Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program and David O’Connor is an intern at the Council on Foreign Relations.
After giving widely ridiculed remarks about cyber issues at last week’s debate, Donald Trump gave a speech on Monday laying the framework for his administration’s cybersecurity policy should he become president.
Fight cybercrime like the Mafia. Trump proposed creating joint task forces with a mandate to combat cybercriminals in the same vein as the task forces used to fight the Mafia: “I will instruct the Department of Justice to create Joint Task Forces throughout the United States to work together with Federal, State, and local law enforcement authorities and international law enforcement to crush this still-developing area of crime.”
Go on the offensive. Trump stated that cybersecurity can’t only focus on defense, and that the United States must develop “offensive technologies” as well. He called for “crippling cyber counter-attacks” to be used as a deterrent, referring to this as “the warfare of the future,” and U.S. offensive capabilities should also target non-state actors to turn cyber warfare “into one of our greatest weapons against the terrorists.” He would also seek recommendations from the Joint Chiefs of Staff and the U.S. secretary of defense for methods of bolstering the nation’s cyber defense capabilities.
Create a Cyber Review Team. Trump called for the creation of a team of “the best military, civilian and private sector cybersecurity experts” to “comprehensively review all of our cybersecurity systems and technology.” This team would begin their reviews with the most critical infrastructure and move on to less important systems, periodically conducting follow-up reviews. It would be empowered to provide departments with specific recommendations for “defensive technologies,” and provide up-to-date best practices for government employees to follow. Finally, the team would establish both a training program and a continuing education program for all government employees to be aware of potential cybersecurity threats and how to avoid them.
Viability and impact
Trump campaign’s cybersecurity proposals are the most detailed yet but they are fairly short on specifics. There is no mention of the debate over encryption, cybersecurity information sharing within the private sector and with government, or incentivizing the development of more secure software.
Nevertheless, the platform is largely consistent with current Obama administration policy. The U.S. government already has extensive offensive cyber capabilities, something the President Obama has been known to boast about. Consistent with Trump’s remarks that cyber tools need to be targeted at terrorists, Defense Secretary Ash Carter announced in February that the U.S. military was dropping “cyber bombs”—using cyber techniques to disrupt the self-proclaimed Islamic State’s command and control capabilities.
Trump’s call for a strong deterrent against cyberattacks is also consistent with Obama administration policy—the Department of Defense cyber strategy goes into this at length—and that of Hillary Clinton. The Democratic candidate has said that she “will make it clear that the United States will treat cyberattacks just like any other attack. We will be ready with serious political, economic and military responses.” At the first debate, she also emphasized the need to make America’s superior capabilities known to hostile actors.
Although both candidates vehemently agree with each other on the importance of cyber deterrence, experts are largely at odds on the viability of cyber deterrence as a strategy. Some believe that concepts of deterrence, largely copied from policymakers’ experience with nuclear deterrence, will not work given the enormous difference between nuclear weapons and offensive cyber tools. Others believe that some form of deterrence is possible, either through denial by strengthening defenses or through punishment by sanctioning unwanted behavior.
Analogizing cybercrime to combating the Mafia is interesting. Creating joint task forces to improve cooperation between local, state, and federal authorities could certainly help combat cybercrime and bring much needed tools and expertise to local authorities often understaffed or lacking the resources to investigate complaints. However, it is not always the case that cyber criminals are organized hierarchically like the mob, and in many cases one individual can attract more attention than a group. Additionally, it is unclear whether the task forces would investigate traditional crime facilitated by the internet (e.g. online fraud, ransom, harassment), crimes directed at computers (e.g. hacking, denial of service), or both.
Finally, the proposed cyber review team would seem to assume the functions of at least five other existing departments: the National Security Agency, the Department of Homeland Security, the Government Accountability Office, the Federal CIO Council, and the Office of Management and Budget. While an argument can be made for consolidation, without more details of what additional value the team would bring over existing entities suggests the review team would be one more bureaucratic creation in an already crowded and sometimes confusing cyber environment in government.
Overall, Donald Trump’s cybersecurity plan is partially a vague proposal for new government action on cybercrime, consolidation (or duplication) of existing executive branch work, and continuation of current U.S. policy with respect to offensive cyber activity.