When it comes to cybersecurity policy, the Trump administration's head and body have rarely seemed to agree. Take the past two months, for instance. In late October, the president made an absurd declaration at a campaign rally that “nobody gets hacked.” That same week, the Cybersecurity and Infrastructure Security Agency (CISA), Justice Department, and Treasury Department all took separate, landmark steps to counter Russian hacking—unsealing an indictment against six hackers in Russia's GRU military intelligence agency, imposing new sanctions on the Moscow research institute responsible for a uniquely dangerous piece of malware, and warning of an ongoing hacking campaign believed to be carried out by the FSB.
A few weeks later, Donald Trump lost the election and laid the blame on false conspiracy theories about electoral hacking and fraud. When CISA released a statement lauding the election as the "most secure in American history," contradicting the president's claims, Trump summarily fired CISA director Chris Krebs. This year was finally capped off by revelations of a disastrous hacking campaign that hijacked the software updates of IT management firm SolarWinds to breach a slew of federal agencies and tech firms. Now, even as attorney general William Barr and secretary of state Mike Pompeo have pointed to Russia as the culprit, Trump has responded by downplaying the crisis, suggesting intrusions might have been carried out by China instead.
On almost every significant cybersecurity issue of the past year, President Trump has appeared to be either AWOL or at war with his own federal agencies. But cybersecurity observers on both sides of the political divide say the results of that disconnect have been a surprisingly mixed bag: The ongoing SolarWinds debacle shows how Trump's disjointed, self-serving failures of leadership have left the federal government struggling to pull together a coherent response to one of America's most serious cybersecurity failures in years. But in other cases, Trump's inattention to and ignorance of cyber issues led him to empower and then largely ignore leaders at agencies like CISA, the NSA, and Cyber Command, allowing them to carry out aggressive new tactics that often were effective, if uncoordinated.
In that sense, the Trump administration's headless strategy has at times seemed to be an inadvertent success, argues Jacquelyn Schneider, a cybersecurity fellow at the Hoover Institution and a senior policy adviser to the DOD Task Force on the Cyber Solarium Commission. Agencies were trying a broad set of unprecedented actions to curb foreign hacking, from indictments and sanctions to attempts to reveal and sabotage adversaries' hacking tools. Their efforts have won bipartisan approval from the security community. "We got progress because the administration was so dysfunctional that it just kind of forgot about all these capabilities that they've given these agencies and let the agencies figure it out," says Schneider. "We got a lot of bottom-up experimentation, and the agencies were able to do and try things that, maybe with a lot of overhead and a lot of careful watching, they wouldn't have done."
Only after SolarWinds did the real cracks in that decentralized strategy—or lack of strategy—begin to show, Schneider argues. "They're doing the best they can operationally, and having some operational success," Schneider says of the heads of agencies like CISA, the NSA, and Cyber Command. "But they’re missing the larger strategic picture, especially when it comes to Russia."
Strong Arms, Weak Brain
This year's bold measures from the federal government to counter foreign hacking have included a statement in February from the State Department naming and shaming the Russian military unit behind a cyberattack against the nation of Georgia—a rare move given that Georgia is not a member of NATO. Throughout the year, the NSA, Cyber Command, and CISA have all published information about foreign hackers' tools with warnings about how they're being used—and, in the case of Cyber Command, accompanied by mocking cartoons—rendering them far less effective and stealthy. And Cyber Command in October took the unprecedented step of hacking into and sabotaging the TrickBot botnet, a collection of more than a million cybercriminal-controlled computers that had been used in ransomware attacks, severing the operators' connections to the majority of their enslaved machines. That hacking operation was not merely the first time Cyber Command's abilities had been used against hackers; it's also the first known case of the agency using its attack capabilities against any adversary's hacking infrastructure.
Most of those actions were the result of strong leadership at the agency level of the federal government, argues J. Michael Daniel, the president of the Cyber Threat Alliance, who served as cybersecurity coordinator during the Obama administration. He names NSA director and head of Cyber Command General Paul Nakasone, NSA cybersecurity directorate head Anne Neuberger, and CISA's Krebs as a few of the figures who pushed for aggressive responses on cybersecurity despite the relative inattention of the president. "This administration at the most senior levels really doesn't value these kinds of activities, and the fact that the agencies have continued to slog away at them is a real testament to their personal drive to stick to their missions," Daniel says.
