How Trump's cybersecurity comments might translate to his cyber policy
Experts weigh in on the 'old-fashioned way' of communication vs. modern technology
On New Year's Eve, President-elect Donald Trump offered a few words about cybersecurity. As is sometimes the case, those words landed with a deafening thud.
"You know, if you have something really important, write it out and have it delivered by courier, the old-fashioned way. Because I'll tell you what: No computer is safe," Trump said. "I don't care what they say."
Though many laughed the comments off, the question of whether critical information should be kept offline is interesting, especially following high-profile hacks of the federal Office of Personnel Management, the IRS and the DNC. Should the federal government consider a return to a pre-tech era?
Offline communications are inherently more secure against interception than digital ones, because an eavesdropper needs physical proximity to the message (Trump reportedly rarely uses email or computers, though he is clearly a fan of Twitter).
Trump is no stranger to hacking either. The Trump Hotel chain suffered multiple cyberattacks over the last few years that exposed the personal information of about 70,000 customers and prompted New York state to slap the hotel chain with a $50,000 fine.
The problem with taking seriously any suggestion that we return to the days of the courier is that we are far too technologically advanced for it to be feasible.
"The digital genie is long out of the bottle and it won't be going back in," said Robert Huber, chief security and strategy officer at Eastwind Networks. "The trend points towards commerce being only available online, in some cases, not the other way around."
And even data that's not already in digital form can easily be made digital using today's most basic technologies.
"The ubiquity of mobile phones with built-in cameras makes it trivial to quickly digitize a physical letter," said Rob Sobers, director of inbound marketing at cybersecurity firm Varonis. "No communication is 100% secure. And the massive efficiency penalty of reverting to paper makes it completely infeasible."
It would be nearly impossible to disconnect completely in the name of security. "It is a non-starter to un-digitize your banking, commerce, health and other information," agreed Nir Polak, CEO at Exabeam. "For the latter, even if you somehow convinced every employee to send paper letters instead of email, they would still surf the web; i.e., get malware from compromised web pages."
The best alternative, experts say, is better prevention.
"The bottom line is that most of the valuable information a company has is already digitized, and the pathways to get to it are growing, not shrinking," added Polak. "The focus should be on protecting the system, not rolling it back in time."
It's not that no computer is safe, according to Simon Gibson, fellow security architect at Gigamon and former Bloomberg CISO. "The issue is in how we think about protecting the data on them. The problem is that the more perfectly systems are interconnected, the more value they create."
Therefore, Gibson explained, better risk analysis should be used to determine what is made available electronically and what is made available to the internet at large. And of course, that doesn’t change the fact that even the best security is not foolproof.
"Cybersecurity can reduce risk, but it must be resourced appropriately and continuously monitored to drive risk down," said Huber. "Just like physical security at your home or office can reduce risk — locks, cameras, and motion sensors — you are still left with residual risk."
There are, however, tried and true approaches to make hacks vastly more difficult or expensive, from the technical (encryption, multi-factor authentication and secure e-mail) to the cultural (better training, more careful sharing or privacy protection).
"In the early days of automobiles, before airbags, crumple zones and three-point seat belts, it was a significantly more dangerous time to be a driver," said Ethan Ayer, CEO of Resilient Network Systems. "In the cyber world, virtually everyone is behind the wheel of a dangerous vehicle full of data, and we are still in the early days of cyber safety. Eventually, everyone will consider best practices regarding avoiding malware or phishing or using biometric authentication as common as using a seat belt behind the wheel."
Where does this leave us?
Trump has outlined little so far in terms of an actual cybersecurity plan, though he did offer the following statement last week following the release of an intelligence report about Russian hacks:
"Whether it is our government, organizations, associations or businesses we need to aggressively combat and stop cyberattacks. I will appoint a team to give me a plan within 90 days of taking office. The methods, tools and tactics we use to keep America safe should not be a public discussion that will benefit those who seek to do us harm. Two weeks from today I will take the oath of office and America's safety and security will be my number one priority."
With little revealed in terms of Trump's concrete cyber plans at this point, cybersecurity experts are left wondering how comments like the one he made on New Year’s Eve will shape his cybersecurity policy for the country. What type of policy will he issue? Will the federal government’s IT progress effectively grind to a halt?
Sobers of Varonis thinks the most likely outcome will be something akin to the European Union’s new General Data Protection Regulation, whereby companies can continue to use technology but have to put strict safeguards in place on important data.
John Bambenek, threat systems manager at Fidelis Cybersecurity, predicts that Trump's views on tech mean he is likely to be very strategic and conservative when it comes to implementing any new technologies.
"I do not see the next administration adopting new technology for the sake of adopting new technology," said Bambenek. "We live in a technology-driven society and I doubt we will see a complete return to the days of couriers, routing envelopes and interoffice memos. But I would expect that the administration would not be quick to adopt new tools without understanding the risks and what can be done to mitigate them."
"President-elect Trump will need to be educated on cybersecurity risks and capabilities to weigh that against benefits gained," said Huber. "I'm certain the benefits of going digital are obvious to Mr. Trump, which will likely lead to an increased focus on cybersecurity during his presidency."
How might that translate to the private sector?
Ironically, the public grows easily frustrated with more secure processes, so layering on more security may be in the public's best interest without being the best answer. A recent McKinsey study found that customers who became frustrated with the authentication process typically use digital services 20% less.
"The biggest barrier to safer computers is the inherent tension between security and ease of use," said Ayer. "Consumers want a frictionless digital experience but many of these new security measures come at a cost to user experience, and ultimately the bottom-line of the company providing the digital service. We are still at a point in time where both customers and companies are trying to find the correct equilibrium between convenience and security."