March 10, 2017
Can Trump Make ‘the Cyber’ Secure?
by Adam Levin
The new administration is making bad decisions based on a basic incomprehension of what is at stake and of what needs to happen next.
I have to admit that when now-President Donald Trump uttered the phrase “The Cyber” during the first presidential debate, I was right there with the tech community in the eye-rolling that followed. “The Cyber” memes were born, along with real concern about the then-candidate’s grasp on cybersecurity, and, with the announcement of former New York City Mayor Rudy Giuliani as the cyber czar, those concerns multiplied.
The seeming “misunderestimation” — or possibly anti-comprehension — regarding something so crucial to national security may not on the surface seem like a consumer issue, but it is.
Our nation’s approach to cybersecurity at this juncture — beset by hostile state-sponsored attacks on our electoral process; expertise and secret information grabs from major industries and the federal government; and ransomware attacks — is a matter of the utmost urgency, and the now-president has said as much, to his credit.
But Trump’s response can’t be just a marketing move or a branding opportunity — things he gets. There must not be merely the appearance of change, with commissions talking and debating endlessly but with little to show for it. There must be actual boots-on-the-ground solutions — now.
Unfortunately, I don’t think that’s what will happen.
Consumer protection at risk
The Consumer Financial Protection Bureau specifically comes to mind if Trump does as many are predicting he will do and makes it yet another piece of President Obama’s dismantled legacy.
The CFPB was an important accomplishment of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. The agency is charged with protecting consumers from the predatory financial practices that brought about the economic meltdown of 2007-08 and watching out for signs of future trouble. The CFPB has the power to ban financial products deemed “deceptive, unfair or abusive” and to impose penalties on companies that take advantage of consumers.
Barring a judicial miracle, current CFPB Director Richard Cordray is almost certainly going to receive one of Trump’s signature “you’re fired” communiqués. Worse, an anti-CFPB former Texas representative, Randy Neugebauer, appears to be the leading candidate to get the job.
Among other things, Neugebauer thinks that payday lenders are too roughly treated by the CFPB and that all business contracts should contain mandatory arbitration clauses (barring class action suits). He also thinks the CFPB should be headed not by a single director, but by a commission of people from both sides of the aisle. Those of us who support the CFPB believe that this would diminish the agency’s ability to go after dangerous practices that harm consumers in a timely and effective way.
The Trump transition team did not respond to a request for comment regarding its plans for the CFPB or Cordray.
This is about appointing the right people
It was reported that the cybersecurity czar role in the Trump administration will fall to the president’s close associate and campaign stalwart: Giuliani.
There is a connection here between what appears to be afoot at the CFPB and the next administration’s approach to cybersecurity. Both represent bad decisions based on a basic incomprehension of what is at stake and of what needs to happen next. The CFPB works — specifically, the single-director approach. Instead of hiring an opponent of the agency to presumably dismantle it, we should be using it as a model to create a single-director federal agency that emulates the CFPB to oversee cybersecurity.
As it stands, Giuliani will be bringing together experts working on cybersecurity solutions and business leaders who are targeted by hackers from the energy, financial and transportation sectors. The next step that is missing here is a government agency that can fine entities that do not meet the threshold for cybersecurity best practices — mandated employee education, maintaining technology and tools, hiring experts — that the agency would determine and set as a standard.
In a recent interview, Giuliani said of Trump, “He’s going to elevate this to a very large priority for the government — and I think, by doing this, he’s trying to elevate this as a priority for the private sector.”
Depending on private sector
As the Christian Science Monitor’s Passcode noted, quoting the former NYC mayor, the idea here is pretty simple: Trump will go straight to the public to “educate people on how important (cybersecurity) is, even to the point of their own personal protection.”
That is a fantastic idea that everyone should applaud. Whether the user is in the Pentagon or logging onto a free Wi-Fi network, our cybersecurity too often comes down to an individual clicking or not clicking on a malware-laden link or falling prey to some other security pratfall.
That said, any agency dedicated to cybersecurity would need to work closely with the military and intelligence communities and would also have to focus its resources on real solutions to the dangers we face, many of them extinction-level threats. The person running it would have to be at the cutting edge of cybersecurity best practices.
When the news came down of Giuliani’s cyber czar role, experts almost immediately hit Twitter with reasons why this was a bad idea. (Trump’s team also didn’t respond to requests for comment regarding this choice. Giuliani was not readily available for comment, either.) As it happens, the cybersecurity community took a look at the website of Giuliani’s cybersecurity company, giulianisecurity.com. They found serious problems, including an expired SSL certificate, no HTTPS and an exposed CMS login — just to name a few. You don’t need to know what these things are, but the cyber czar sure does. There can be no “oops” in his or her record.
This article originally appeared on ThirdCertainty.