Private sector and former Homeland Security aides say the Trump administration’s intense focus on immigration and border security has come at a cost to national cybersecurity as officials worry about a massive attack from Iran.
“DHS has essentially become the Department of Immigration and Border Security rather than Homeland Security,” said David Lapan, who was press secretary at the Department of Homeland Security at the start of the Trump administration.
“The challenge is the commander in chief — the president — is so focused on one particular element of the Homeland Security mission. That shows priorities. Cybersecurity and aviation security and other things get a lower level of priority,” said Lapan, who joined the Washington-based Bipartisan Policy Center in late 2017. He pointed to one instance last April when Secretary Kirstjen Nielsen, whose background was in cyber and aviation security, had been in Europe discussing cybersecurity with global leaders and was called back to the United States for a California border tour with Trump.
“The department has definitely lost its focus and influence,” a second former senior official at DHS, who helped lay out its cyber goals, wrote in an email.
Adam Levin, the founder of data protection group CyberScout, lamented that the White House has used $11 billion in DHS and Pentagon money since 2017 to fund border fence construction projects along the U.S.-Mexico border, even as the nation’s borderless digital barriers are frequently hacked.
“Cyber people have been saying for years that not enough focus has been dedicated to defensive cybersecurity,” said Levin. “You’re not going to protect critical infrastructure — you’re not going to protect ordinary Americans in the United States by simply having a wall.”
The White House requested $17.4 billion for government cybersecurity operations in fiscal 2020. Research firm Gartner Inc. estimated the U.S. cybersecurity industry spent $124 billion in fiscal 2019. The average data breach costs a company $3.6 million, according to cybersecurity company Forcepoint.
[Also read: Endless array of targets: The terrifying possibilities for an Iranian cyberattack]
In 2013, the Obama administration said it would not attempt to police the internet as it relates to hacking and security. However, it began moving on ways to help the private sector, including the banking, retail, energy, and healthcare industries, and to focus on best practices regarding cyberattacks.
Over the past three years, the Trump administration has not tried to improve election security dramatically, Levin said.
“Think about the mixed messaging that’s been coming out of the White House. Anything to do with cybersecurity that in any way could relate to an election is immediately dismissed. Their cyber adviser was fired,” Levin said, referring to former national security adviser John Bolton’s liquidation of the cybersecurity position in mid-2018.
The Cybersecurity and Infrastructure Security Agency was created several years ago within the DHS and was meant to take the lead over all other federal agencies and departments.
“I think CISA and Chris Krebs and his organization are doing what they can, but, again, you don’t hear the president talking about cybersecurity,” Lapan said. “You don’t hear him talking about much of the DHS mission except border security and immigration.”
The Trump administration has instead focused on DHS agencies responsible for enforcing federal laws at border checkpoints. The southern border was where 99% of illegal crossings, including asylum-seekers, gained entry into the country in fiscal 2019.
In 2018, the DHS announced the creation of the National Risk Management Center, a new office within the department that would thwart cyberattacks from foreign adversaries. Nielsen said the move showed the Trump administration was taking outside cyber threats seriously and that it was trying to protect — without overstepping its bounds — nongovernment entities by calling on the private sector to partner with the DHS.
James Norton, a former DHS appointee who now runs a strategic consulting firm in Washington, said there is general training on cyber issues across the government, but smaller agencies, as well as state and local governments, do not have the financial means or the ability to safeguard themselves to the extent big corporations or the large agencies can.
The DHS did not respond to a request for comment.
