Look for U.S. President Donald Trump’s administration to push for increased cybersecurity spending in government, but also for increased digital surveillance and encryption workarounds.
That’s the view of some cybersecurity policy experts, who said they expect Trump to focus on improving U.S. agencies’ cybersecurity while shying away from new cybersecurity regulations for businesses.
Trump is likely to look for ways for the National Security Agency and other agencies to assist the government and companies defend against cyberattacks, said Jeffrey Eisenach, a visiting scholar at the American Enterprise Institute and a tech advisor during Trump’s presidential transition.
“Cyber has to be top of mind for any view of the United States’ global strategy,” Eisenach said Wednesday during a discussion about Trump’s cybersecurity priorities. “If you’re not thinking of cyber first, I don’t know what you should be thinking about.”
A proposed executive order from Trump on cybersecurity was leaked in January, but its formal release was postponed. Beyond the leaked drafts, it’s difficult to read the tea leaves of a Trump cyber policy, other cybersecurity experts said.
Given Trump’s focus on fighting terrorism during his presidential campaign, he’s likely to push for greater surveillance powers, said Adam Klein, a senior fellow at the Center for a New American Security. A foreign surveillance provision in U.S. law is set to expire at the end of the year, and Klein expects the Trump team to push for unfettered reauthorization.
Trump “campaigned on vigorous counterterrorism efforts, and that is likely to lead [his] approach on surveillance and privacy issues,” Klein said. Trump may move away from former President Barack Obama’s attempts to balance privacy and national security, he said.
The Department of Homeland Security has already talked about demanding social media passwords during border searches, Klein said. While he said he doubts the searches will happen, the discussion “suggests we’re in a new era here,” he added.
Meanwhile, Trump and new Attorney General Jeff Sessions have both criticized tech companies’ resistance to encryption backdoors, Klein noted. Both called on Apple to assist the FBI with unlocking a terrorism suspect’s iPhone last year. Even if Congress doesn’t pass encryption legislation, the Department of Justice could aggressively sue tech companies that refuse to break encryption, he said.
While Trump initially pushed for the cybersecurity executive order, related issues now seem to be on the backburner in his administration as he focuses on a travel ban from Muslim-majority countries, building a border wall, and other issues, said Denise Zheng, director of the Technology Policy Program at the Center for Strategic and International Studies.
Drafts of the executive order assigned each cabinet official more responsibility for the safety of data within their agencies. Trump has also called for agencies to modernize their IT systems as a way to improve cybersecurity.
One of the main cybersecurity issues going forward is Russian hacking and its impact on the presidential election, but that’s a “tough issue” for Trump to tackle, Zheng said.
Trump should focus on encouraging agencies and companies to share cyberthreat information and on modernizing government IT systems, recommended Steve Grobman, CTO of Intel Security. The government’s legacy IT systems “were not designed to make use of modern security best practices,” he said.
To help with private-sector cybersecurity, Trump should look for ways to expand cybersecurity training programs, Grobman recommended.
And instead of regulations, Trump could look at tax breaks as a way to encourage companies to improve their cybersecurity, he added. “Positive incentives, rather than punitive regulations, will help produce real results,” he said.
Grobman also called on the Trump administration to resist any urges to require encryption backdoors in tech products. Encryption backdoors in devices may prompt criminals to move to other encryption technologies that device makers have no control over, he said.
“We need to test whether we’re solving the problem with the solution that’s being recommended,” he added.