Assessing President Trump’s Legacy of Cyber Confusion
Things did not start off well with Rudy Giuliani named as President-Elect Trump’s cybersecurity advisor in January 2017, a position he still technically holds to this day. It was not until May 2017 that President Trump signed a long-awaited executive order mandating a series of risk management reports in the hundreds on cybersecurity issues across the federal system. These reports were largely delivered behind schedule with no response or action.
There has been no movement from the executive branch on election security, aside from a bill that makes hacking voting systems a federal crime. The confusion over the election and voting machines, with a tinge of a global plot lead by long-dead Venezuelan President Hugo Chavez, is a symptom of the lack of federal coordination on standards and regulations over electoral security.
In April 2018, U.S. Cyber Command released [PDF] their long-awaited strategy, now called a vision, that articulated persistent engagement as the defining orientation of U.S. cyber warriors in opposition to the Obama’s administration’s position of restraint in cyberspace. In September 2018, the Department of Defense (DOD) released their Cyber Strategy [PDF], which did not mention persistent engagement and instead was focused on the concept of defend forward.
Confusion of terminology ensued with no one quite sure how to rectify the two visions of U.S. cyber strategy from the same overall department (DOD). The issue was not really cleared up until 2019 when Commander of U.S. Cyber Command Paul Nakasone clarified [PDF] that persistent engagement was the operational implementation of the defend forward strategy.
There still remains confusion if persistent engagement is an aggressive and dangerous strategy, or a purely defensive strategy to secure the nation. With no metrics for evaluation, we could never know. A distinction of what was and wasn’t a persistent engagement operation was never clarified, and now nearly every operation—disrupting the Internet Research Agency, deploying Cyber National Mission Forces to Estonia, or sharing malware with the private sector—is labeled persistent engagement.
Behind closed doors, the Trump administration loosened authorities on offensive cyber operations through NSMP 13, or at least we think they did since the whole issue was classified even to Congress at the time. There were also reported secret orders to give more authorities to the CIA to launch offensive cyber operations.
Other areas where President Trump’s cyber legacy deserves low marks include the “Clean Network” initiative, bans on TikTok and WeChat, the elimination of the national cyber coordinator position, the gutting of the State Department’s cyber diplomats, and “covfefe.”
On December 13, news started to leak of a massive hack into U.S. systems through a vulnerability in the SolarWinds Orion IT monitoring service. The widespread attack has affected almost all aspects of the U.S. government and many companies, including Microsoft. Although Secretary of State Mike Pompeo stated that “we can say pretty clearly that it was the Russians that engaged in this activity,” President Trump nearly immediately contradicted him, writing in a Tweet, “Russia, Russia, Russia is the priority chant when anything happens because Lamestream [media] is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!).”
Through all this, there is a concern that the Trump administration will uncouple the NSA and U.S. Cyber Command, ending the dual-hatted role of its leader, General Paul Nakasone. While there is merit to the idea, completing the massive task on the way out the door, in the middle of the massive fallout from the SolarWinds incident, complicates the ability of President-Elect Biden to organize cybersecurity defenses.
Overall, the Trump administration will leave a legacy of confusion over cybersecurity issues with few positives. CISA, the wing of the Department of Homeland Security focused on cyber issues, became more powerful and established, leading some to wonder if it should be an independent agency. The crises between Iran and the United States during the Summer of 2019 after the downing of a U.S. Global Hawk drone actually deescalated due to cyber actions, providing a substitute for more aggressive military options.
The greatest positive of all could be that the Trump administration was unable to slow down the Cyberspace Solarium Commission’s efforts to reform cyber strategy. The commission articulated an evolution of U.S. cyber strategy through layered cyber deterrence, but more critically, it offered fifty-two legislative proposals, of which twenty-five made it into the 2021 NDAA [PDF], making it perhaps the most comprehensive piece of legislation on cybersecurity so far.
The Biden administration could enter to provide clarity in a domain that has lacked it since its inception. It is more likely that the United States will move forward with slow incremental change. Nonetheless, anything should be an improvement over the last four years, which have set the bar quite low.
Brandon Valeriano is the Bren Chair of Military Innovation at the Marine Corps University. He also serves as a senior fellow at the Cato Institute.This article is published courtesy of the Council on Foreign Relations (CFR).
