Let’s Get Political: Trump, a hacker, and a ten year old

Now that the election has wrapped up and we have a president elect, it is vital that we understand what he has said about the future of cyber policy. Although it would be easy to focus on his bluster, the position stated on the GOP platform and on Trump’s website may actually turn into policy because of the Republican majority in the House and Senate. For this post, the focus will be on what Trump has laid out to be his priorities for cyber policy.

The Trump plan, which can be found here, is fairly straight forward. The first point of the plan is for a review of all US cyber defenses and vulnerabilities by a team made up of Military, Law Enforcement, and Industry. This on the surface level is hard to argue with. America has lots of weak points in our cyber defenses. Recent examples include the massive outage of service across the East Coast and the unsuccessful Iranian penetration of a New York dam. However, this review team falls into a familiar trap. Cyber policy-making has too many moving parts and the structure is too vague. Homeland Security is nominally in charge of protecting America from cyber threats but the DoD, NSA, FBI, Treasury, and a network of councils and working groups are also vying for authority and power in this arena. Grafting a new group onto this would not only further complicate this picture but it would be just another bureaucratic battleground for these players. A better avenue would be to reform an already existing group or to create a more sharply defined hierarchy of domestic cyber-security agencies to continually perform this type of assessment rather than a one-off task force.

Trump’s second point is about the creation of joint task forces to coordinate federal, state, and local responses to cyber-security related incidents. Again, on the surface, this seems like a great idea. However, cyber crime is no different than other types of crime. Where the crime happens matters. It is rare that a cyber incident is limited to one locality or state. This means that most cyber crimes are dealt with at the federal level rather than at the local level. So although coordination would be helpful it should not be the focus of the law enforcement side of cyberspace. Instead, Trump should focus on how to bring international hackers to justice and work with our allies to strengthen norms.

The third point in PEOTUS’ plan is to have the Secretary of Defense and the Chairman of the Joint Chiefs of Staff to give him recommendations for strengthening U.S. Cyber Command both offensively and defensively. This is the one point of the plan everyone can get behind. Although I am sure that these groups would have already provided Trump with their wish-list upon his arrival to the White House, it is good that he has shown interest in bolstering our capacity.

Finally, Trump’s last point reads “Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.” Vagueness on policy positions plagued Trump’s campaign and this point is no different. Due to the nature of cyber warfare, the United States is often evasive about what we can do on offense. This is because once tools are exposed they become useless. However, it is clear that America can deal out significant damage. The reason behind our restraint in this sphere revolves around deterrence. What Trump seems to want is that America will have a similar policy with cyber as we did with nuclear weapons in the Cold War. This would involve a showing of force or of weaponry that would be so strong that aggressors would be afraid to attack us. However, this is almost impossible to do in cyberspace. Not only because brandishing your weapons is counter-productive, as mentioned above, but deterrence is also difficult because of the attribution problem. In one of the Presidential Debates, Trump’s comments on the Russian interference in the election perfectly illustrate this:

“She’s saying Russia, Russia, Russia — I don’t, maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, okay?”

Although America has gotten better at this, even to the point of posting pictures and names of the suspected Hackers, it is not perfect. There is a chance that a foreign agent is spoofing. Spoofing is when an attacker makes it look like they are coming from somewhere else either technically or physically. So a hacker could log in at a cyber cafe in Germany but actually be a Syrian agent or a German hacker could write her code in Cyrillic text in an attempt to throw the victim off her trail.

Finally, a deterrent only works if the opponent is actually afraid of reprisals. Cyber-warfare currently has a body count of zero. A pure cyber response would only scare a state or non-state actor who has lots of information to lose. After the Sony hack, North Korea’s internet was taken offline. If this was a response by the US, it had very little impact because of how few people in that country actually interact with the internet. This is made even trickier with non-state actors who have no technological infrastructure that they are tied down to. This is why countries, including the US, deter cyber with hard military power. Russia has even gone so far as to claim it will take every cyber attack as it is a physical attack and respond accordingly. The US has said the military option is always on the table.

Trump’s cyber plan misses the mark. The four points, although on the surface seem to be reasonable, show a deep lack of understanding about the real threats facing the United States on the cyber front. The silver lining is that it appears that Trump does not seem to care deeply about this issue because it has basically not come up since the election. Next post will be looking at the GOP platform, seeing how it compares with Trump’s vision and evaluating the efficacy of their proposals.