Trump unlikely to follow Obama ‘roadmap’ on cybersecurity

First published by MLex 6 December 2016. By Mike Swift

Donald Trump got elected to the US presidency through strong talk about taking down the legacies of his predecessor. But in the fading hours of Barack Obama’s administration, the outgoing president and his surrogates are publicly urging Trump to build on the current administration’s cybersecurity work.

There is little to no clarity yet about whether their appeal will succeed. But in a report released late Friday by the White House Commission on Enhancing National Cybersecurity and in a letter by the chairman of the Federal Communications Commission released this week, the Obama administration and its allies tried to make the case to the incoming Trump administration that the nation does not just face a cybersecurity problem. It faces a cybersecurity crisis.

The White House report identified “Internet of Things,” or IoT, devices and their role in distributed denial-of-service (DDoS) attacks like the one that brought down Twitter, Netflix, Airbnb and Amazon.com for much of the day on Oct. 21 as a critical focus. The commission urged Trump, within his first 100 days in office, to convene a summit of leaders from government, business and education to launch a “new national cybersecurity awareness and engagement campaign.”

The commission’s 100-page report, the result of nine months of work, urged the president-elect to launch an effort to train 100,000 new cybersecurity practitioners by 2020. It recommended that the US Federal Trade Commission work with consumer groups to develop a “cybersecurity bill of rights and responsibilities” for consumers, and said the Department of Commerce should lead a multi-stakeholder process focused on blunting the impact of botnets and denial-of-service attacks.

To aid the security of purchasing decisions by consumers using connected devices, the commission said an independent rating organization “should develop the equivalent of a cybersecurity ‘nutritional label’ for technology products and services.”

“Our digital economy and society will achieve full potential only if Americans trust these systems to protect their safety, security, and privacy,” said the bipartisan commission created by Obama in 2015. “A wave of highly publicized incidents over the past several years has brought the importance of cybersecurity into focus for policy makers, private-sector leaders, and the American people.”

In a letter released Monday by Senator Mark Warner, a Virginia Democrat, Federal Communications Commission Chairman Tom Wheeler said that the “Open Internet Order” that the FCC issued in 2015 to protect the principle of “net neutrality” not only permits Internet service providers, or ISPs, to take strong steps to ensure cybersecurity, it means ISPs “have the responsibility to do so.”

The October DDoS attack highlighted that security vulnerabilities “induced by or inherent in devices now can have large-scale impacts on network services connecting those devices.” Market forces alone are insufficient, without regulation, to protect Americans’ cybersecurity, Wheeler said.

“Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively,” wrote Wheeler, who will be replaced by a Trump appointee as Republicans become the majority on the five-member FCC.

The implication of Wheeler’s letter was clear enough: If Trump moves to undermine the FCC’s net neutrality order, as he is widely expected to do based on his statements as a candidate, he would be undermining the nation’s cybersecurity as well.

Some influential Republicans in Congress see no need for additional cybersecurity laws. The IoT industry has called for national standards, not new regulations, to counter botnet hacks.

Trump has been so hostile to new government regulations on business that it’s unlikely the president-elect will adopt a heavily regulatory approach. In a video posted on YouTube Nov. 22 about his plans for his first 100 days in office, Trump said that for every one new government regulation created, “two old regulations must be eliminated — so important.”

But otherwise, Trump remains an enigma on cybersecurity. After one debate against Democratic candidate Hillary Clinton, the Republican was widely lampooned, especially in Silicon Valley, for referring to “cybersecurity” as “the cyber,” before saying there was no proof it was Russia or China that had hacked the computers of the Democratic National Committee in a widely publicized security breach earlier this year.

“It also could be somebody sitting on their bed that weighs 400 pounds, OK?” Trump added, in one of the more indelible quotes of the election campaign.

In the same Nov. 22 YouTube video, Trump said he would direct the Department of Defense to develop “a comprehensive plan” for the nation’s cyber defense during his first 100 days in office. He offered no other details about what that plan might include.

The cybersecurity commission signaled it is prepared to advocate for its proposals going forward, saying its plan represents “a roadmap” for how the private sector and the new administration should collaborate in the future. Obama weighed in after the cybersecurity report was released, saying it would take “additional bold action” to protect the nation from cybersecurity threats.

“Now it is time for the next administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change — both in the United States and around the world,” the outgoing president said.

Whether Trump will decide to embrace that charge and follow the roadmap laid out by his predecessor, however, is anything but certain.