WASHINGTON — The incoming Trump administration wants to audit the security of the federal government’s computer systems — a massive undertaking — and strengthen the hacking division of the U.S. military.
President-elect Donald Trump unveiled his four-part cybersecurity strategy last month.
It’s getting mixed reactions.
Cybersecurity experts say it has some good ideas.
“It sounds like a fairly rational, high-level playbook … but much of this is already being done to a certain extent,” said Jared DeMott, chief technology officer at Binary Defense Systems. He previously worked at the National Security Agency, where he spotted hacking vulnerabilities in computer equipment.
Point 1: A massive audit
Trump plans to “order an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure.” He plans to use a team of auditors made up of military, law enforcement and private sector experts.
All federal agencies already do that on their own. As a result, the level of security differs at different departments.
Hackers have an extremely difficult time sneaking into the computers at the CIA, NSA and the Defense Intelligence Agency because their technology teams hold themselves to a higher standard, former government employees say.
But there’s a much more relaxed atmosphere at civilian agencies — as evidenced by 2015’s massive theft of 21 million employee records at the Office of Personnel Management.
Trump wants a single team to examine it all.
“It’s a pretty tall order. Every department, every division. Typically these things get done best on a smaller scale. But it might not be all bad for some review team to have a cohesive look across the government,” DeMott said.
The process could take years, warned Joseph Loomis, CEO of defense contractor CyberSponse. He suggests that Trump’s auditor should establish a national cybersecurity standard at government agencies — and enforce it.
Protecting critical infrastructure, like the energy grid, is a job that already belongs to the Department of Homeland Security. Congress spent years figuring that out during the Bush administration, said former DHS deputy assistant secretary James Norton.
Point 2: More cyber police
Trump is calling for the Justice Department to create “joint task forces” across the country, teaming up federal, state and local police, to combat hackers.
Except the DOJ already does that.
The FBI runs “cyber task forces” in each one of its 56 field offices in the United States and Puerto Rico, according to Austin Berglas, a consultant at K-2 Intelligence. He previously led all hacking investigations at the FBI’s largest cyber branch, New York City.
“Is there room for improvement? Yes. But a lot of this stuff is already happening,” Berglas said.
Point 3: Improve America’s cyber army
Trump also wants top military officials to “provide recommendations for enhancing U.S. Cyber Command,” the agency in charge of America’s offensive computer attacks.
This one has cybersecurity experts scratching their heads.
The United States government has some of the world’s top hackers constantly breaking into foreign governments’ computer systems to monitor communications and steal secrets. It’s not a matter of technical prowess.
But experts say Trump’s administration could increase the actual number of fighters on the digital battlefield by boosting their government salaries to attract talent away from Silicon Valley.
Point 4: Develop better cyberweapons
Trump wants to “develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.”
The U.S. government is credited with having some of the most dangerous hacking tools on the planet. It famously managed to slow down Iran’s nuclear weapons development by using a cyberweapon called Stuxnet to hack computers that weren’t even connected to the internet — something the government has never formally acknowledged but that is widely discussed in the cybersecurity profession.
Yet these weapons haven’t deterred Russia from hacking into the Democratic National Committee, or China from hacking into American companies, or Iran from hacking into an American casino.
“It’s not just about who has the biggest cyber bomb,” said Greg Martin, a former technical adviser to the FBI and Secret Service.
What’s missing in Trump’s cybersecurity strategy is having the U.S. government draw some clear red lines in the digital realm, experts say. Companies and governments need clear rules on when a hack counts as acceptable espionage or an act of aggression — or an act of war.
“At some point in the near future, we are going to have to define cyberwar. At what point should we engage? At what point do we launch a counteroffensive?” asked Michael Borohovski, cofounder of Tinfoil Security. “It has to be answered soon. We’re on the eve of this.”