Cybersecurity came to the fore in this presidential race like never before, but many question Donald Trump’s tech credentials going forward. Phil Muncaster investigates…
The United States electorate has engineered its very own ‘Brexit moment.’ Something many believed was impossible a year ago has happened and reality TV star and controversial businessman Donald Trump is heading for the White House. With the dust beginning to settle on one of the most controversial presidential election races ever fought, what are the implications for cybersecurity?
In many ways it was a schizophrenic election. On the one hand, it was dominated by Russian cyber-attacks, allegations of tampering with voting systems, predictions of mass DDoS attacks and the Clinton email debacle. Yet on the other, neither candidate seemed to have any idea how to tackle some of the biggest challenges ever to face the country: state-sponsored hacking, financially motivated cybercrime, and the balance between law enforcement and privacy.
Experts are hopeful of the future, but much of that hope rests on the belief that, once in power, Trump will be better advised than he has previously been on cybersecurity issues.
Back to the Election
The race to become the 45th president of the United States was fraught with incident – and much of it related to cyber controversies. The Democratic Party came under particular attack, with countless private emails released by ‘Guccifer 2.0’ in the run up to the election, causing the resignation of Democratic National Committee (DNC) chair Debbie Wasserman Schultz, and considerable embarrassment to the Clinton camp.
The Department of Homeland Security (DHS) and Office of the Director of National Intelligence on Election Security then took the unprecedented step of blaming the Kremlin. “We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities,” they said. The tension was ramped up even higher when the government revealed that several states had observed the “scanning and probing of their election-related systems.” This activity was never attributed to Russia, but it was widely believed that the Kremlin was attempting to undermine the very electoral system on which US democracy is based – thereby destabilizing whomever was elected on the world stage.
Hillary Clinton’s decision to use a private email server for state business while Secretary of State could undoubtedly have played a big part in her election loss. It was a constant theme of the Trump campaign – leading the property mogul and his followers to brand her “Crooked Hillary” and claim she would ultimately be thrown in jail for her transgression. Although the FBI eventually cleared her of wrongdoing – despite reopening and swiftly closing the investigation just days before the polls in what many saw as a cynical political move – the damage was done. It should be a cautionary tale for any public figure that it always pays to do things by the book. Here was arguably the most experienced politician ever to run for president, undone in part by technology and an error in judgement.
The irony is that, according to security researcher Kevin Beaumont, many of the businesses run by Donald Trump are a major cybersecurity risk. Beaumont scanned publicly available records to find that Trump email infrastructure was running the no-longer supported Windows Server 2003 and Internet Information Server (IIS) 6 – potentially exposing it to hackers.
Election Night
The US election system itself was never under any great threat. As FBI director James Comey said, it is so dispersed and “clunky as heck” that it would be difficult for hackers to have made any real difference to the outcome. However, attackers were definitely “poking about,” he claimed, and several security vendors warned of the possibility that DDoS attacks – potentially powered by IoT botnets – could take down sites run by NGOs and others that arrange transportation to polling stations and provide information to voters.
Rapid7 was one of those firms monitoring closely. A spokesman tells Infosecurity at the time of writing: “We have not observed any cybersecurity foul play related to the election to date.”
Dora Kingsley Vertenten, a professor at the USC Price School of Public Policy, agrees. “There were no major issues that were not handled internally on election day through the normal course of election day management,” she tells Infosecurity.
What Comes Next?
More important is what happens next. Can we trust a man who refers to “the cyber” and rambles about his 10-year-old son being “good with these computers” when asked in a presidential debate who is responsible for hacking American institutions? Those looking to his advisers to provide some much-needed wisdom and context will be disappointed that former chairman of the House Intelligence Committee, Mike Rogers, has apparently been ousted from the transition team.
So what can we expect from the property mogul? His campaign website outlines a ‘vision’ short on detail. It specifies an immediate review into all “US cyber defenses and vulnerabilities” by a Cyber Review Team. This team will then provide recommendations on where to plug those gaps and establish mandatory awareness training for federal employees. Trump says he will also order the defense secretary and chairman of the Joint Chiefs of Staff to provide recommendations for enhancing US Cyber Command. There’s also a sentence on the need to develop cyber offensive capabilities to deter state and non-state actors.
Washington-based think tank the Information Technology and Innovation Foundation (ITIF) has rounded up Trump’s previous statements on tech in a handy primer document. It makes for nervy reading, especially his uncompromising stance against Chinese IP theft, which could result in the US applying tariffs if China “fails to stop illegal activities.” The state-backed Global Times has already hit back, claiming Beijing will respond “tit-for-tat” to any such move, which could be disastrous for Apple, Microsoft and other US tech firms with major operations in the Middle Kingdom.
Civil Liberty, RIP?
More worrying still for Silicon Valley is that the next president of the United States is on record as supporting encryption backdoors and wants to restore the Patriot Act. In fact, when Apple refused to undermine iOS encryption to provide the FBI with access to the San Bernardino shooter’s phone, Trump called for users to boycott the company.
Neema Singh Guliani, legislative counsel at the American Civil Liberties Union (ACLU), tells Infosecurity that any efforts to mandate encryption backdoors or resurrect illegal NSA surveillance will be met by “fierce opposition” from the tech industry, national security experts and the public.
“Our hope is that the next administration categorically rejects proposals to mandate encryption backdoors and support reforming NSA authorities that have violated the rights of millions of Americans,” she adds. However, USC’s Vertenten thinks a showdown is inevitable.
"Donald Trump has railed against Apple, asking 'Who do they think they are?' and suggested the internet be 'taken back' and 'closed up’,” she explains.
“Ultimately, Congress will have to decide any new rules for engagement in technology policy, including rules to require companies to build backdoor encryption access, which will be supported by a president Trump. Silicon Valley has been courting speaker Paul Davis Ryan, the current Speaker of the U.S. House of Representatives, with fundraising to benefit Republican officeholders with just such a showdown in mind.”
Outgoing president Barack Obama may end up regretting his decision not to roll back more fully the fearsome surveillance apparatus put in place by the Bush administration.
The Job Queue
Despite the uncertainty and concern over what may happen during the next four years, a solid Cabinet and experienced backroom team could yet steady the ship for the Trump administration. At the time of writing, former New York mayor Rudolph Giuliani has said he would “love to become the person that comes up with a solution to cybersecurity.” He currently chairs a cybersecurity, privacy and crisis management practice, although he may be looking for an even more prominent position, like attorney general.
Elsewhere, Trump has offered the role of national security advisor to retired army lieutenant general Michael Flynn. Flynn has experience, but was sacked by Obama as head of the Defense Intelligence Agency (DIA) and his management style has been described as “chaotic.” Nevertheless, ITIF vice-president Daniel Castro believes he and figures such as Texas Republican Michael McCaul could lend valuable experience to the Trump camp.
“A Trump administration will likely make improving America's cyber offensive and defensive capabilities a priority. But it is not clear yet how cyber policy might affect the private sector,” he tells Infosecurity. “The tech community would be wise to make an early effort to educate the incoming administration about issues like encryption as these debates risk re-surfacing again.”
Much may already be clear by the time this piece goes to press, but it’s already evident that Silicon Valley lawyers and lobbyists are going to have their work cut out with the new regime.
The last word goes to the Electronic Frontier Foundation, which sent the following to Infosecurity:“Nobody knows whether things said on the campaign trail will translate into real policies, but we're watching closely.”
We are indeed.