Trump

It’s no secret that conservatives, who will soon control all three branches of the U.S. government with the election of President Trump, are more liable to give more power and deference to law enforcement. Perhaps the strongest influence is the likely appointment of one to three conservative Supreme Court justices.

What does that mean for computer security? What are the good and the bad possible outcomes?

[ An InfoWorld exclusive: Go inside a security operations center. | President Trump: An uncertain future for tech industry, digital rights. | Discover how to secure your systems with InfoWorld’s Security Report newsletter. ]

Increased privacy concerns

In general, most governments and their law enforcement agencies would like the ability to invade citizens’ privacy whenever they feel it would benefit their investigations. At the same time, businesses and marketers want as much insight into their potential customers’ lives to better sell goods and services.

Neither impulse necessarily derives from evil intent. Anyone performing any job wants the tools and access to make their jobs easier. But this natural need should be balanced by citizen privacy protections, codified in law, to make these intrusions justifiable, legal, and minimal. Most countries struggle to find the right balance.

In the United States, hundreds of acts and laws govern privacy. Some of the notable ones:

  • The Privacy Act of 1974
  • The Patriot Act and its successors
  • The Freedom of Information Act

Any law or guidance that affects the operations and activities of the National Security Agency, Federal Bureau of Investigation, or Central Intelligence Agency impacts American and foreign citizens around the world.

We already have red light cameras, public CCTV, automated license plate readers, and toll booth sensors that collect information about our vehicles and our travel. Much of that information is intended to be stored in perpetuity. Dozens of “fusion centers” aggregate information about everything from book-buying habits to childcare choices. Many law enforcement agencies don’t need warrants to use cellphone tracking technology such as Stingray. Moreover, you can be compelled by a court to provide your cellphone’s PIN, even if it leads to self-incrimination.

The recent political shift is likely to encourage even less privacy, with expanded government and business invasions. One ray of hope: A small contingent of libertarians want to protect or even broaden citizen privacy. These libertarians made themselves known after recent leaks involving the CIA and NSA. The resulting public uproar resulted in a few positive changes to the extension of the Patriot Act. Unfortunately, those gains were modest and short-lived.

Impact on government security

Few people think the election of a new president will improve the security of government computers, which remains in a lamentable state. That said, the U.S. government has some impact on security through guidelines and recommendations.

The top two issuers of these directives are the Defense Information Systems Agency, which is directly responsible for protecting our government’s information security assets, and the National Institute for Standard and Technology, which publishes the United States Government Configuration Baseline. The Baseline mandates computer security configurations across many government agencies. Both agencies’ computer security initiatives, as flawed as they may be, have had significant impact on securing government agency computers.

The trend over the years has been for these guidelines to be even more inclusive in providing a solid set of computer security recommendations. Implementing them does reduce risk. In fact, many of the people charged with implementing them will tell you they go too far and break too many applications—a good complaint to hear when you’re a computer security pro! Plus, the Defense Information Systems Agency is looking at implementing strict application control (that is, whitelisting) on managed computers, which should significantly complicate hackers’ plans.

Increasing the security of government computers was already a top priority. I don’t expect the new administration to try and remove those “troublesome regulations.”

Mandated security defenses for business

Some wonder if private businesses will be mandated to be more secure. Since incoming President Trump and other conservatives ran on a platform of fewer government regulations, it’s unlikely we’ll see new computer security defenses mandated for private businesses. I see a risk, though, that some of what’s already out there may be weakened or removed.

Will that make a difference either way? We already have sweeping regulations and guidelines, such as the Payment Card Industry’s Data Security Standard for credit cards, the Health Insurance Portability and Accountability Act, and the NIST Cybersecurity Framework, which attempts to cover, recommend, and enforce basic computer security best practices. Would another new law really help?

Barring an unforeseen, cataclysmic computer security attack against multiple businesses or our financial system, I don’t think new laws mandating additional computer security for businesses will be passed anytime soon.

Punishment for hackers

Trump campaigned as the “law and order” candidate, so I expect law enforcement to be better funded and sentences for breaking the law to be intensified. Law enforcement will probably be enabled with more ways to catch and identify hackers and those able to be brought to American justice will likely face longer and more severe sentences.

