Donald Trump’s effect on cybersecurity after he’s sworn in as president next month will likely be toward military uses of cyber weapons and stronger tools for law enforcement to crack encryption, but the impact is hard to predict due to the vagueness of his proposals so far.
The most detailed Trump cyber plan is just 175 words long and includes some initiatives that sound like what’s already in place.
On the campaign trail and during debates he occasionally hit the topic, but again with little detail and perhaps little understanding of how the internet works. For example, he called for Microsoft founder Bill Gates to find a way to shut off parts of the internet to ISIS as a way to halt its recruitment efforts.
Overall, he is dissatisfied with the status quo, saying to the New York Times that the U.S. is “obsolete in cyber … I don’t think we’re as advanced as other countries are… we move forward with cyber, but other countries are moving forward at a much more rapid pace.”
Here is what’s known about Trump’s thoughts on some aspects of cyber security:
Trump famously urged a boycott of Apple products when it refused to help the FBI crack into the encrypted cell phone used by terrorists who murdered 14 people and wounded 22 others in San Bernardino, Calif., last year. This seems to indicate he favors access to devices for criminal investigations over allowing unbreakable systems.
+ ALSO ON NETWORK WORLD A year after terrorist attacks, phone privacy laws unchanged – but watch out for Trump +
If that becomes policy, it will cause a host of challenges for government, industry and consumers. For example, the Department of Health and Human Services requires securing medical records with encryption. Weakening encryption weakens privacy of those records.
Corporations rely on encryption to protect proprietary technology. Security vendors required to weaken encryption would be at a disadvantage against competitors who make products in countries without such restrictions. Consumers use it to protect online transactions.
Trump doesn’t have authority to impose such a policy on his own, and Congress has been divided. No legislation on the issue has been filed despite a drumbeat for it from FBI Director James Comey.
Cyber retaliation for cyberattacks
This may or may not be a change from current U.S. policy.
After the U.S. accused Russia of trying to influence the U.S. presidential election with hacked documents earlier this year, Vice President Joe Biden said the U.S. would retaliate either with sanctions or with a covert retaliatory cyberattack. Since it would be covert, it’s hard to know whether the threat was carried out.
The consequences of this type of more or less open cyber skirmishes are unknown, but if they escalate they could be devastating to economies and critical infrastructure.
Trump also calls for “enhancing U.S. Cyber Command, with a focus on both offense and defense in the cyber domain.” It’s unclear what he means by that or whether he is dissatisfied with the current road map for the command.
According to Congressional testimony by the deputy commander of Cyber Command Air Force Lt. Gen. James K. “Kevin” McLaughlin, it is working on a force of 133 teams that will initially total 4,684 people with the mission of applying “military capability at scale in cyberspace.”
The force will give the department “a means to apply military capability at scale in cyberspace,” he said. They include national teams for defending against cyberattacks, protection teams to defend Department of Defense networks, combat teams to support military operations, and support teams to help out the other teams.
Cyber security review team
Trump wants a broad group to look at cyber defenses and vulnerabilities including critical infrastructure. This sounds similar to the Obama Commission on Enhancing National Cybersecurity, which recently issued its final report, which can be found here.
The big difference is Trump wants his team to include military, law enforcement, and the private sector representatives. Obama’s team had a former national security adviser, the former head of the NSA and Cyber Command, and several business leaders, but no law enforcement representation.
Obama’s commission left recommendations for the new president, but Trump hasn’t said what he thinks of them.
Cyber awareness training for feds
Trump hasn’t fleshed out this item, which is one of the goals he set on his campaign cyber-policy site.
It may be there as a way to tweak his opponent, Hillary Clinton, whose use of a private email server for sending work-related emails while secretary of state was a big campaign issue for Trump. Much of her use of the server would be discouraged under rudimentary security rules, let alone what might seem appropriate for someone in her position.