| This is the seventh entry in a series examining actions during the first 100 days of the new Trump administration and their possible implications on the arms trade, security assistance and weapons use in the future. |  Allison Pytlak |
Russia’s interference in the 2016 U.S. election was one of the biggest stories in recent history. "Cyberwar"’ and "cyber security" dominated headlines at the outset of Donald Trump’s presidency, even before his inauguration. Yet despite the unprecedented media chatter and controversy, the President’s response to cyber issues has been underwhelming. Key deadlines on publicly articulated deliverables have been missed entirely and other initiatives are lagging. While there are inklings of plans to strengthen America’s online infrastructure and systems, including through partnership with the private sector, technology moves notoriously faster than politics. If President Trump doesn’t act soon, it will continue to be dangerously vulnerable.
Much of the story about Trump’s first 100 days in the cyber context is rooted in the scandal over whether or not the Russian government played a role in determining the outcome of the U.S. elections, through various hacking and doxing schemes, and by extension, if the then-presidential candidate had a role in any of it. To refresh our memories, this first began in June 2016 when the Democratic National Committee reported an intrusion into its computer network and the cyber security firm CrowdStrike publicly blamed Russian hackers, following their investigation. As stolen emails from the committee began to appear on public sites, there were other voices – from the government and the intelligence community – reinforcing the view that the attacks originated from the Russian government.
In December the already suspected motive for these actions gained credence when the Washington Post disclosed a secret CIA assessment that declared it “quite clear” that a Trump presidency was the ultimate goal of the hacks. In January, the CIA, FBI and NSA – referring to themselves collectively as the “intelligence community” – publicly concluded that Russia had used cyber methods in pursuit of “undermining public faith in the U.S. democratic process, denigrate Secretary [Hillary] Clinton, and harm her electability and potential presidency”.
While attribution in cyber space is complex and difficult, it is not impossible. Good forensics can uncover digital fingerprints. Ascribing such a clear and conclusive motivation to a cyber operation is more unusual, often because the evidence is circumstantial at best. Not surprisingly, the intelligence report prompted a maelstrom of finger pointing, accusations and reactions from President Obama before leaving office.
The response from then President-elect Trump was quite clear, in that he said he would appoint a team to provide an anti-hacking plan within 90 days of taking office. This was reinforced by a tweet on January 13 and followed up by an event on cyber security in late January that featured former New York City mayor Rudy Giuliani, who now leads a group tasked with building private sector partnerships on cyber security. At the time Trump said, “We must protect federal networks and data. We operate these networks on behalf of the American people and they are very important.”
The 90-day mark for this plan has now come and gone with nothing in sight nor any updates on its status. As we now hit the 100-day milestone, most in the community are wondering if this plan will ever emerge.
Also languishing is the Senate Intelligence Committee’s probe into the election interference, including whether there was any coordination between the Kremlin and Trump. The Committee announced it had agreed on the scope of its investigation more than three months ago, and claims it has done some initial work. But it is significantly hampered by lack of capacity, recently promising to add more staffers after being criticized for lacking full-time dedicated staff, and those working on it part-time said to lack investigative experience.
On the international front, the State Department recently argued that a proposed new treaty to govern cyberspace would be “misguided” and “misses the mark.” Microsoft has recently begun to call for such an agreement, referring to it as a “Digital Geneva Convention." There are various multilateral discussion fora in which states meet to discuss behavioral norms in cyberspace that the United States participates in; some wonder if this will change.
The one bright spot is a pending executive order on cyber security that is expected any day. Leaked drafts indicate that it could mandate agency-by-agency reviews of security practices and requiring agency compliance with the National Institute for Standards and Technology cyber security framework. It might also make it a policy to modernize information technology or encourage the expansion of the cyber workforce. Overall, the emphasis would be on improvement and modernization; which could lay the groundwork for related legislation.
This would be positive. Research shows us that that the more developed and technologically sophisticated a country is, the more vulnerable it becomes to hacking and other malicious cyber operations because so much of how it functions involves digital networks. This vulnerability is true for both foreign and domestic cyber attacks. As Symantec recently noted, the 2015 hack of the Office of Personnel Management continues to impact the federal government technologically and financially, while state and local governments, as well as universities, find themselves under constant attack and struggling to defend the safety of the vast amount of information they keep.
It’s also clear that this is not a problem that will go away anytime soon. To date, most cyber "conflict" actually entails low-level antagonistic actions like hacking, distributed denial of service (DDoS) attacks or similar. But what is very much on the minds of many governments is how to protect their critical infrastructure, which could range from electrical grids to, in the case of the United States, nuclear or other weapons systems.
