Security pros are bracing for changes the industry may face after the unexpected election of real-estate entrepreneur and reality television personality Donald J. Trump in a historic presidential race.
A flurry of contentious statements made by the President-elect during his successful bid for the White House has caused consternation among information security professionals. Among the statements that industry professionals find troubling are his calls for “closing parts of the Internet,” his support for mass surveillance, and his demands that Apple should have helped the Federal Bureau of Investigation (FBI) break the encrypted communications of the San Bernardino shooter's iPhone 5C.
Given that Trump is an immensely nontraditional politician, industry pros are unsure whether he will pursue policies consistent with some of his more outlandish statements about cybersecurity. Authentic8 co-founder and CEO Scott Petry told SC Media that there is “a huge amount of uncertainty” concerning Trump's approach. “It's not clear what his agenda is.”
Other pros are less ambiguous. IOActive director of advisory services Daniel Miessler wrote to SC that information security professionals are most concerned by Trump's support for large-scale surveillance programs, requiring companies to provide customer data to the government, and sanctioned hacking by other nations.
Trump's approach to surveillance and cybersecurity will, of course, depend largely on whether Trump appoints to his cabinet professionals who are knowledgeable about cybersecurity policy and its implications, or at the very least, individuals who are reasonable and intelligent. His initial list of potential cabinet members did not signal that he was interested in this approach.
Security pros are concerned by the apparent lack of cybersecurity familiarity among those who have been floated for critical roles in the administration. “Who is Trump's cybersecurity advisor(s)? Not finding anyone that has any background in it mentioned or listed anywhere,” wrote information security professional Ben Heise.
Potential Secretary of Homeland Security nominees included New Jersey's famously boisterous Governor Chris Christie and Milwaukee County Sheriff David Clarke, who has called anti-Trump protestors “radical anarchists” whose tantrums “must be quelled.” A week earlier, he was calling for Trump supporters to protest with “pitchforks and torches.”
Rudolph Giuliani has also reportedly expressed interest in joining the Trump administration as “the person that comes up with a solution to cybersecurity.”
Trump is not known as a defender of internet privacy, noted Michael Covington, vice president of product at Wandera. His proposed re-authorisation of the Patriot Act and support for “reduced oversight and restraint in our nation's surveillance programs” are a concern, he wrote to SC. “His protectionist policies and focus on homeland security have many privacy advocates worried that he favours a sense of security over the protection of individual freedoms,” Covington said.
For years, privacy advocates have challenged government watchdog groups' assessments of the National Security Agency's (NSA) surveillance operations, often by arguing that although the intelligence agency has mainly functioned with great discipline, the structures that prevent abuse are internal structures that can be dismantled.
The U.S. has built an “enormous surveillance system which is not constrained by robust oversight against abuse,” Faiza Patel, co-director of the Brennan Center's Liberty & National Security Program, wrote to SC. The development of these extensive capabilities has ignored the “lessons of history,” he said, adding that the NSA's broad authorities will now be at Trump's disposal.
“This is why you need to be careful when building secretive, all-powerful surveillance tools,” wrote Miessler. “You never know who's going to get keys.”
The intelligence community has its own concerns about Trump. Trump's comments have normalised Russian espionage against the United States. Former Director of the Central Intelligence Agency (CIA) Michael Morell raised concerns that Trump possesses a “lack of respect for the rule of law,” in a New York Times op-ed.
Former CIA Director Michael Morell noted that Putin seemed to have recruited Trump “as an unwitting agent of the Russian Federation.”
Former Director of the National Security Agency (NSA) Michael Hayden made similar comments about Trump and Putin and this week said Trump doesn't fit “into the intelligence picture”.
Cozy Bear, a hacking group with ties to Russian intelligence, launched a new spear-phishing campaign against think tanks and non-government organisations hours after Trump's victory was announced, according to the cybersecurity firm Volexity. Russia's Parliament reportedly erupted into “thunderous applause” on hearing news of the presidential election results.
A Congressional aide told SC that any new interpretation of the Patriot Act, Section 402 of the Foreign Intelligence Surveillance Act (FISA) and National Security Letter requires declassification, although he added that if a President does not abide by the rule of law, then it is unclear how collection of Americans' data would be impacted.
The federal criminal procedure Rule 41, which is scheduled to grant broader surveillance powers to law enforcement agencies at the end of the month, requires a warrant, but the aide said the potential for abuse would be greater under new provisions.
As such, Fadi Albatal, senior vice president of Above Security, believes Trump should focus on legislation rather than capacity building or tools. “To address state-sponsored cyber threats, there is a need for allied coalitions and joint defence and attack capabilities to help deter state enemies,” he wrote in an email to SC.
Without a crystal ball – or maybe a predictive tweet engine – it's probably not worth speculating too much about the Trump administration's cybersecurity compass.
Venafi Vice President of Security Strategy and Threat Intelligence Kevin Bocek wrote to SC that Trump's cabinet choices will “likely set the real direction.” If he is serious about protecting America, then information security professionals “may in fact be in for a surprise.”