While plenty of controversy has surrounded President Donald Trump’s fledgling administration, it hasn’t yet faced a major crisis.
But according to Forrester Research, aside from any political or military events, the new president will face a cyber crisis sometime within his first 100 days.
The company made the prediction last fall, prior to the election, as part of its “Predictions 2017” brief, so it didn’t specifically focus on either Trump or Democratic candidate Hillary Clinton.
But it said, “the momentum of winning the election gives new presidents the public sponsorship to follow through on key initiatives of their campaigns. However, the 45th president will lose that momentum coming into office by finding (himself or herself) facing a cybersecurity incident.”
The Forrester brief said possible crises could range from a cyber attack by another country to a heightened debate within the country over new digital security and privacy laws.
And given the constant barrage of major cyber incidents in both the public and private sectors, such a prediction seems about as certain as predicting that Trump will take to Twitter sometime during the week.
As Dana Simberkoff, chief compliance and risk officer at AvePoint, put it, “to suggest that a crisis would not happen in the next 100 days is probably a bit more controversial than the reverse.”
But, of course, “crisis” can mean different things to different people.
Jeff Pollard, principal analyst at Forrester, described it as, “anything that interrupts a person or company from focusing on what they want to accomplish.”
He said the aftermath of an attack – the investigation, possible legal action and fixing the problem – can take weeks to years, and is disruptive enough to, “take attention away from other priorities for the parties involved.”
But that doesn’t amount to a crisis in the view of other experts.
Jeffrey Carr, author and principal consultant at the 20K League, said one of the biggest cyber incidents of the Obama administration – the 2014 breach of the federal Office of Personnel Management (OPM), which compromised more than 22 million personal records of current and former federal employees – “was terrible, but it wasn’t a crisis.”
Along similar lines, he said last fall’s DDoS attack, which used the Mirai botnet to take down internet backbone provider Dyn, “was a wake-up call and had some significant effects regionally, but it wasn’t a crisis.”
In his view, a crisis would, “interfere with our critical infrastructure,” in the areas of:
- Transportation, especially air travel, trains, and trucking
- Financial services, such as stock trading
- Power grid, involving repeated outages over a sustained period
Richard Stiennon, chief strategy officer at Blancco Technology Group, said it could be a crisis of staffing, as the administration “scrambles to find leadership in cyber defense,” but could also come from nation-state adversaries.
“It could easily be a last gasp effort on the part of North Korea to demonstrate its prowess. It could be a Russian attack on critical infrastructure coincident with some military action in Eastern Europe. It could be a Ukraine-style power outage,” he said.
Reg Harnish, CEO at GreyCastle Security, said it is possible that a “Twitter-jacking” of the president’s account could cause a crisis.
“Don't underestimate the power of fake tweets – they have crushed stock prices, ruined careers and mobilized countries toward military action,” he said. “There are an infinite number of things that could be done.”
He said it could begin as simply as an attacker spoofing a tweet from Trump saying he had decided to release his tax returns, with a link presumably to see those returns.
“Within 30 minutes there would be 18 million people who clicked that malicious link, infecting their computers and giving access to corporate networks all over the world. The possibilities are endless,” he said.
But Harnish agreed that more damage would come from a state-sponsored cyber attack on, “our intelligence platforms, military, industrial base and critical infrastructure.”
Jason Healey, founding director of Atlantic Council Statecraft Initiative and senior research scholar in cyber conflict and risk at Columbia University, agreed that a crisis would be something more significant than the kinds of major breaches and attacks that occur dozens to hundreds of times every year.
“The scenarios I’m concerned about are a North Korean cyber-tantrum, to go alongside their missile and nuclear testing tantrums; China, Iran or, less probably, Russia getting impatient with broken deals and lashing out, though this seems like it will take more than 70 days to unfold; and random cyber attacks not tied to geopolitical events, such as a major worm or criminal DDoS,” he said.
Any of those things are possible, which raises some obvious questions: Is the Trump administration prepared for them? Can any president be prepared for a cyber crisis of that magnitude, not just within the first 100 days but for an entire presidency?
There was general agreement among experts that Clinton likely would have been better prepared, in significant measure because there would have been more continuity of staffing between the outgoing Obama administration and hers.
Healey said the Clinton team, “had dozens of prepared policy memos to deal with these issues, and a huge bench to fill key positions at the White House, DHS, DoD, State, Commerce, and intelligence.”
He said he also thought there would be less risk of a major crisis since, “she would have been less willing to poke other nations in ways that would lead them to want to retaliate with cyber attacks.”
But they also agree that no administration has yet been truly prepared for a cyber crisis. Carr and others said the risk goes well beyond who is the president. “We aren’t vulnerable to a cyber crisis because of any one president,” he said. “The problem lies with private industry, which owns 90% of critical infrastructure in the areas I mentioned.
“So neither Trump nor Obama nor any other president could stop it from happening.”
Stiennon agreed, although for different reasons. He said while the Obama administration put significant emphasis on cybersecurity with policies and executive orders, “no concrete action has been taken to reduce susceptibility to cyber-attacks.
“Though assessments have been done, risks calculated and even a new CISO hired, the hard tasks of beefing up authentication and authorization and locking down systems are still ahead of us,” he said.
And, as has been widely reported, while there have been two draft executive orders (EO) from the Trump administration on cybersecurity, the president hasn’t signed one yet.
Harnish also said it doesn’t matter who is president – the government is unprepared. “Not because our technology is inadequate, but because our people are,” he said. “If you think cybersecurity risks come down to anything but people, you're wrong. There are no exceptions.”
While all of this sounds ominous, experts say the new administration is not helpless – there are things it can do, both to lower the risk and to respond effectively to attacks.
Simberkoff said government, like any organization, should assume it has already been breached. “That way, you can have your response plan and communication strategy ready to roll out on a moment’s notice,” she said. “Crisis is as much about perception as it is about reality. Having a very clear plan in place to prepare for a breach is critical.”
Harnish agreed. “Prevention is a failed concept – there is no way to avoid or prevent all cybercrime. The key is knowing when it happens and being adequately prepared to minimize its impact. This requires having an effective incident response plan, highly trained responders and a culture of security.”
But that, he said, requires, “very hard work. And it seems that human beings aren't too interested in really hard work these days.”
Carr said the administration could start by, “putting funding into building resilient, independent systems so that if one system goes down, another can take over. Then offer incentives for private industry to build them.”
Stiennon said he had some hopes, from Trump’s original leaked draft EO on cybersecurity, “that the administration had grasped the importance of assigning responsibility at the cabinet level. Nothing gets done in cybersecurity unless there is someone whose job depends on it,” he said.