But those agency-level actions clashed with the politics of the Trump White House, most visibly in the firing of Krebs in November. Daniel argues that dissonance, as well as a more general lack of attention from the White House, resulted in a disorganized response when the administration faced the surprise of the SolarWinds hack. Even before Trump's Twitter comments undermining the seriousness of the hacking campaign and the attribution to Russia, Daniel points out, CISA and the NSA each released separate reports about the intrusions that probably ought to have been combined, had each agency been aware of the other's work. "It's in the crisis moments that you can see the central leadership really missing," says Daniel.
More broadly, Daniel argues, the lack of coordination across agencies means lost opportunities to amplify actions with diplomacy, White House statements, or economic pressure. He points, by contrast, to examples of responses to Chinese hacking in the Obama administration, when the White House, State Department, Treasury, and the Department of Justice all closely aligned their messaging that China's state-sponsored theft of private-sector intellectual property needed to stop. "Whether it was at the secretarial level, whether it was at the presidential level, ambassadors, or elsewhere, part of the talking points was pushing on this issue of the theft of intellectual property. The message was organized and coherent, and it was backed up by things that we were doing in other areas." The result, Daniel says, was a landmark agreement between Obama and Chinese president Xi Jinping that neither would engage in state-sponsored hacking of the other's private sector for commercial gain, an agreement that led to an immediate drop-off in Chinese intrusions against US targets.
That sort of coordination has been lacking from the Trump administration most visibly since 2018, when Trump's then-national security adviser, John Bolton, summarily removed both Rob Joyce, Trump's cybersecurity coordinator, and homeland security adviser Tom Bossert, Trump's most senior cybersecurity-focused official. Joyce, who had formerly led the NSA's elite Tailored Access Operations team, returned to a position at the NSA, but neither he nor Bossert was ever replaced in their White House roles.
Bossert today says he's been dismayed by the Trump administration's chaotic response to the SolarWinds breaches, particularly on the question of attributing the operation to a nation-state, which he argues should be the responsibility of the federal government. "It's important that the government provide some leadership here," Bossert says. "The government at the very least has a responsibility not to misattribute or cloud the attribution." Instead, Trump's tweet casting suspicion on China has only muddied the waters.
Other than this most recent imbroglio, however, Bossert argues that the Trump administration's aggressive cybersecurity policies have been effective and that they aren't just an accident or the result of a leadership vacuum. He says that along with Joyce and others in the Trump administration, he tried to instill in officials a preference for action rather than deliberation. He describes a conversation with Joyce early on, in which Joyce told Bossert that they needed to "play jazz music," as he put it.
"Instead of sitting down and composing a whole orchestra on sheet music, you want to actually make the music by playing it," says Bossert, who now serves as the president of cybersecurity firm Trinity Cyber. Rather than create policy by debating rules and norms on paper, you create it by taking action. "I said, yeah, we're going to have a bent toward action and make decisions and policies as we go." That bent, Bossert says, led to moves to call out North Korea for its use of the destructive WannaCry worm in May 2017, for instance, and to call out and then sanction Russia for its deployment of the even more destructive NotPetya worm that hit the following month.
Even without presidential coordination, Bossert argues, the preference for action to curb foreign hacking continued after his departure from the White House. "It wasn't just an outgrowth of the accidental, haphazard nature of the Trump administration," Bossert says. "You can make that argument in some instances, but that was also the conscious design that I brought to my job for a year and a half. And I can tell nobody really changed anything that I put in motion after I left."
But even if federal agencies chalked up unlikely cybersecurity successes over the Trump administration’s last, chaotic year, its critics say they'd still like to see significantly more cybersecurity leadership from the Biden White House. The Hoover Institution's Jacquelyn Schneider calls for an approach that falls somewhere between the Obama administration's careful coordination and deliberation—sometimes verging on over-deliberation—on cyber policy issues and the Trump administration's headless approach, which verged on a free-for-all after the departure of Joyce and Bossert. The need for central coordination isn't just evidenced in the SolarWinds disaster, either, she says: Offensive hacking operations by Cyber Command, for instance, do require oversight to avoid mission creep, she argues, and more central coordination could make the sort of actions that CISA or Cyber Command took far more effective.
Still, Schneider says she doesn't want to fully erase the results of all the cyber policy experimentation carried out under Trump—or despite him.
"Are we going to go back to just Obama 2.0? I don't think we should, actually," Schneider says. "I think there are some things that the Trump administration unintentionally did correct. And we should probably build on that."