Give President a Break on Missing Cyber Report Deadline
Like Healthcare and Tax Reform, Trump Is Discovering the Complexity of InfoSec
President Donald Trump's failure to meet his self-imposed, 90-day deadline to report on how the U.S. government will defend itself against cyberattacks, such as those launched by Russia to influence the American presidential election, is much ado about nothing, at least when put in the context of overall cybersecurity.
Trump, at a Jan. 11 press conference, grudgingly conceded the Russians hacked Democratic Party computers in an attempt to influence the U.S. presidential election (see Trump on Hack: 'I Think It Was Russia'). At that press conference, he pledged to issue a report in 90 days on "hacking defense." The 90th day after his Jan. 20 inauguration passed last Thursday, April 20.
It's unclear whether Trump meant a report on the Russian hacks or a comprehensive policy on how cybersecurity would be approached during his presidency. Two days later, on Friday, Jan. 13, between 6:06 and 6:16 a.m., Trump in three consecutive tweets on the Russian hacks posted:
"It now turns out that the phony allegations against me were put together by my political opponents and a failed spy afraid of being sued.... Totally made up facts by sleazebag political operatives, both Democrats and Republicans - FAKE NEWS! Russia says nothing exists. Probably... released by "Intelligence" even knowing there is no proof, and never will be. My people will have a full report on hacking within 90 days!"
- Donald J. Trump (@realDonaldTrump), January 13, 2017
If Trump meant a report on the Russian hack, it'll never come. That's what most people inferred from his comments and tweets. "There is no team, there is no plan and there is no clear answer from the White House on who would even be working on what," reports the political newspaper Politico. Only his most die-hard supporters believe he'll issue a report focused on the Russian hacking.
But if we're charitable, and give Trump the benefit of the doubt that he meant a comprehensive cybersecurity review - although that's not the way he phrased it - then taking well over 90 days to complete the report is justified.
Let's not nit-pick over a few days or a few weeks or even months. President Barack Obama's 60-day cyber policy review in 2009, led by National Security Council official Melissa Hathaway, took more than 100 days to complete (see The President's 10-Point Cybersecurity Action Plan). Mapping out an IT security plan for the federal government takes time. After all, cybersecurity is complex, something Trump is likely discovering along with healthcare and tax reform.
Opportunity to Review
It's not just the White House that's missing cybersecurity deadlines. In mid-March, the Department of Homeland Security missed a deadline for submitting a new cybersecurity strategy to Congress, and a top DHS cybersecurity official said it could be months before it provides lawmakers with that policy (see DHS Late in Submitting CyberSec Strategy to Congress). "We're working on the strategy," Jeanette Manfra, acting deputy undersecretary for cybersecurity and communications, testified at a hearing of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection on March 28. "We do need time to ensure that the new administration has an opportunity to review and provide guidance on what that strategy should look like."
The Trump administration is taking its time as it works on a cybersecurity executive order, with at least three versions of the document having been circulated among cybersecurity experts and policymakers in and out of government. The latest known one, which surfaced in early March, emphasizes a risk-based approach to cybersecurity, including a requirement that federal agencies adopt the NIST cybersecurity framework (see Latest Executive Order Draft Promotes Risk-Based Approach).
Other signs that the Trump administration is taking cybersecurity seriously came this past week. Although sparse on details, DHS Secretary John Kelly, speaking last Tuesday at George Washington University, outlined the federal government's aggressive approach to cybersecurity, including partnering with the private sector to integrate its cutting-edge, commercially available technology with the government's own capabilities to defend federal networks against the endless stream of cyberattacks (see DHS Secretary Seeks Help from Tech Sector to Fight Cyberthreat). "No more muskets; our federal cybersecurity needs heavy artillery," Kelly said. "Our work is just beginning, but we're on the job. Cybersecurity is a priority for our department, because our country depends on a secure cyberspace."
'Some Internal Commission Kind of Thing'
Kelly in his remarks repeatedly spoke of a partnership with the tech sector to develop cybersecurity solutions, but except for revealing a recent trip he made to Microsoft, he didn't provide any details on how the administration would create that public-private sector collaboration.
The homeland security secretary referenced "some internal commission kind of thing" emanating from the White House, but he didn't clarify that statement in his remarks. I queried the White House and DHS for details. The White House referred me to DHS, which never responded.
A week before being sworn in as president, Trump named Rudolph Giuliani as a cybersecurity adviser, charging the former New York City mayor to develop that public-private partnership (see Donald Trump Taps Rudy Giuliani as Cybersecurity Adviser). Giuliani runs a security advisory firm. The White House never responded to my inquiry seeking the status of Giuliani's mission.
Perhaps we should give that mission time to develop, just like the issuance of a cybersecurity report.