The Obama White House has had to reckon with cybersecurity like no other presidential administration in history, from China's 2009 hack of Google, to the Office of Personnel Management breach, to the rise of botnets built from dangerously insecure "internet-of-things" devices. Now, in the waning days of Obama's presidency, his team has a new plan to shore up America's protections from digital threats. Whether any of it happens, though, is up to Donald Trump.
Late Friday afternoon last week, the White House's Commission on Enhancing National Cybersecurity released the results of a nine-month study of America's cybersecurity problems. Its recommendations, in a hundred-page report, cover a lot of ground. It proposes fixing the shambolic security of internet-of-things consumer devices like routers and webcams, re-organizing responsibility for the cybersecurity of federal agencies, and fostering a new generation of skilled American cybersecurity experts, among other actionable steps.
But as President Obama acknowledged in a statement accompanying those recommendations, actualizing them is largely out of his hands. He asked the cybersecurity commission to brief President-elect Trump's transition team on its work as soon as possible. "As the Commission’s report counsels, we have the opportunity to change the balance further in our favor in cyberspace---but only if we take additional bold action to do so," Obama writes. "Now it is time for the next Administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change---both in the United States and around the world."
Whether the Trump team will in fact accept the commission's advice---or even its briefing request---remains a mystery. "No one in Washington knows what he’s going to do," says Alan Paller, the director of research at the security-focused SANS Institute and a former cybersecurity advisor to the Department of Homeland Security under George W. Bush. Paller says that even Trump's potential appointments for cybersecurity policy positions remain an unknown. "It’s very challenging to know who will be picked, and whether this [report] will have anything to do with their priorities." The Trump transition team didn't respond to WIRED's request for comment.
If the commission does get Trump's ear, it will have plenty to say. Its report includes dozens of "action items," including recommendations that the next White House:
- Create a system of security ratings for consumer products that resemble "nutrition labels" for buyers. Those ratings would be created by an independent organization and give consumers a sense of the vulnerabilities to hacking of the products they buy. (One potential rating organization might be the Cyber Independent Testing Lab, created at the White House's suggestion by hacker Peiter Zatko and his wife Sarah Zatko, a former NSA mathematician who advised the cybersecurity commission.)
- Assign the Department of Justice to perform a six-month study of legal liability for security flaws in internet-of-things devices. That investigation might be the first step in pushing for more legal consequences for product manufacturers whose insecure devices lead to harm to consumers or even companies and government agencies.
- Launch a national cybersecurity apprenticeship program that trains college students in applied information security, with the goal of adding 50,000 new "cybersecurity practitioners" to America's government and private sector workforce by 2020.
- Create a mandatory program that requires senior officials at all federal agencies be trained in cybersecurity basics to create a government "culture of cybersecurity."
- Ask Congress to increase research and development funding for any government agency that contributes to advancing an "integrated government–private-sector cybersecurity roadmap" to be created by the Director of the Office of Science and Technology Policy. That roadmap's goal would be funding computer systems that are cheaper, more secure and more usable.
The security product rating recommendation, in particular, could have a powerful effect on consumer awareness of cybersecurity issues, and create an incentive for manufacturers to secure their devices, says Josh Corman, who founded the internet-of-things security non-profit I Am The Cavalry and served as an advisor to the White House commission. "This isn’t saying you can’t make crappy, insecure products, but it has to be clear to the public just how healthy your products are," Corman says. "This would allow free-market forces to rule the day instead of heavy-handed compliance frameworks."
But many of the other recommendations only go as far as asking for more studies and voluntary guidelines for agencies and companies. That lack of bold action is a disappointment, says Paller. He had hoped the commission would recommend federal procurement guidelines that not only rated products based on their security, but required government agencies to only buy products above a certain security rating. "The imperatives were to protect, defend, and secure," he says. "If you read down through the recommendations, you don’t see it. You see, 'go to a meeting, look at a framework, have another discussion.'"
Trump's cybersecurity policy has so far been entirely secret or non-existent. The approach to cybersecurity revealed in his campaign consisted of his remarks in one debate that the "security aspect of cyber is very, very tough," followed by a non sequitur about his 10-year-old son's skill with computers. In a YouTube video last month about his plans for his first 100 days in office, he touched on cybersecurity only to say that he would ask the Department of Defense to "develop a comprehensive plan to protect America’s vital infrastructure from cyberattacks, and all other form of attacks."
In general, Trump doesn't seem likely to continue much that Obama started: He's promised to rescind many of Obama's executive orders. And he's vowed that for any single new regulation he puts into place, he'll get rid of two existing regulations, a promise that doesn't bode well for new, strong cybersecurity safeguards.
But I Am the Cavalry's Corman says he still hopes the cybersecurity commission's recommendations can transcend partisan politics---and that its last nine months of meetings, hearings and investigations won't be thrown out as the Trump administration starts from scratch. "If they have no intention of looking at it, it’ll be a shame," Corman says. "If they do, there’s plenty to sink to their teeth into."
