When turning around a ship of this size, there's going to be a long moment where you make neither forward nor backward progress...
I wanted to provide a counter-tale to the Paul Rosenzweig piece in Lawfare last week. We can sum it up with this quote:
"Trump’s efforts in cybersecurity have not been terribly impressive. He has made some modest policy improvements and begun putting together a good team—but not much more."
But in fact I think it is a mistake to say that doing nothing is not progress and all the areas where I have been directly involved have been massive improvements on that front. In particular:
The VEP process was a bad idea that was about to be codified into law. Instead, it has been shaped by a team that understands the real equities and supply chain issues involved, to try to make it work strategically as opposed to being driven by an unrealistic ideology. The message previously was "We don't understand why we even need this line of the modern SIGINT business." That leads to massive brain drain and strategic failure. Now: exactly the opposite message, even though the policy has not changed a lot, as Paul mentions in his article.
A similar thing is true for the export control area. The idea that you have to cut two regulations to add any one regulation is a silly one. But it works. Previously there literally was no concept of reducing the regulatory burden from things like export control, one of the most spaghetti codes on our lawbooks, and one that applies equally to all American businesses, big and small. If we had a Democratic administration I have no doubt that we would have implemented the Wassenaar Arrangement's broken cyber tools controls without even bothering to change them - or more importantly, without examining WHY they were broken in the first place.
Needless to say, the fact that the EU and the US are going in very different directions on cyber regulations is not something we can just paper over, but without some of the sillier rules in place, and a savvy and business-friendly appointment at Commerce, we wouldn't have situational awareness of our policy gaps going into the near future (AI, Quantum, etc.).
To sum up: America's cyber policy overall has been moving towards something more data-based and realistic, as opposed to something purely aspirational. While yes, as Paul and many people have noted, we don't have a Universal Theory or a detailed national strategy for dealing with many of our currently known systemic threats, we are at least demonstrating that we can change our policy based on evidence, which is a good first step.
P.S. I also think the Kaspersky thing is a sign of progress, but it is hard to detangle that argument here. :)