President-elect Donald Trump has repeatedly questioned whether critical computer networks can ever be protected from intruders, alarming cybersecurity experts who say his comments could upend more than a decade of national cybersecurity policy and put both government and private data at risk.
Asked late Saturday about Russian hacking allegations and his cybersecurity plans, Trump told reporters that “no computer is safe” and that, for intelligence officials, “hacking is a very hard thing to prove.”
“You want something to really go without detection, write it out and have it sent by courier,” he said as he entered a New Year’s Eve party at Mar-a-Lago, his Florida resort.
Since President George W. Bush moved to develop a comprehensive national cybersecurity policy after the attacks of Sept. 11, 2001, the federal government has made a top priority of preserving the integrity of the public- and private-sector computer networks that enable modern commerce and society.
Trump delivered a campaign address in October that deemed cybersecurity “a major priority for both the government and the private sector” and said that cyberattacks from both state and non-state actors “constitute one of our most critical national security concerns.”
But the U.S. intelligence community’s determination that Russia engaged in a state-sponsored hacking effort aimed at electing Trump has prompted the president-elect to openly question the reliability of that assessment while simultaneously taking aim at the broader notion of cybersecurity.
Michael Sulmeyer, a former Defense Department policy adviser who directs the cybersecurity project for the Harvard Kennedy School of Government, referred to one of Trump’s earliest efforts — during a presidential debate in September — to cast doubt on allegations of Russian interference on his behalf.
“This is not some issue about a 400-pound hacker in a bedroom who might be mischievous,” Sulmeyer said. “These are real threats to our country, and the concerning part for me is to see how this issue has become politicized and made partisan.”
Although some Republicans have pushed for a sharper response to the Russian hacking — notably Sens. John McCain (Ariz.) and Lindsey O. Graham (S.C.) — many others have joined Trump in playing down the intense coverage and debate.
“Russia spying on the U.S. is not news,” said Rep. Devin Nunes (R-Calif.), the chairman of the House Intelligence Committee and a top Trump ally. “It’s what they do. A lot is being made about something that’s already known. To all the people acting shocked, it’s as if they’re shocked there is gambling going on in a casino.”
Transition spokesman Sean Spicer, slated to become White House communications director upon Trump’s inauguration, said Sunday that intelligence officials will brief Trump this week on the election-related hacking.
He suggested on ABC’s “This Week” that the retaliatory sanctions President Obama imposed against Russia last week — which included the expulsion of 35 suspected intelligence agents — may not have been justified.
“The question is, is that response in proportion to the actions taken?” Spicer said. “Maybe it was, maybe it wasn’t, but you have to think about that.”
Spicer compared the Obama administration’s sharp response to the recent Russian hacking with its reaction to last year’s revelation that hackers linked to the Chinese government stole the personal data of millions of federal employees.
“Not one thing happened,” he said. “So there is a question about whether there’s a political retribution here versus a diplomatic response.”
Rep. Adam B. Schiff (Calif.), the top Democrat on the House Intelligence Committee, drew a sharp distinction between the two cases and called on Trump “to stop denigrating the intelligence community.”
“They didn’t just steal data; they weaponized it,” he said of Russia, also on the ABC program. “They dumped it during an election with the specific intent of influencing the outcomes of that election and sowing discord in the United States. That is not something China has ever done.”
Ari Schwartz, who served as the top cybersecurity adviser on the National Security Council in 2015, said in an interview that Spicer misjudged the Obama administration’s response to the employee data hack. Private talks with the Chinese government, he said, resulted in a demonstrable decline in state-sponsored hacking.
“We came up with ways of dealing with them and working with them,” Schwartz said. “It proves that the sanctions work. Even the threat of the sanctions have changed Chinese behavior.
Trump’s recent comments, Schwartz said, point to a possible recalibration of cybersecurity policy — one that could shift the careful balance of innovation and security embraced by both Bush and Obama.
“We’re not going back to the world of couriers and letter-writing; we’re going to continue to do things online,” he said. “There are ways to do it where you can manage risk, and that’s really what the goal should be here — to get to the point where we can have the efficiencies and the benefits and still be secure.”
What remains unclear is to what degree Trump’s views on cybersecurity will remain filtered through the prism of the Russian hacking affair.
In his October campaign speech, he pledged to undertake a comprehensive review of national cybersecurity systems, create law enforcement task forces to combat cybercriminals and strengthen the military’s Cyber Command. In a sign that he plans to follow through on those plans, last week he chose Thomas P. Bossert, a Bush administration official who played a central role in cybersecurity planning, as his top White House assistant for homeland security and counterterrorism.
On the Russian hacking, Trump said Saturday that he knows “things that other people don’t know, and so they cannot be sure of the situation.” Asked what he was referring to, he said, “You’ll find out on Tuesday or Wednesday” — an apparent reference to his upcoming intelligence briefings.
As long as Trump openly doubts the intelligence community’s ability to accurately assign responsibility for cyberattacks, he could find it difficult to identify, fend off and retaliate against cyberattackers. He has publicly compared the intelligence community’s Russian hacking assessment to its erroneous determination that Iraqi leader Saddam Hussein was stockpiling weapons of mass destruction — a comparison Spicer repeated Sunday.
Said Sulmeyer: “If they don’t want to make a full-fledged apology or correction about Russian hacking, okay, but at some point, they’re going to have to come out and explain their understanding of the threat and what they want to do about it. If we see that soon, I think that’s a good sign. If that slips, I think that will be an indicator that they are not prioritizing it and they are leaving the American people at greater risk.”