I, of course, support these measures. Unfortunately, all administrations learn how hard it is to catch and prosecute hackers, especially when they are located in unreachable areas. On a related note, I don’t think the new administration will be any more successful in trying to put down all the Russian ransomware campaigns.

Funding for STEM and immigration

The U.S. federal government has been increasing funds for STEM (science, technology, engineering, and math) for a long time now. Whether that continues at current levels is anyone’s guess.

It’s important to note, however, that the United States' own STEM colleges have a disproportionate number of students born of recent immigrants. No American who won a Nobel Prize in science or economics this year was originally born here. Because Trump ran on an anti-immigrant platform, many scholars may opt to study and gain citizenship in countries other than the United States.

Lastly, the new administration has run on the idea of giving states more control over their public education systems. While this can be good for a number of reasons, it could potentially mean further uneven promotion and preparedness for STEM careers in some states versus others. Plus, it could directly mean less federal STEM funding in general to the states that continue to aggressively pursue it.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.


InfoWorld Security Adviser

It has been an odd day for Newsweek – its main site was taken offline after it published a story claiming a company owned by Republican presidential candidate Donald Trump broke an embargo against doing deals with Cuba.

The magazine first thought that the sheer volume of interest in its scoop was the cause for the outage, but quickly realized that something more sinister was afoot.

The site was being bombarded by junk traffic from servers all around the world, but the majority came from Russia, the editor in chief Jim Impoco has now said.

"Last night we were on the receiving end of what our IT chief called a 'massive' DoS [denial of service] attack," he told Talking Points Memo.

"As with any DDoS [distributed DoS] attack, there are lots of IP addresses, but the main ones are Russian, though that in itself does not prove anything. We are still investigating."

The story, written by staffer Kurt Eichenwald, detailed how former employees of Trump Hotels had arranged a visit to Cuba in 1998 to explore the possibility of joint ventures with the communist regime. A consultancy company called Seven Arrows made the visit, and the funds to pay for the trip were then allegedly hidden as a charitable expense.

Shortly after the story was published, traffic on the site started to rise – as you'd expect in a presidential season with serious allegations being made. But the traffic count continued to rise and eventually brought the site down.

As with any DDoS attack, finding the culprit is nearly impossible. But it appears that the article has pissed off a lot of people who control many Russian servers. ®

Sponsored: Flash storage buyer's guide


The Register - Security

Trump hotel chain fined over data breachesA chip-enabled credit card, inserted into a store's reader. Credit: Zach Miners

Trump Hotel Collection has arrived at a settlement with New York Attorney General Eric T. Schneiderman over hacks that are said to have led to the exposure of over 70,000 credit card numbers and other personal data.

The hotel chain, one of the businesses of Republican presidential candidate Donald Trump, has agreed to pay $ 50,000 in penalties and promised to take measures to beef up its data security practices, according to the attorney general’s office.

[ Make threat intelligence meaningful: A 4-point plan. | Discover how to secure your systems with InfoWorld's Security newsletter. ]

The chain is one of many hotels and retailers that have been hit recently by malware that skimmed payment card information.

The key charges apparently against Trump Hotel Collection (THC) are that it didn’t have adequate protection and even after the attacks became known, did not quickly inform the people affected, in breach of New York law.

"It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law," Schneiderman said in a statement Friday.

In May 2015, banks analyzed fraudulent credit card transactions and figured that THC was the last merchant where a legitimate transaction had been made using the cards, suggesting that the hotel chain had been targeted in a cyberattack that resulted in the compromise of credit card information.

Further investigations found that a person with access to legitimate domain administrator credentials had infiltrated the chain's payment processing system in May 2014 and planted malware for stealing credit card information, which was noticed in computer networks at multiple locations, including its New York, Las Vegas and Chicago hotels, according to the statement by the attorney general’s office.

THC could not be immediately reached for comment. Safeguarding customer data is a top priority for the company, a THC spokeswoman
InfoWorld Security