Over the final years of the Obama administration, cybersecurity became a top priority of government agencies. Massive compromises of citizen data, most recently at the Office of Personnel Management (OPM), have propelled the issue to the forefront of discussions to reshape government. After campaigning on a robust response to cybersecurity, what will the Trump administration do to improve the cyber resilience of government institutions?
From 2014 to 2015, OPM announced that there were major breaches of government databases that impacted over 22 million current and former federal employees. An initial hack, made sometime in early 2014, was not initially reported to the public and was revealed only by a New York Times article in July 2014. It was suspected that the breach impacted nearly 400,000 current and former federal employees and may have been caused by stolen keycards.
A second breach, believed to have begun in December 2014, was not revealed to the public until June 2015 when OPM reported that 4 million current and former federal employees had their personal information compromised. Within the next few months, FBI Director James Comey estimated that an additional breach of data impacted 18 million individuals, and an OPM investigation fixed this number at 19.7 million individuals.
The Obama Administration’s Response
An audit released by the Inspector General for OPM highlighted the IT security management system and the high turnover of information security officers as two key concerns in the agency’s cybersecurity role. Additionally, the audit found many of the investigative service technology systems used by OPM were past due for security checkups. While OPM’s Federal Investigative Service, which conducts civilian background checks, remains within the agency, it is now secured by the Department of Defense and operates as the National Background Investigation Bureau.
In December, the Obama administration’s Commission on Enhancing National Cybersecurity released a comprehensive report on Securing and Growing the Digital Economy. Among several recommendations, the Commission suggested a national cybersecurity public-private program as a forum to address cyber concerns and called for all agencies that interface with the public to use strong authentication software. Additionally, it set forth several workforce planning initiatives to attract 100,000 new cybersecurity practitioners by 2020, and a motion to move federal agencies to a management approach based on enterprise risk management to better adapt to challenges and design better solutions.
The Commission’s report noted, however, that the Obama administration was mostly powerless to implement any of these recommendations, as they were released with a little over two months left before Trump took office. This highlights the approach that has been taken toward cyber reform within the past few years, which has been mostly through executive memoranda or orders and little legislation. One of those few pieces of legislation was the Cybersecurity Information Sharing Act of 2015, which gave private companies the legal protection to share information with the government to help protect consumers.
The Trump Administration’s Approach
The Trump administration can change course from the previous administration by undoing or overturning executive orders or memorandums on cyber initiatives. However, efforts on the congressional front are already showing that cybersecurity is a top priority for the 115th Congress. The National Defense Authorization Act (NDAA), passed by Congress before its final recess in 2016, includes several provisions for workforce planning that focus on attracting top cyber talent to the Department of Defense. Congressional action on this front adheres to the belief that the best way to remain at the forefront of cyber resilience is to hire the best talent.
According to President Trump’s platform, there will be a comprehensive review of all cyber defenses within the country and continued work across all levels of government to respond to cyber incidents. Additionally, there will be a push for ‘offensive’ cyber warfare in response to the attacks and government system compromises of previous years. The proposals given in Trump’s platform are broad strokes, and may not reflect what next steps will be taken.
After the San Bernardino shooting, Trump called for a boycott of Apple products when the company signaled that it wouldn’t assist the FBI in breaking into the iPhone of the shooters. According to some security and privacy experts, calling on a private company to give its secure communications over to the government so easily is an area of concern. While the cooperation of private companies with government falls in line with Obama cybersecurity recommendations, the encryption of consumer data by private companies is a level of protection that many feel is necessary given the frequent cyber breaches in the U.S. Trump’s comments suggest that the new administration may be more willing to compel private companies to cooperate with federal investigations on data breaches, which can be helpful in better understanding attacks and preventing future compromises of data.
Beyond the President, what will top policymakers in the new administration do with cyber reform? Of the appointments announced so far, Trump’s pick for Attorney General, Senator Jeff Sessions (R-AL), provides some insight into what cyber could resemble under the next administration. As a member of the Senate Judiciary Committee, Sessions also stood in solidarity with the FBI in its battle with Apple over encryption. He also supports greater power for the NSA and other surveillance agencies that may limit civil protections, and an amendment he proposed for the Email Privacy Act would have allowed government officials to demand data from tech companies without a warrant in emergency situations.
Fewer privacy protections in place and stringent requirements for companies to share data with government entities resemble a cyber environment that caters less to consumer protections and more to security concerns. However, the sharing of data between private and public entities, while mandatory, may improve the government’s response to cyberattacks in the new administration.