How Did Cybersecurity Become So Political?
It wasn’t always this complicated.
Less than a month before he was elected president, Donald Trump promised to make cybersecurity “an immediate and top priority for my administration.” He had talked about technology often on the campaign trail—mostly to attack Hillary Clinton for using a private email server when she was secretary of state.
But less than two weeks into his presidency, it’s Trump and his team who have struggled to plug important security holes, some of which are reminiscent of Clinton’s troubles.
Rather than sparking an uproar, the problems have largely been buried the by other changes and crises of the Trump administration’s first days. But even without the distracting firehose of executive orders, announcements and tweets, half of America wouldn’t blink at the new president’s computer-security shortcomings. That’s because cybersecurity, like just about everything else, has become burdened with political baggage.
Here’s a short rundown of the security problems that dogged Trump’s White House during his first week as president:
- Trump still uses his personal smartphone—and according to an analysis at Android Central, it’s a Samsung Galaxy S3, a phone first introduced in 2012. “A Galaxy S3 does not meet the security requirements of the average teenager, let alone the purported leader of the free world,” Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, wrote in Lawfare. It’s safe to assume the president’s Android phone has already been compromised by at least one foreign intelligence service, Weaver wrote, and is giving foreign agents constant access to Trump’s location, or recording everything said near the device at all times.
- Several of Trump’s top staffers, meanwhile, appear to have been using private email addresses hosted by the Republican National Committee until last week. Kellyanne Conway, Jared Kushner, Sean Spicer and Steve Bannon all had email addresses that ended in rnchq.com, Newsweek reported, opening them up to hacking attacks—as well as to some of the same criticisms leveled at Clinton during the campaign.
- The Twitter accounts of several of those same advisers—as well as the official @POTUS and @VP accounts—were found to have poor security settings that can make it easy to guess the email addresses associated with them. The @POTUS and @VP accounts had been secured with private Gmail addresses, as were accounts belonging to Bannon, Trump’s chief strategist, and Spicer, his press secretary. If any of those personal email addresses were compromised—via a spearphishing attack, for example, which was how hackers got into John Podesta’s emails—the connected Twitter accounts could easily be taken over, too. As Joseph Bernstein wrote in BuzzFeed earlier this month, a takeover of Trump’s Twitter accounts could lead to a national-security disaster in any number of ways.
- On the topic of Twitter: Since taking over the official @PressSec account, Spicer has twice tweeted, and then quickly deleted, a meaningless string of letters and numbers. They may have been his Twitter passwords.
- The one person in Trump’s inner circle who’s specifically designated to advise him on cybersecurity matters, Rudy Giuliani, doesn’t seem very qualified for the job. The former New York City mayor started a cybersecurity consulting company after the end of his mayoralty—but as Zach Whittaker wrote in ZDNet, it’s very unclear what the company actually does. In his public statements on cybersecurity, Giuliani has compared hacking to cancer, and hackers to the Mafia. His company’s website, now inactive, was plagued with security issues. And he only discovered Signal, the gold standard of secure messaging, a few weeks ago, when “one of my cybersecurity experts downloaded it for me,” he told The Wall Street Journal.
Cybersecurity figured more prominently in the 2016 race than ever before, in part because Clinton’s email server was in the spotlight for so much of it. But that doesn’t mean voters suddenly care about how carefully politicians guard their digital secrets.
A survey conducted last week by Public Policy Polling asked whether Trump should be allowed to use a private email server—and 42 percent of Trump voters said yes. (By contrast, 87 percent of Republicans said Clinton did something illegal—for example, by using a private server—compared to 13 percent of Democrats who said the same, in a McClatchy-Marist poll from November.)
A similar split appears when Democrats and Republicans are asked about Russia’s attempts to influence the election. In a Fox News poll from December, 85 percent of Republicans said Russia’s meddling had no effect, compared to 36 percent of Democrats who said the same. (A report prepared by the intelligence community concluded Russia had tried to help Trump win the presidency, but didn’t evaluate whether the Kremlin’s effort was effective.)
How did we get here?
For years, cybersecurity was straightfoward. It was about common-sense goals: keeping your own PC clean, company networks free from hackers, and critical infrastructure safe from foreign intrusions. But as it started to affect and frighten everyday Americans—not to mention Congress, which is famously behind the curve on technology—cybersecurity got sucked into the inevitable vortex of politicization.
Things began changing sometime in the last four or so years. Documents leaked by Edward Snowden in 2013 brought to light the extent of the national-security spying apparatus for the first time, and captured widespread attention, far beyond just privacy wonks and IT professionals.
Around the same time, massive data breaches hit Americans one after another: one that affected Target customers in 2013, another at Home Depot in 2014, and two enormous breaches at the Office of Personnel Management that same year. And while the intrusion into Sony Pictures that year didn’t affect as many people as some of the other breaches, the sordid details it revealed brought the power of state-on-state cybercrime even to the pages of TMZ.
As cybersecurity nudged its way into the lives of normal people, Washington took note. The 113th and 114th Congresses passed several cybersecurity bills that were signed into law, including the controversial Cybersecurity Information-Sharing Act, which provided incentives for companies to share details about cyberthreats with the government, and the USA Freedom Act, which ended the National Security Agency’s bulk-spying program.
Along the way, cybersecurity—and especially privacy—became increasingly political. Only one Democrat voted against the USA Freedom Act, for example, which cut back on Patriot Act surveillance powers. I wrote about the increasing partisanship around digital privacy last year, when Democrats and Republicans were divided over supporting Apple or the FBI in a case surrounding an iPhone that belonged to one of the San Bernardino shooters. Democrats tended to agree with Apple’s position—the company fought back against a request to unlock the shooter’s phone—but Republicans aligned more closely with the FBI.
Trump certainly hasn’t helped calm the waters. He’s shown a profound lack of understanding about computer security, hacking attribution, and cyberwar. And by writing off as a “political witch hunt” the intelligence community’s assessment that Russia was behind cyberattacks on top Democrats and Democratic organizations, he did more than just malign top intelligence agencies—he compounded his supporters’ belief that the findings were politically motivated.
(For his part, Barack Obama often framed cybersecurity as a bipartisan issue. “Defending against cyber threats, just like terrorism or other threats, is one more reason that we are calling on Congress not to engage in politics,” Obama said at a cybersecurity summit at Stanford. “This is not a Republican or Democratic issue.”)
Politicizing cybersecurity is dangerous: It threatens to tie a critical matter of national security to the whims of partisanship. And if voters make decisions about cybersecurity based on what party they identify with, protecting American people, businesses and government agencies—let alone the integrity of critical national infrastructure—will come in second to scoring political points.
NEXT STORY: GAO: NCCIC needs to clarify operating principles