Cyber Security

I have to admit that when President-elect Trump uttered “the cyber” during the first presidential debate, I was right there with the tech community in the collective eye-rolling that followed. “The Cyber” memes were born, along with real concern about the candidate’s grasp on cyber security, and with the recent announcement of former New York City Mayor Rudy Giuliani as the cyber czar, those concerns multiplied.

The seeming “misunderestimation,” or possibly anti-comprehension, regarding something so crucial to national security may not on the surface seem like a consumer issue, but it is.

Our nation’s approach to cyber security at this juncture — beset by hostile state-sponsored attacks on our electoral process, expertise and secret information grabs from major industries and the federal government, and ransomware attacks — is a matter of the utmost urgency, and the President-elect has said as much to his credit.

But Mr. Trump’s response can’t be just a marketing move or a branding opportunity — things he gets. There must not be merely the appearance of change — commissions talking and debating endlessly with little to show for it. There must be actual boots-on-the-ground solutions — now. Unfortunately, I don’t think that’s what will happen.

The Consumer Financial Protection Bureau specifically comes to mind — our nation’s most successful boots-on-the-ground agency — if Mr. Trump does as many are predicting he will do, and makes it yet another piece of President Obama’s dismantled legacy.

The CFPB was an important accomplishment of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. The agency is charged with protecting consumers from the predatory financial practices that brought about the economic meltdown of 2007 to 2008, and to watch out for signs of future trouble. The CFPB has the power to ban financial products deemed “deceptive, unfair or abusive” and to impose penalties on companies that take advantage of consumers.

Barring a judicial miracle, the current CFPB director Richard Cordray is almost certainly going to receive one of Mr. Trump’s signature “You’re Fired” communiqués. (Interesting side note, our President-elect doesn’t own that trademark.) Worse, an anti-CFPB former Texas Congressman, Randy Neugebauer, appears to be the leading candidate to get the job.

Among other things, the Distinguished Gentleman from Texas thinks payday lenders are too roughly treated by the CFPB and that all business contracts should contain mandatory arbitration clauses (barring class action suits). He also thinks that the CFPB should be headed not by a single director, but by a commission of people from both sides of the aisle. Those of us who support the CFPB believe that this would diminish the agency’s ability to go after dangerous practices that harm consumers in a timely and effective way.

The Trump transition team did not respond to a request for comment regarding its plans for the CFPB and/or Cordray.

This Is About Appointing the Right People

It was reported last week that the cyber security czar role in the Trump administration will fall to the President-elect’s close associate and campaign stalwart, former New York City Mayor Rudy Giuliani.

There is a connection here between what appears to be afoot at the CFPB and the next administration’s approach to cyber security — both represent bad decisions based on a basic incomprehension of what is at stake and what needs to happen next. The CFPB works, specifically the single-director approach. Instead of hiring an opponent of the agency to presumably dismantle it, we should be using it as a model to create a single-director federal agency that emulates the CFPB to oversee cyber security.

As it stands, Mr. Giuliani will be bringing together experts working on cyber security solutions and business leaders who are targeted by hackers from the energy, financial and transportation sectors. The next step that is missing here is a government agency that can fine entities that do not meet the threshold for cyber security best practices — mandated employee education, maintaining technology and tools, hiring experts — practices that the agency would determine and set as a standard.

In a recent interview, Mr. Giuliani said of the President-elect, “He’s going to elevate this to a very large priority for the government — and I think by doing this, he’s trying to elevate this as a priority for the private sector.”

As the Christian Science Monitor’s Passcode noted, quoting the former NYC mayor, the idea here is pretty simple: Trump will go straight to the public to “educate people on how important [cybersecurity] is, even to the point of their own personal protection.”

That is a fantastic idea that everyone should applaud. Whether the user is in the Pentagon or logging onto a free Wi-Fi network, our cyber security too often comes down to an individual clicking or not clicking on a malware-laden link or falling prey to some other security pratfall.

That said, any agency dedicated to cyber security would need to work closely with the military and intelligence communities, and would also have to focus its resources on real solutions to the dangers we face, many of them extinction-level threats. The person running it would have to be at the cutting edge of cyber security best practices.

When the news came down of Mr. Giuliani’s cyber czar role, experts almost immediately hit Twitter with reasons this was a bad idea. (Mr. Trump’s transition team also didn’t respond to a request for comment regarding this choice. Giuliani was not readily available for comment either.) As happens, the cyber security community took a look at the website of Giuliani’s cyber security company, giulianisecurity.com. They found serious problems, including an expired SSL certificate, no HTTPS and an exposed CMS login, to name a few. You don’t need to know what these things are, but the cyber czar sure does. There can be no “oops” in his or her record.