When then-presidential candidate Donald Trump promised a comprehensive cybersecurity plan in 2016, it was pitched as a guard against the threat of cyber attacks on critical infrastructure – from power grids, to government agencies and election systems.
Now, with midterms around the corner, the National Cyber Strategy has been released but a number of actions illustrate a disconnect between the strategy’s words and the administration’s actions.
In March, the Office of Management and Budget reported that 74 percent of the 96 agencies it assessed were either “At Risk” or “High Risk” of a security breach.
More recently, nearly 85 percent of cybersecurity professionals at the Black Hat security conference agreed cyberattacks on the midterms were likely.
Despite this, the administration killed key cyber positions, repealed a directive to balance offensive cyber attacks, and refused additional funds for election systems around the country.
Whether this disregard is rooted in ignorance or is a more calculated form of neglect is yet to be seen, but the outcome is the same; critical systems are at risk.
Cybersecurity positions at the White House are a game of musical chairs – not so much because people’s positions change, but because seats are removed from the game.
Cybersecurity czar Tom Bossert and coordinator Rob Joyce were forced out of the White House, with their responsibilities shifted to two National Security Council senior directors. The U.S. State Department has also left the position of cyber ambassador unfilled.
Despite this, the National Cyber Strategy identifies “refining roles and responsibilities” as one of its priorities, calling for ‘clarity’ and ‘coordination’ of the roles of Federal agencies in addressing cyber threats to the U.S.
In mid-July, Congress excluded new funds for improving election security from its spending bill. The funds would have added millions of dollars to help states improve voting systems and administer elections.
September’s National Cyber Strategy highlights “Protecting our Democracy” as a priority, promising increased training and support for state and local government officials “when requested”.
Attacks against voting infrastructure have been confirmed, and the refusal to bolster already compromised infrastructure is – to put it mildly – concerning. One case, against the Illinois State Board of Elections, illustrates the level of vulnerability – asked about the Board’s ability to defend itself, an executive characterized the fight as “bows and arrows against the lightning”.
Leading with the Chin
In August, President Trump reversed Presidential Policy Directive 20 (PPD-20). This laid out a complicated interagency process for deploying cyber weapons against adversaries.
Pulling back PPD-20 means the gloves are off and offensive cyber capabilities can be deployed more easily. The cyber strategy codifies this, giving agencies such as the NSA greater remit to conduct offensive cyber attacks.
Certainly, revisiting how the U.S. should respond to threats is important, but the U.S. is not prepared to defend its key infrastructure from targeted cyberattacks. At its apparent state of readiness, conducting any kind of offensive cyber warfare would have severe repercussions, while the attacks against the U.S that are already succeeding will continue to succeed. As in boxing, if you keep your guard down it’ll be a short bout – no matter how many haymakers you throw.
What we know is that the federal government has displayed an alarming lack of commitment to election security as a crucial midterm election approaches, even though it’s been made plain that bad actors will attempt to breach or influence those systems.
So now, with the midterm elections looming, the cyber strategy has all the right words, but no one seems to be singing them.