By Joseph Marks
President Trump delivers the State of the Union address in Washington on Feb. 5. (Toni L. Sandys/The Washington Post)
The omission was glaring given that Trump's own Homeland Security chief has warned that digital attacks pose a greater threat to U.S. security than terrorism. And experts say it was a missed opportunity to catalyze the nation to do something about it.
From the head of the Global Cyber Alliance and former Obama administration cyber official:
Loss from cybercrime: $600B (@CSIS)
Records of personal info breached: 446.5M (@itrcsd)
Sentences about cybersecurity in #SOTU: 0 (non-specific IP theft reference)
How far to go for cybersecurity and privacy: A long way
— Phil Reitinger, Principle Engineer (@CarpeDiemCyber) February 6, 2019
Yet the state of the union's cybersecurity is, in a word, precarious. And there was a lot Trump could have said on digital security.
Even Trump's tougher comments on China put a rosy spin on a major economic drain on American companies. He did not provide a roadmap for actually reducing IP theft as Chinese hackers continue to rob U.S. companies of reams of IP and trade secrets. And the global cost of cybercrime has also grown nearly 50 percent in four years and accounts for nearly 1 percent of global GDP.
What's more, intelligence officials continue to warn that Russia, Iran or North Korea might launch a major hack against U.S. critical infrastructure, such as hospitals and energy plants. That threat did not earn a single mention in the speech -- and Trump's section on infrastructure also did not mention fortifying it from such an attack.
Experts said there's lots to do on this front. From Tenable's VP of global government affairs:
Good to see a call for investment in infrastructure in tonight’s #SOTU. We must safeguard our #criticalinfrastructure from cyberattacks, develop nat'l standards to monitor vulnerabilities in CI, close the Cyber Exposure Gap and address fundamentals like basic cyber hygiene.
— James Hayes (@HayesJh27) February 6, 2019
That was a missed opportunity for the president to use his highest-profile speech of the year to issue a stark warning to Russia and other nations seeking to undermine U.S. democracy, experts said.
There’s no guarantee that would cow Russian President Vladimir Putin and other U.S. adversaries, but it would have been a strong message from a president who has wavered on endorsing the intelligence community’s conclusion that Russia was responsible.
“As long as Trump is in active denial of what happened to the U.S. in 2016 and continued to this very day, it will enable not just Russia but incentivize other actors to attack similarly,” Peter Singer, a senior fellow at the New America think tank, told me.
The speech may be a sign that the prospects look grim for major cyber initiatives in 2019.
“Sadly, 2019 will likely be a year of retrenchment in terms of American activity” on cyber issues, Paul Rosenzweig, a former DHS cyber official and a senior cybersecurity fellow at the R Street Institute, told me.
The president could have issued a clarion call to critical industry sectors and cybersecurity companies to work more closely with government on identifying and combating cyberthreats, Neil Jenkins, a former top cyber official at the Homeland Security Department who’s now chief analytic officer at the Cyber Threat Alliance, told me.
Or he could have called on U.S. allies to band together to combat digital theft of intellectual property and to protect global supply chains, former White House chief information officer and current Fortalice CEO Theresa Payton suggested.
He could have launched a wide-scale public awareness campaign about cyberthreats and how to combat them, Tony Cole, chief technology officer at Attivo Networks and an adviser to NASA, told me, including offering federally backed cybersecurity training programs at the K-12 and university level as well as more federal money for cybersecurity-focused scholarships and internships.
He could even have announced a new civilian cybersecurity corps, Singer suggested — a coalition of security-screened and cyber-savvy volunteers across the country who are ready to step in and help, say, to secure the communications of emergency responders after a natural disaster or to assist after a state agency is breached or is facing a distributed denial of service attack.
Instead, Cole told me, the nation’s cyber problems will likely continue to grow without major presidential attention.
“Cyberthreats are a current and major security challenge faced by corporations, governments, and all Americans,” Cole said, “and it’s getting worse each day.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
Acting attorney general Matthew G. Whitaker and Homeland Security Secretary Kirstjen Nielsen at the Justice Department in Washington on Jan. 28. (Jacquelyn Martin/AP)
In December, Director of National Intelligence Daniel Coats also said that the U.S. intelligence community didn't find any compromise of U.S. election infrastructure that would have disrupted the 2018 midterms. DHS's top cybersecurity official has warned that Russia and other adversaries may view the midterms as merely a "warm up" for the 2020 presidential contest.
Sen. Amy Klobuchar (D-Minn.) on Capitol Hill on Jan. 15. (Carolyn Kaster/AP)
Under the legislation, foreign officials involved in running elections would be invited to travel to the United States to study American election procedures. U.S. officials and experts would also have an opportunity to study how foreign allies seek to protect their elections from interference by adversaries. Klobuchar and Sullivan initially introduced the legislation in the previous Congress.
The Washington skyline on Jan. 9. (J. Scott Applewhite/AP)
Industry has historically been wary of sharing cyber threat information with government, but has begun to share more information in recent years, Suzanne Spaulding, a former top DHS cybersecurity official, said during an FDD panel discussion Tuesday following the memo's release. While industry largely has not taken advantage of an Obama-era law that gave them legal protections if they shared threat information directly with the government, they have stepped up information sharing with industry sector groups that then share that information with government in turn, Spaulding said.
A pedestrian walks past a Huawei store in Beijing on Jan. 29. (Kevin Frayer/Getty Images)
— A former deputy assistant director of the FBI's Cyber Division said the focus on hiring more cyber professionals isn't the solution to fix America's cybersecurity problems, Nextgov's Aaron Boyd reported. Steven Chabinsky, now a partner at White and Case, suggested during the FDD panel discussion Tuesday that the government and businesses ought to partner to address threats against critical infrastructure instead of just hiring more people.
“The largest problem with all of cybersecurity is that we recognize that the private sector is on the front lines but we have not empowered, in any way, shape or form, economically, the private sector to do what needs to be done with the government to resolve this at a higher level,” said Chabinsky, who also served as senior cyber adviser to the director of national intelligence, according to Nextgov. “Every person, every business should not be on the front lines of a national security problem. It’s crazy.”
Rep. Jan Schakowsky (D-Ill.) on Capitol Hill on Dec. 1, 2015. (Chip Somodevilla/Getty Images)
The flaw allowed a user to listen in on another user before the recipient had picked up by calling them in a group conversation. “Your company and others must proactively ensure devices and applications protect consumer privacy, immediately act when a vulnerability is identified, and address any harm caused when you fail to meet your obligations to consumers,” the lawmakers told Cook in the letter.
Vilnius, Lithuania, on Jan. 18, 2019. (Mindaugas Kulbis/AP)
Russia is also targeting Lithuania's energy industry, according to the nation's intelligence agencies. “The agencies said they had observed Russian intelligence targeting people in Lithuania’s energy sector and trying to hack into control systems to gain the ability to disrupt Lithuania’s electricity supply,” Reuters reported.
- CPX 360 cybersecurity summit in Las Vegas.
- The Center for Strategic and International Studies holds an event titled “Mitigating security risks to emerging 5G networks.”
- Texas Technology Summit in Houston.
- ARC Industry Forum in Orlando through tomorrow.
- The Center for Strategic and International Studies holds an event on digital surveillance on Feb. 13.
Source: The Washington Post