At what point does software become a weapon, and how can the arms control community, in the United States and elsewhere, address this? Experts believe it’s unlikely that a nuclear weapon could be detonated through a cyber operation or attack, but is a possibility not to be dismissed. More likely is that nuclear weapons software and associated systems could be altered as they are being built, or electronic signals might somehow be sent to nuclear weapons. Hackers could also wreak havoc through manipulating information that these systems depend on. The methods and means by which something like this, or other malicious operations, would occur require more thought.
Allison Pytlak is a Program Manager in the disarmament program (Reaching Critical Will) of the Women’s International League for Peace and Freedom
Much of the story about Trump’s first 100 days in the cyber context is rooted in the scandal over whether or not the Russian government played a role in determining the outcome of the U.S. elections, through various hacking and doxing schemes, and by extension, if the then-presidential candidate had a role in any of it. To refresh our memories, this first began in June 2016 when the Democratic National Committee reported an intrusion into its computer network and the cyber security firm CrowdStrike publicly blamed Russian hackers, following their investigation. As stolen emails from the committee began to appear on public sites, there were other voices – from the government and the intelligence community – reinforcing the view that the attacks originated from the Russian government.
In December the already suspected motive for these actions gained credence when the Washington Post disclosed a secret CIA assessment that declared it “quite clear” that a Trump presidency was the ultimate goal of the hacks. In January, the CIA, FBI and NSA – referring to themselves collectively as the “intelligence community” – publicly concluded that Russia had used cyber methods in pursuit of “undermining public faith in the U.S. democratic process, denigrate Secretary [Hillary] Clinton, and harm her electability and potential presidency”.
While attribution in cyber space is complex and difficult, it is not impossible. Good forensics can uncover digital fingerprints. Ascribing such a clear and conclusive motivation to a cyber operation is more unusual, often because the evidence is circumstantial at best. Not surprisingly, the intelligence report prompted a maelstrom of finger pointing, accusations and reactions from President Obama before leaving office.
The response from then President-elect Trump was quite clear, in that he said he would appoint a team to provide an anti-hacking plan within 90 days of taking office. This was reinforced by a tweet on January 13 and followed up by an event on cyber security in late January that featured former New York City mayor Rudy Giuliani, who now leads a group tasked with building private sector partnerships on cyber security. At the time Trump said, “We must protect federal networks and data. We operate these networks on behalf of the American people and they are very important.”
The 90-day mark for this plan has now come and gone with nothing in sight nor any updates on its status. As we now hit the 100-day milestone, most in the community are wondering if this plan will ever emerge.
Also languishing is the Senate Intelligence Committee’s probe into the election interference, including whether there was any coordination between the Kremlin and Trump. The Committee announced it had agreed on the scope of its investigation more than three months ago, and claims it has done some initial work. But it is significantly hampered by lack of capacity, recently promising to add more staffers after being criticized for lacking full-time dedicated staff, and those working on it part-time said to lack investigative experience.
On the international front, the State Department recently argued that a proposed new treaty to govern cyberspace would be “misguided” and “misses the mark.” Microsoft has recently begun to call for such an agreement, referring to it as a “Digital Geneva Convention." There are various multilateral discussion fora in which states meet to discuss behavioral norms in cyberspace that the United States participates in; some wonder if this will change.
The one bright spot is a pending executive order on cyber security that is expected any day. Leaked drafts indicate that it could mandate agency-by-agency reviews of security practices and requiring agency compliance with the National Institute for Standards and Technology cyber security framework. It might also make it a policy to modernize information technology or encourage the expansion of the cyber workforce. Overall, the emphasis would be on improvement and modernization; which could lay the groundwork for related legislation.
This would be positive. Research shows us that that the more developed and technologically sophisticated a country is, the more vulnerable it becomes to hacking and other malicious cyber operations because so much of how it functions involves digital networks. This vulnerability is true for both foreign and domestic cyber attacks. As Symantec recently noted, the 2015 hack of the Office of Personnel Management continues to impact the federal government technologically and financially, while state and local governments, as well as universities, find themselves under constant attack and struggling to defend the safety of the vast amount of information they keep.
It’s also clear that this is not a problem that will go away anytime soon. To date, most cyber "conflict" actually entails low-level antagonistic actions like hacking, distributed denial of service (DDoS) attacks or similar. But what is very much on the minds of many governments is how to protect their critical infrastructure, which could range from electrical grids to, in the case of the United States, nuclear or other weapons systems.
At what point does software become a weapon, and how can the arms control community, in the United States and elsewhere, address this? Experts believe it’s unlikely that a nuclear weapon could be detonated through a cyber operation or attack, but is a possibility not to be dismissed. More likely is that nuclear weapons software and associated systems could be altered as they are being built, or electronic signals might somehow be sent to nuclear weapons. Hackers could also wreak havoc through manipulating information that these systems depend on. The methods and means by which something like this, or other malicious operations, would occur require more thought.
Allison Pytlak is a Program Manager in the disarmament program (Reaching Critical Will) of the Women’s International League for Peace and Freedom
RSS Feed