A Security Failure in the White House

We all remember the conclusions of the January 2017 Office of the Director of National Intelligence (ODNI) report:

Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election. Russia's goals were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency …. Moscow’s influence campaign followed a Russian messaging strategy that blends covert intelligence operations such as cyber activity with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or “trolls” …. Russia’s intelligence services conducted cyber operations against targets associated with the 2016 U.S. presidential election, including targets associated with both major US political parties[.]

At the time, ODNI predicted similar Russian efforts in the future. That prediction has come to pass: The FBI has reported Russian efforts against the 2020 elections. Nor are they the only ones taking aim at U.S. elections. Facebook recently found evidence of Iranian operations against the Trump campaign.

One would think that the White House would take the threat of state-sponsored cyberattacks seriously. After all, the White House is a political target and a breach of its communication networks could create all sorts of havoc, including election interference. The last presidency certainly took securing White House communication networks seriously. In 2014, after a breach of the White House network, the Obama administration created the Office of the Chief Information Security Officer, whose role was to anticipate and protect against communications security threats. But the Trump administration’s response to the current set of security threats has been to abolish that office.

Dmitrious Vastakis, chief of the White House computer network defense, resigned recently. In his letter, he reported that staff in the Office of the Chief Information Security Officer faced a “revocation of incentives, reduc[tion] in scope of duties, redu[ced] access to programs, revok[ed] access to buildings, and revok[ed] positions with strategic and decision making authorities” before the administration entirely folded the office’s work into the White House Office of the Chief Information Officer in July. Vastakis says that’s where “business operations and quality of service takes precedence over securing the President’s network.”

The situation has only grown worse since then. According to Vastakis, now the administration appears to be chasing out remaining senior government employees from the security mission. The plan appears to be to transfer the communications security effort to the White House Communications Agency, the agency charged with providing communications support for the president and his staff. That office’s role is to enable the president, vice president, first lady and Cabinet members to communicate anytime, anywhere. It’s about running secure wires and the like, and that role is very different from the focus of the chief information security officer, whose job was to anticipate and protect against new threats and challenges.

In this presidency, convenience tops security. The president has persisted in using insecure cellphones despite being warned the Russians are listening in. The Israeli government is suspected of having put in StingRays—surveillance devices that mimic cell towers—within range of the White House, but the president continued to use phones that lacked appropriate security protections.

It seems that the Trump administration’s response to foreign threats against his communications has been unilateral disarmament. But go read Vastakis’s resignation letter—and his warnings of security risks—for yourself.

There’s another concern here. The United States faces ongoing and extreme cybersecurity threats. Our cyber-fighting doctrine is evolving to “persistent engagement” and “defending forward” (letting the enemy know we’re in their networks). Not all the kinks of how to operate with such aggressive tactics—although not more aggressive than those of our adversaries—have been worked out. But it doesn’t take a military expert to know that disarming White House communications doesn’t fit within an effective cyber-defense strategy.

Congress can’t prevent the president from using insecure communications channels. But Congress can—and must—ensure that the administration’s efforts at creating such insecurity are kept limited to the White House, especially in advance of the 2020 election. For example, ensuring that the intelligence community has the ability to surveil and counter our adversaries’ efforts to attack U.S. elections during the coming year is crucial to the health of our democracy. It is critical that the White House disease of cyber-insecurity doesn’t spread any further.