As a presidential candidate Donald Trump, along with his surrogates and children Donald Trump Jr. and Eric Trump, pledged to defend American institutions, government organizations, and businesses from cyberattacks and hackers. But as is frequently the case with political campaigns confronted with the hard realities of governing, the Trump administration has stumbled regarding cybersecurity policy.
As the campaign was heating up, during the New Hampshire primary, both Trump brothers spoke with TechRepublic about the need for a robust cyber-defense policy. "Cyberattacks are one of the biggest security threats we actually face today," Donald Trump Jr. told TechRepublic in an interview during the 2016 presidential campaign. "[Donald Trump] would do what he does with a business, which is bring in the best of the best to make sure we have people that are competent and working on the right things to make sure that those systems are in place to be able to thwart and disarm any attacks that are coming this way."
The American government does a poor job of protecting business by fending off cyberattacks, Eric Trump said emphatically in an interview with TechRepublic. "Our whole way of life is electronic. You can't allow people to come in and infiltrate that ... You can't have people come in and ... attack private industry ... and attack the government. You can't allow that to happen. You have to be every bit as tough on cybersecurity as you are on regular security. He would be great at that."
SEE: Security awareness and training policy (Tech Pro Research)
And on multiple occasions during the campaign and as the president, Trump affirmed the need for stronger cyber-defense policy. In May the administration issued a cybersecurity executive order that aimed to identify and enumerate US advisaries, vulnerabilities, and capabilities of cyber-strikes against government and business targets. As recently as July 9th, 2017, Trump—amid accusations his campaign colluded with US adversary Russia—announced the formation of an "impenetrable cyber unit."
Both policies, however, were quickly stung with bipartisan criticism, including by Republicans who once worked on the campaign and in the Trump White House. "The joint cyber-unit is a joke and probably won't happen," said one former official who chose to speak anonymously, "and ironic in light of recent news [that Donald Trump Jr. met with a Russian attorney during the campaign] given [the president's] attacks" on rival Hillary Clinton during the campaign for her use of a private email server.
Business executives are also fuming at the proposed cyber-defense policy. "The [cybersecurity] executive order was terrible," Ed Amoroso, the former chief security officer of AT&T, told TechRepublic's Jason Hiner at the 2017 Borderless Cyber conference in New York. While the cybersecurity policy's goals are commendable, he said, the bill itself is incomprehensible and an "amazing jumble of page after page after page of requesting reports ... Who the hell is reading all those, and who's writing them? ... A thousand reports are just going to confuse us all."
Amoroso said the country—and by extension American business—would be safer if the administration focused on a few specific objectives: The president should make NIST the government's only security framework, move to the cloud and stop focusing on perimeter security, and create a Cyber Corps to recruit young people into cybersecurity.
"Your perimeter is police tape," Amoroso said. "It keeps nice people out. Bad people just lift the police tape." These three tactics, he explained, will protect American business interests by reducing the attack surface in the short term and provide long-term security by fostering a workforce skilled in cyber-defense.
SEE: How to make your Twitter Trump free and get back to work (TechRepublic)
Cybersecurity is a global problem that will acutely impact business with the rise of Internet of Things and artificial intelligence. All organizations—be they government, NGO, or business—need to take cyber-defense seriously and devise technological solutions for monitoring networks, create a policy for a rapid response to data breaches, and traini human assets to protect data by adopting best practices. It's imperative to train employees to follow best practices, said Eddie Schwartz, chair of ISACA's Cyber Security Advisory Council. "Your people are your assets, and you need to invest in them continually," Schwartz said in an interview with TechRepublic's Alison DeNisco. "If you don't get your people patched continually, you're always going to have vulnerabilities."
SEE: Infographic: Almost half of companies say cybersecurity readiness has improved in the past year (Tech Pro Research)
Cisco's Anthony Grieco, senior director of security and trust, advises a similar policy that amalgamates technological and human solutions to cyber-defense challenges. "We recommend that businesses take a holistic view in a security strategy that includes people, process, policy, and technology versus solutions for one type of attack," Grieco said. "Threats have become increasingly complex and often are related, so it's important to look at the bigger picture, particularly when so much can be at stake."
More security news:
- Cyberweapons are now in play: From US sabotage of a North Korean missile test to hacked emergency sirens in Dallas (TechRepublic)
- Ukraine is a test bed for global cyberattacks that will target major infrastructure (TechRepublic)
- Interview with a hacker: Kapustkiy from New World Hackers (TechRepublic)
- Get ready for the rise of spymail, the hottest trend in email hacking (TechRepublic)
- How to become a master cyber-sleuth (TechRepublic)
- From Russia with Tech: The top 5 most interesting Russian startups (TechRepublic)
- Video: Top 5 ways to track data breaches (TechRepublic)
- Get an inside look at the exploit infrastructure (TechRepublic)
- US government pushed tech firms to hand over source code (ZDNet)
- Microsoft's new Middle East chief: Why cloud and security are our big focus (ZDNet)
- Meet the shadowy tech brokers that deliver your data to the NSA (ZDNet)
- Employee political activity policy (Tech Pro Research)
- IT consultant code of conduct (Tech Pro Research)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Producer for CNET and CBS News.