Though, unless he appoints Julian Assange as his Cybersecurity Czar, I doubt we’ll be seeing WikiLeaks coming to Trump’s rescue when he needs help with cyber-policy in the near future. But you never know.
And that’s where this insane ride, where any consideration of the human beings who will experience the consequences of their combined machinations is absent, is going: Mr. Trump is now going to be in control of America’s cybersecurity and cyber-warfare policies and plans. He has promised that what he called “the cyber” in his last debate will immediately become a priority, citing threats in the form of China and North Korea.
Mr. Trump openly advocates hacking back, a controversial and ill-advised strategy. He said in 2015, “America should counter attack and make public every action taken by China to steal or disrupt our operations, whether they be private or governmental.”
More recently he told press in October, “The United States must possess unquestioned capacity to launch crippling counter-cyberattacks. This is the warfare of the future… America’s dominance in this arena must be unquestioned and today, it’s totally questioned.”
These are the words of someone totally clueless about cyberwarfare, they are from someone who telegraphs every move, and disturbingly, these are words of war.
As you may remember (or might be repressing, like trauma), Mr. Trump foreshadowed his targeting of China for cyber infractions in his last debate with Hillary Clinton. When Ms. Clinton said that Russia was behind recent hacks against the United States, especially the DNC hacks that helped Trump win the election, he went on the defensive for Russia.
“I don’t think that anybody knows it was Russia that broke into the DNC,” he said. Trump unforgettably elaborated saying “It could also be China or it could also be lots of other people — it also could be somebody sitting on their bed that weighs 400 pounds.”
It actually took until October for Trump to realize that cybersecurity was a priority, at which point he published his vision for cybersecurity policy on his website. It was actually excerpts from a campaign speech he gave, so let’s not get too excited that we might have anything concrete to work with. But it gives us an idea of who he plans to make handle these issues for him — and of course promises to develop and deploy cyber weapons.
It states: “Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.”
Trump’s cyber “vision,” as outlined on his website, shows that he intends to hand most of the work off to others. His first “vision” plan is to have a review done by a team of his choosing, the likes of which sound vague, uninformed, and somewhat impossible if interpreted literally. He wants to “Order an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure, by a Cyber Review Team of individuals from the military, law enforcement, and the private sector.”
The next step in Trump’s cyber plan is specifically for the U.S. Department of Justice “to create Joint Task Forces throughout the U.S. to coordinate Federal, State, and local law enforcement responses to cyber threats.” That will fall to the new attorney general, who in all likelihood will be Rudolph W. Giuliani.
Former New York City Mayor Rudy Giuliani has a lot on the record to let us know where he stands on “the cyber.” Giuliani has been interested in cybersecurity since he read an FBI report in 2003 predicting a hacking crimewave, and instantly decided he needed to build a business around it. That business was Giuliani Partners, a security consulting company whose pentesting arm was specifically comprised of ex-government and ex-military employees he said because even reformed hackers can’t be trusted.
After Giuliani Partners, he became the global chair of law firm Greenberg Traurig’s cybersecurity and crisis management practice in January 2016. Shortly after joining Greenberg Traurig, he did a press junket comparing hackers to Mafia and cybersecurity to cancer.
And that’s something the two men have in common: Giuliani and Trump hate hackers — unless hackers are doing the dirty work in their favor, of course. In regard to Edward Snowden, Trump has been clear that he believes the former government contractor should be executed. Maybe once he’s president, Trump will get his wish in the form of a congratulations gift from his BFF, Putin.
As we know, everything with Trump has to do with his likes and dislikes. And he likes surveillance, as evidenced in his personal phone-spying practices, and he likes the NSA’s spying. In fact, Trump is an outspoken supporter of government surveillance, and in his words, the NSA “should be given as much leeway as possible.”
He told The Daily Signal, “I support legislation which allows the NSA to hold the bulk metadata. For oversight, I propose that a court, which is available any time on any day, is created to issue individual rulings on when this metadata can be accessed.”
Mr. Trump didn’t like Apple refusing to unlock the San Bernardino shooter’s iPhone for the FBI this past year, and his reaction to the case is instructive. When it was brought to his attention, Trump said Apple should be forced to allow the FBI access to the phone’s contents. “I think it’s disgraceful that Apple is not helping on that. I think security first, and I feel — I always felt security first,” he said. “Apple should absolutely — we should force them to do it,” he said.
