Last Monday evening, President-Elect Donald Trump released a video in which he promised to work with the Department of Defense and Joint Chiefs of Staff on a “plan to protect Americas’ vital infrastructure from cyber attacks.” This promise reflects Trump’s ignorance of how cyber warfare works — calling in the Marines to secure the nation’s computers is about as effective as killing malware with a firearm.
On the vast, interdependent internet, evolving technologies and best practices must be adopted across the ecosystem for anyone to be secure. An effective cyber defense requires long, hard years of continued investment in research, education, strong encryption, standards, regulations, enforcement, and global cooperation. Unfortunately, Trump’s stated policy goals promise to halt and even reverse the hard-fought progress made in recent years defining and enforcing new cyber standards. The impact on national security will be dire.
Furthermore, Trump’s call to boycott Apple for refusing to break their iPhone encryption exposes a disregard for cyber privacy that threatens to undermine both our freedoms and our prosperity under his presidency.
Stop-and-Frisk in Cyberspace
The US is a cyber superpower, alongside China, England, Israel and Russia. While Edward Snowden’s revelations suggest that the U.S. likely harbors the most potent cyber weapons, the agencies that develop and wield them have a clear mandate to use them only on foreign targets — for example, to retaliate against Russia’s repeated pattern of cyber aggression.
To Trump, however, Vladimir Putin is a friend — the nation’s true enemies lurk within the American homeland: illegal Mexican immigrants, Muslim jihadist refugees, obstructive protesters, and conspiring journalists. Echoing Rudolph Giuliani, Trump has touted stop-and-frisk as a legitimate exercise of “law and order” so we should expect the same in cyberspace, as federal agencies redirect their formidable arsenals away from foreign and toward domestic surveillance. No wonder Peter Thiel supported and now advises Trump – his company Palantir sells the software used by intelligence agencies to monitor large populations; investors plowed another $20 million into the Palantir just last week.
Judicial and legislative oversight bodies normally protect US citizens from mass domestic surveillance. But Trump’s tweets and campaign rally warnings about ISIS have escalated American fear of the terrorist threat to the highest point since 9-11, when Congress passed the Patriot Act. The Republican Congress and Trump-appointed judges may give the President broad leeway.
The Danger of Deregulation
Preventing cyber attacks is impossible without regulation, because cyber neglect is like polluting, drunk driving, or refusing to vaccinate – it endangers not only the reckless, but everyone else as well. The security of every online transaction depends upon the integrity of all the vendors in the ecosystem who handle payments, network traffic, email delivery, cloud servers, and more. Furthermore, any infected computer or device can be used to attack others (as we saw in the October DDoS attack that caused massive internet outages). Without broad regulations and enforcement, internet commerce cannot be secured.
Donald Trump’s campaign speeches and web site have consistently promised to reduce the rules, headcount, and overall spending in the SEC, FTC, CFPB, FCC and IS Oversight Office – the very federal regulatory agencies that have taken the lead in defining and enforcing cyber standards. (His adviser Mark Jamison openly plans to nearly eliminate the FCC.) In addition to the budget savings, Trump sees this as a key element in his plan to promote business and increase jobs. By design, these cuts will relax the rules and enforcement of cyber standards for the public companies, banks, consumer-facing merchants, and network carriers that these agencies regulate. We should expect similar cuts in other regulatory authorities such as the Center for Medicare and Medicaid Services (which enforces HIPAA rules for the healthcare industry) and the Federal Energy Regulatory Commission (which oversees NERC standards for the power grid).
Cyber deregulation will empower American businesses to sell our data to anyone collecting profiles of US citizens. Meanwhile, with a U.S. president who actually invited and benefited from Russia’s intervention in the election, Russian cyber attackers feel they enjoy free rein in American cyberspace. With the rollback of cyber regulations, consumer-facing businesses will slash their own cyber security budgets, leading to weaker systems that further accelerate the growth and severity of information breaches. With our private information exposed, brace for a dramatic rise in identity theft and cyber stalking.
In contrast, the European Union has set the standard for privacy laws that limit how businesses and government agencies can use our information. Once disdained by the business community, these laws now give Europe the competitive advantage. In the wake of Snowden’s revelations, mistrustful Europeans moved their data from US clouds and services to EU alternatives — during Trump’s presidency, Americans will join them. While some Americans look to Switzerland as a safe haven for money, and Canada as a safe haven for our families, many will look to Germany as a safe haven for data.
President Trump’s deregulatory policies will jeopardize not only privacy, but also national security. Our homeland’s greatest vulnerability may well be the cyber threat to our critical infrastructure, potentially disrupting life-support services like power and water. Furthermore, a single breach of a water treatment facility, dam, or nuclear reactor can directly kill millions of people – a cyber 9-11. And yet today most of the nation’s utilities run un-patched software on industrial control systems that remain defenseless, awaiting NERC cyber regulations to kick in next year. A four-year reprieve from these rules by Trump’s administration will expose the U.S. to a massive terrorist attack, and open the door for Russia or other nations to embed cyber bombs in our machinery for future activation. Even if the Defense Department can accurately attribute such attacks, they can only retaliate—they cannot prevent them.
The election of Donald Trump has profound implications for the security of cyberspace. Unless Trump reverses his positions on deregulation, government surveillance, and the Russian threat, his administration will dismantle the safeguards of cyberspace, threatening America’s commercial prosperity, individual privacy, and national security.
Source: SANS ISC SecNewsFeed @ November 30, 2016 at 01:15PM