cyber National Mission Forces to Estonia, or sharing malware with the private sector—is labeled persistent engagement.
Behind closed doors, the Trump administration loosened authorities on offensive cyber operations through NSPM 13, or at least we think they did since the whole issue was classified even to Congress at the time. There were also reported secret orders to give more authorities to the CIA to launch offensive cyber operations.
Other areas where President Trump’s cyber legacy deserves low marks include the “Clean Network” initiative, bans on TikTok and WeChat, the elimination of the national cyber coordinator position, the gutting of the State Department’s cyber diplomats, and “covfefe.”
On December 13, news started to leak of a massive hack into U.S. systems through a vulnerability in the SolarWinds Orion IT monitoring service. The widespread attack has affected almost all aspects of the U.S. government and many companies, including Microsoft. Although Secretary of State Mike Pompeo stated that “we can say pretty clearly that it was the Russians that engaged in this activity,” President Trump nearly immediately contradicted him, writing in a Tweet, “Russia, Russia, Russia is the priority chant when anything happens because Lamestream [media] is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!).”
Through all this, there is a concern that the Trump administration will uncouple the NSA and U.S. Cyber Command, ending the dual-hatted role of its leader, General Paul Nakasone. While there is merit to the idea, completing the massive task on the way out the door, in the middle of the massive fallout from the SolarWinds incident, complicates the ability of President-Elect Biden to organize cybersecurity defenses.
Overall, the Trump administration will leave a legacy of confusion over cybersecurity issues with few positives. CISA, the wing of the Department of Homeland Security focused on cyber issues, became more powerful and established, leading some to wonder if it should be an independent agency. The crises between Iran and the United States during the summer of 2019, after the downing of a U.S. Global Hawk drone, actually deescalated due to cyber actions, which provided a substitute for more aggressive military options.
The greatest positive of all could be that the Trump administration was unable to slow down the Cyberspace Solarium Commission’s efforts to reform cyber strategy. The commission articulated an evolution of U.S. cyber strategy through layered cyber deterrence, but more critically, it offered fifty-two legislative proposals, of which twenty-five made it into the 2021 NDAA, making it perhaps the most comprehensive piece of legislation on cybersecurity so far.
The Biden administration could enter to provide clarity in a domain that has lacked it since its inception. It is more likely that the United States will move forward with slow incremental change. Nonetheless, anything should be an improvement over the last four years, which have set the bar quite low.
Blog Post by Brandon Valeriano -cfr.org