The Trump administration’s approach to cybersecurity has generated plenty of eyebrow-raising headlines. Plot twists, such as DOGE-driven layoffs that left the Cybersecurity and Infrastructure Security Agency (CISA) reeling, egregious security mistakes by DOGE staffers and even Cabinet-level appointees, and President Trump’s punishments of CISA’s previous directors, Chris Krebs and Jen Easterly, have combined to leave information-security experts anxious and angry.
At a security policy conference in Washington last week, Trump’s senior cyber advisor tried to make news in a different way, outlining a policy agenda that starts with making attackers pay.
“We are striving as an administration to make sure that there is a single coordinated strategy in this domain in a way that hasn’t happened before,” National Cyber Director Sean Cairncross said in a panel at the Aspen Cyber Summit. “As a top-line matter, it is going to be focused on shaping adversary behavior.”
Cairncross, confirmed by the Senate in August, suggested that past administrations had neglected that angle. “We have not done a good job of sending signals to our adversaries that this behavior is not consequence-free,” he told his onstage interviewer, Kevin Mandia, a partner with security-focused VC firm Ballistic Ventures. “We need to make that statement clear.”
Mandia, who earlier founded the security firm Mandiant that Google bought in 2022, pointed out one prerequisite: “First, we’ve gotta get attribution right.”
Their conversation did not surface specific consequences that might follow a correct attribution of a cyberattack. “Is it possible to raise costs in a way that maybe make people want to find something more productive to do with their day?” Cairncross asked.
Mandia suggested the desired end state for an attacker: “No travel, no money, no fun.”
(That would seem to take drone strikes off the table, but other cybersecurity advocates have leaned in that direction. At a Center for Cybersecurity Policy and Law event in Washington in August, Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies, asked whether it was time to explore “a physical response to a cyber incident” instead of sticking with what he called “sanctions and other bullshit.”)
Cairncross advertised a six-pillar cybersecurity strategy coming from the White House but didn’t list all six, instead citing such policy priorities as “a workforce initiative” to bring more people into the field, “streamlining the regulatory environment” based on input from private industry, and expediting federal IT procurement processes.
The emphasis on offense would mark a major shift from cybersecurity policy under the Biden administration. That White House emphasized persuading and pushing tech firms to build more secure products and systems via such incentives as federal IT-contracting rules, an investigatory board modeled after the National Transportation Safety Board, voluntary security labels for connected-home gadgets, and a Secure by Design initiative run by CISA.
‘The Federal Cavalry Is Not Coming’
The other speakers at the Aspen Institute event agreed that cybersecurity amounts to exceedingly unfinished business. “We’re responding to victims every day,” Sandra Joyce, VP of Google Threat Intelligence, said in another panel. “People feel very outmatched.”
But they also pointed to decisions made by the Trump administration that have made the problem worse. A panel about state and local cybersecurity responses focused on recent federal cuts to state partnership programs.
“We are feeling it intensely,” griped Paula Starr, CIO for the Cherokee Nation. She observed that in one case, the tribal government only had three days’ notice before one program was yanked.
“The federal cavalry is not coming,” warned James “TJ” White, chief of Texas’s Cyber Command.
CISA in particular now has fewer people working this problem, as Fox News national-security correspondent Jennifer Griffin noted in an onstage interview with retired General Paul Nakasone, former head of US Cyber Command, when she asked him whether he was concerned that 40% of CISA’s positions were unfilled.
Nakasone, now director of the Vanderbilt Institute of National Security, answered affirmatively. Asked if US adversaries fear us, he replied: “I think they don’t fear us as much as they need to.”
‘We Need the US in the Region’
Representatives of some of America’s friends, meanwhile, sounded a little neglected in the day’s penultimate panel.
David Koh, chief executive of Singapore’s Cyber Security Agency, criticized the scant US presence at a major cybersecurity conference that had taken place the previous week there.
“Almost no one from the US administration came to the Singapore International Cyber Week,” he said. “Other people are showing up, and they are painting their narrative.”
That’s “other people” as in “China.” And while Koh’s implicit plug for a conference in his city-state may be self-serving, he has plenty of company in noting CISA’s newfound absence from policy discussions outside the US, yet another consequence of budget cuts at that agency.
Koh also observed that Cairncross was the sole Trump-administration appointee to speak at this event: “If you’re not here even to interact with your own community, it is a challenge.”
Brendan Dowling, deputy secretary for critical infrastructure and national resilience in Australia’s Department of Home Affairs, put in his own plug for continued US outreach: “We need the US in the region.”
One security expert who attended the conference offered a subsequent endorsement of Cairncross’s emphasis on responding forcefully to attacks—paired with a warning about the work needed to make the threat of consequences realistic to attackers overseas.
“Consequences need to exceed rewards for operators to change behavior,” wrote Rob T. Lee, chief AI officer and chief of research at the SANS Institute, in an email two days after the event.
But the US can’t carry out a strategy to close “the response gap” between its reactions to physical and cyber attacks by itself.
“Executing it requires bilateral extradition agreements, real-time financial interdiction, and countries willing to arrest operators on their soil,” he wrote. “Here’s the trade-off nobody talks about—getting partner countries to extradite cyber criminals to us means they get the same rights to extradite people from us.”
Lee advised watching the government for visible moves toward stronger international cooperation over the next six months, such as new extradition frameworks. “Those signal whether this has diplomatic backing and budget or remains another round of correct principles with no execution plan.”
He didn’t offer odds on this administration following his advice.
About Our Expert
Rob Pegoraro writes about interesting problems and possibilities in computers, gadgets, apps, services, telecom, and other things that beep or blink. He’s covered such developments as the evolution of the cell phone from 1G to 5G, the fall and rise of Apple, Google’s growth from obscure Yahoo rival to verb status, and the transformation of social media from CompuServe forums to Facebook’s billions of users. Pegoraro has met most of the founders of the internet and once received a single-word email reply from Steve Jobs.