Two months into his presidency, we still don’t know what Donald Trump’s promise to put America first will mean in cyberspace, where hackers have repeatedly exposed the nation as vulnerable.
Last week, the president’s assistant for homeland security and counterterrorism, Tom Bossert, made his first extensive public remarks since taking the job. He promised that Trump’s much-anticipated cybersecurity executive order would be out in the “coming weeks or months.” He hinted that the administration would first focus on securing federal networks, reducing botnets, and “deterring our adversaries.”
No matter what is in the document, though, it won’t fix the nation’s cybersecurity issues. Achieving that will require coöperation from Congress, the public, and most importantly the private sector, which owns and operates the lion’s share of U.S. cyberspace.
The situation is dire. James Clapper, whose term as director of national intelligence ended in January, ranked the cyber threat as the number one global threat the nation faces—ahead of traditional terrorism. The nation has failed to adapt to modern cyberwar. It is struggling not only to defend itself, but also to respond once an attack has occurred, Richard Ledgett, deputy director of the National Security Agency, said last week at the FT Cybersecurity Summit in Washington, D.C.
To fix the problem, said Ledgett, “we need a national desire” that “we have not currently demonstrated that we have.”
Perhaps this is because we are not looking at the problem correctly. In 2012, then U.S. defense secretary Leon Panetta warned that unless the U.S. improved the security of its networks, it could be in for a “cyber Pearl Harbor” that would cause “physical destruction and the loss of life.” In 2017, cyberwar against the U.S. does not entail destroying physical property and killing people. Commonly, it entails stealing valuable information, and even using it as a weapon. In that sense, the Pearl Harbor-like wake-up call has happened already—several times.
In 2014, an attack by North Korea on Sony was the most destructive state-sponsored cyberattack ever seen on American soil. Just last week, we learned that Russian spies were allegedly involved in a heist of data from 500 million Yahoo accounts. State-sponsored Russian hackers are believed to have perpetrated attacks on the Democratic National Committee and others during the 2016 presidential campaign. These events raise a particularly thorny question for the administration and the government: how should it respond to state-sponsored or terrorist cyberattacks on networks it does not own?
The executive order will emphasize improving the security of the government’s own networks, according to Bossert. Officials are still picking up the pieces after the 2015 discovery of a massive breach of the federal Office of Personnel Management, in which the personal information of 21.5 million people was compromised. Instead of treating each federal agency’s network and cybersecurity practices as separate, the Trump team will “hold the entire federal network as an enterprise and view it as something that needs to be defended as such,” Bossert said.
The president will also call for a “voluntary effort” involving Internet service providers, social media companies, and search companies, to reduce networks of hacked devices called botnets, said Bossert. The danger of weaponized botnets (see “10 Breakthrough Technologies: Botnets of Things”)—like the one that crippled much of the U.S. Internet for several hours last October—grows along with the proliferation of insecure connected devices including camcorders, webcams, and baby monitors.
Part of the administration’s challenge is that the role of the private sector is inherently different in cyberwar than it is for conventional conflict. Critical infrastructure companies are on the “front lines” and “our cybersecurity companies collectively have even more capabilities to defeat these threats than our military,” Jason Healey, senior fellow at the Atlantic Council’s Cyber Statecraft Initiative, said earlier this month in testimony before the House Armed Forces Committee.
Healey, testifying in a hearing entitled “Cyber Warfare in the 21st Century,” said the government should focus on using its own strengths to support companies, instead of trying to “force their compliance or deputize them to act out orders.” For instance, it can alert companies when it discovers vulnerabilities in their products. It can also try to deter future attacks by imposing sanctions, making arrests, or handing down indictments like it did last week.
The U.S. has been successful at deterring deadly, physically destructive cyberattacks, noted Healey. Below the “threshold of death and destruction”—where most of the action has happened—the nation has been failing at deterrence for many years, he said. Perhaps “we don’t understand the dynamics of cyber conflict as much as we think.”