There’s another very serious way in which Mr. Trump will impact the worlds of hacking any cybersecurity that few are thinking about at this very weird moment in time. Trump’s intents and desired policy changes with immigration and jobs will actually take all the problems we have with domestic cybersecurity in this country and crank them up to eleven. It’s not advanced math: We have a epic cybersecurity hiring crisis, and much of our talent pipeline relies on foreigners holding jobs here, or emigrating to the United States.
These problems start in Trump’s plan for his first 100 days in office called “Donald Trump’s Contract With The American Voter,” released at the end of October.
That plan has three primary intents. These are: to enact Trump’s “naughty or nice” list in Washington; do what he feels is necessary to protect American workers; and to restore rule of law. This is all in addition to all the other lovely things he plans, like repealing the Affordable Care Act — something that will also negatively impact infosec, specifically independent hacking and security contractors.
Hiring is cyber’s biggest pain point. There is a severe shortage of information security professionals, in both government and public sector companies, and leading industry experts say it’s only getting worse. For an area whose growth is incomprehensibly fast to outsiders, its escalating hiring crisis seems counterintuitive — though when you start to see the numbers, calling it a crisis is an understatement. James Gosler a veteran cybersecurity specialist who has worked at the CIA, the National Security Agency and the Energy Department, has argued that the United States government itself “needs some 30,000 technical cybersecurity workers, essentially hackers.”
Mr. Gosler can’t be thrilled to hear that Mr. Trump’s Contract plans to enforce “a hiring freeze on all federal employees to reduce federal workforce through attrition (exempting military, public safety, and public health.”
Meanwhile, the International Information Systems Security Certification Consortium has calculated that over 300,000 cyber-security professionals are needed to maintain and manage business structures.
Many believe that a big part of the domestic problem are the bureaucratic roadblocks to hiring talent outside borders, because the need within the US is so large, it simply can’t be filled by domestic talent. Unfortunately for that urgent need, Mr. Trump’s first “Contract With America” point is to “renegotiate NAFTA or withdraw from the deal under Article 2205.” The problem is, NAFTA isn’t just about manufacturing; it helps facilitate low-friction ways for firms to hire cybersecurity talent.
Companies like Google and and others who’ve brought in security talent from other countries will want to hurry up and get that Green Card process underway so they can keep those workers. Because according to the Contract he wants to “begin removing the more than 2 million criminal illegal immigrants from the country and cancel visas to foreign countries that won’t take them back” and “suspend immigration from terror-prone regions where vetting cannot safely occur.”
With the loss of cybersecurity talent pipelines and deportation of foreign hacking talent, the security crisis — all the breaches, IoT botnet and security issues, our ransomware epidemic, and the medical cybercrisis — will worsen.
Threat monitoring will weaken in companies and organizations, patches will slide, needed security trainings won’t happen due to staffing issues (so phishing will continue its damage), internal security overhauls can’t happen without enough workers.
It is the end of an era for many things now, but for cybersecurity, it was supposed to be the beginning.
We had made progress, even if rough, in getting the government to listen to hackers and consumers about security. President Obama understood tech’s hiring issues and how they hinge on foreign workers right now. We’d pushed back on things like export controls and the stupid concept of “cyber bombs,” and some people were starting to listen.
So it wasn’t supposed to turn out this way. The Justice Department wasn’t going to be run by a corrupt wacko who thinks hackers are forever evil, and who actually, quite crazily believes he can solve cybersecurity. Nor the White House run by an emotional, vengeful child who thinks cyberwar — a war with real consequences, which would cost lives — as his first and best option.
It’s clear that the new White House will exist in a self-fulfilling bubble, where it believes cyber is just another thing a couple of selfish, egotistical, bigoted men can manipulate for its own ends.
Men who embrace unbridled surveillance of innocent citizens and remove healthcare from those who need it most because their ways of relating to ordinary human beings have been severed in a way that facilitate a blatant disregard for the sanctity of other people’s lives.
Cybersecurity, our own experiences of it, and those most at risk, will suffer as a result of this election. Because what’s most foretelling of individual suffering, ultimately, is not the surveillance, the lying, or the messing with our heads, but the indifference of those in control.
Images: AP Photo/Evan Vucci (Trump); AP Photo/Arnulfo Franco (Giuliani); REUTERS/Hyungwon Kang (Cyber security), AP Photo/Evan Vucci (Obama)