The incoming Trump administration has promised to create a brand new “hacking defense” policy to protect the federal government and American companies.
It’s unclear what that will look like. But there’s a dire need.
In recent years, criminal hackers have stolen hundreds of millions of dollars and mountains of personal data from U.S. companies. Foreign governments have stolen classified information from federal agencies.
“The United States is hacked by everybody. That includes Russia and China and everybody,” President-elect Donald Trump said at a press conference Wednesday.
Right now, it’s no one’s job to protect all Americans from hackers.
Trump has tapped former New York City mayor Rudy Giuliani to chair a cybersecurity commission to put forward new ideas within 90 days.
Giuliani told reporters he will lean heavily on the nation’s quickly growing cybersecurity industry to develop these policies. He will also have the president meet executives of top cybersecurity companies.
Giuliani said Thursday that the idea is “to create a very vibrant and robust cyber defense for both the private sector and the government.”
That won’t be easy. The country’s current digital defenses are fragmented.
For example, it’s the job of the Department of Homeland Security to defend the federal government computers.
“But the reality is, they really don’t,” said former DHS deputy assistant secretary James Norton. “Each government agency is essentially on its own.”
That’s how you get a case like the OPM hack, in which China is suspected of stealing 21.5 million personnel records of federal employees.
As for protecting the American populace, that’s a dispersed job too. The FBI usually tips off companies when they’ve been hacked, then tries to catch the attacker. The Secret Service hunts down hackers who have stolen credit cards or engaged in identity fraud. DHS responds to attacks on private energy companies and other critical infrastructure. The National Security Agency has a role in warning American companies about incoming attacks, but its actions are shrouded in secrecy.
Cybersecurity expert Marcus J. Carey says the nation needs to be trained.
“People are the weakest link in organizations and there is nothing that our government can do to prevent this from happening,” said Carey, who previously worked at the NSA, defending the spy agency’s own networks from global hackers. “You can’t patch humans.”
Dani Grant, a cybersecurity expert at the internet company CloudFlare, agrees.
“Every student should learn how to protect themselves online as early as elementary school, and no engineering college student should get their computer science degree without taking a required course in computer security,” she said.
Katie Moussouris, one of the world’s top experts in the shadowy market for hacking tools, offered an alternative approach — relying on hackers for security.
“National hacking defense is only possible if we allow the global community of hackers to test the systems we rely on and report vulnerabilities so they can be fixed,” she said.
Trump’s administration could also push internet service companies — like AT&T, Comcast and Verizon — to start policing their own networks. It’s obvious they already watch the traffic that travels on their underground cables, because they catch people who illegally download pirated movies and songs. These network owners can start blocking annoying DDOS attacks and certain types of hacks, said Zuk Avraham, who founded cybersecurity firm Zimperium.
The United States has become one of the top hackers in the world — routinely breaking into foreign government computers to steal secrets and monitor activity. But, Giuliani pointed out: “We’ve let our defense fall behind. Our offense is way ahead of our defense.”
Cybersecurity experts largely agree on that — and the need to take a closer look at American resources.
“I think this is a great idea,” said Casey Ellis, CEO of cybersecurity firm Bugcrowd. “If the team that prepares the report is assembled thoughtfully, it’s a good opportunity for Trump to get a consolidated view of where the U.S. cyber defense actually stands.”