National Infrastructure Advisory Council (NIAC) Contains No Recognizable Cybersecurity Luminaries
In August, eight out of 28 members of President Trump’s National Infrastructure Advisory Council (NIAC) resigned — seven en masse on the day before publication of the council’s draft report ‘Addressing Urgent Cyber Threats to Critical Infrastructure’, and an eighth at the end of the same week. These resignations raise an important question: what do the president’s own advisors think of his approach to the security of America’s critical infrastructure?
A resignation letter from the former NIAC members gives some clues: “Your actions have threatened the security of the homeland I took an oath to protect… You have given insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend, including those impacting the systems supporting our democratic election process.”
The draft report, published the following day but clearly not endorsed by the resignees, provides further clues. Sqrrl director Matt Zanderigo had two major issues with it. First, the majority of the recommendations are not new; second, the recommendations are voluntary. Most security experts do not believe that voluntary proposals work — they need to be enforced. Business leaders, however, tend to like proposals to be voluntary because they can be implemented, or not, with the minimum disruption to the business.
It is noticeable that the vast majority of the remaining members of the council are business leaders (many of them former business leaders). While the president’s former Strategic and Policy Forum (a business advisory panel) included business luminaries such as Elon Musk and Disney’s Robert Iger, and CEOs from JPMorgan Chase, Merck, Uber, Intel, and the Blackstone Group (all of whom resigned), NIAC contains no such immediately recognizable cybersecurity luminaries.
The question, then, is does President Trump actually understand cybersecurity issues, and is he serious about tackling them?
Opinions among security practitioners vary. Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, wonders if it is ever possible to do enough to please everyone. “I think it’s fair to say that no one country, company or industry can or will ever do ‘enough’ to protect against cyberattacks,” she told SecurityWeek. “Just as there is no such thing as perfect security, there will never be a strong enough cyber defense to withstand all potential attackers.”
“Let’s be clear,” says Chris Roberts, chief security architect at Acalvio. “The resignations were not just about the state of critical infrastructure security. They were in response to a number of issues and were probably partially motivated by the fact a lot of people are assessing the impact of being with President Trump vs. sitting on the sidelines watching this whole mess unfold.”
But he doesn’t think that’s the whole answer. “There is a huge concern in the community (both the NIAC and Energy/Natural Resource Committee to name a couple) have called into question the awareness and level of attentiveness demonstrated by the current administration when it comes to all things technical.”
The concern seems to be, not that the administration is incapable of doing things — Trump signed a new cybersecurity executive order in May, and raised USCYBERCOM to the status of a unified combatant command last month — but that it fails to adequately follow up on them. “Signing something and then paying attention to it afterwards seem to be two very separate things. A lot of criticism has been leveled at him based on his lack of response on multiple occasions with regards to actually doing anything when it comes to securing our infrastructure, sorting out who did vote for him and other issues.”
Andrew McDonnell, president at AsTech, has a similar view. For him, the problem is the very nature of NIAC. “From an information security perspective,” he told SecurityWeek, “the federal government is continuing its track record of assigning accountability to leadership positions and groups without granting authority or leveling consequences to drive meaningful progress. While supporting decisive action is by no means trivial, it is an essential next step to clearly identifying and mitigating vulnerabilities that — if exploited — could lead to massive material harm.”
The problem with NIAC and the administration is less that it doesn’t know what to do — nearly everybody associated with cybersecurity knows what needs to be done — it is that it simply isn’t providing the means to make sure that it gets done. At the same time, this lack of action from the administration must not be taken as an excuse for a lack of action among practitioners.
“Let’s face it,” says Roberts: “the boss is not paying attention, so we can either sit and complain about it all day or we can just get our heads down and fix things. That seems to be the problem. We want someone to tell us what to do, but we know what needs to happen and we know that defaults, passwords, segmentation and a host of other things have to be done. So why the hell don’t we just bloody fix it and let the boss wander around doing nothing, as normal? We know what has/should be done to get things fixed so why are we waiting for someone to tell us what needs to happen? Oh, someone has to force us to collaborate? That’s bullshit. Someone has to force us to prioritize? Again, BS. We know what needs to be done… just do it.”