The apocryphal joke is rather crude: “Other than that Mrs. Lincoln, how was the play?”
And yet I was reminded of it when reflecting on the first year of the Trump presidency because to separately evaluate conventional benchmarks apart from the extreme transgressions of decency is as impossible a task as asking Mrs. Lincoln to assess the play independent of the assassination. The transgressive nature of the Trump era—replete with narcissism, racism, anti-Semitism and what-about-ism—is amplified by Trump’s wholesale assault on fundamental American institutions. His disdain for the rule of law, equality of opportunity, a free press, an independent judiciary, and the professional intelligence and law enforcement communities are, in metaphorical ways, much like Lincoln’s death. How can one possibly assess the play when the denouement is so fundamentally disruptive of reality?
Ignoring Trumpian dysfunction is difficult. So much of the policy that he has adopted might, coming from someone else and seen in that different light, be viewed as a useful course corrective to the drift of the Obama era. For example, though it is outside my expertise, I have long had a sense that American interests are not well-served by the current operation of the United Nations. In another’s hands I would perhaps welcome the new approach advanced by Ambassador Nikki Haley.
Though it is difficult, if not impossible, to disassociate the act from the actor if we were to magically close our eyes to the nature of Trumpian dysfunction, how would did he fare?
Even with that generous effort of imagination, Trump’s efforts in cybersecurity have not been terribly impressive. He has made some modest policy improvements and begun putting together a good team—but not much more. Given the low bar inherently set for a president who thinks that hackers are fat kids in garages, the absence of a disaster is, itself, a positive. But in a world where cyberthreats morph at light speed, the administration’s rather turgid efforts have been all too timid and incomplete.
The effort started slowly but with some promise, particularly after the much-delayed release of the May 11 executive order on cybersecurity. The order was long on “study the problem” and short on action items, but it could be explained or excused as a baselining exercise to set up further action. Sadly, however, the promise of that order has yet to be fulfilled. The reports have, in many cases, been late, and, more to the point, there has not yet been significant follow-up with associated action plans.
Much of the delay can, I think, be attributed to the turmoil in the executive agencies tasked with the cybersecurity mission. The Department of Homeland Security got off to a relatively strong start, but after its secretary, Gen. John Kelly, moved to the White House, the department suffered from not having a confirmed leader. That should change in the next year, now that Kirstjen Nielsen, a cyber expert, is at the helm. But a year into the administration, there still is no confirmed head for DHS’s cyber division. Likewise, the Justice Department has been distracted by other initiatives and by the president’s unrelenting assault on it. I can’t remember the last time I heard of any significant activity out of the computer-crime section.
To be sure, there were some successes (or, if not full-blown successes, at least modest improvements). Both by virtue of luck and some good effort, the United States suffered far less from the WannaCry ransomware attack than other nations. And, notwithstanding major breaches such as what happened at Equifax, the country managed to get through another year without an existential catastrophe. That has to count for something.
There are other pluses. The National Security Strategy did a pretty good job contemplating cyber issues. More indictments were returned against Chinese hackers. The Vulnerability Equities Process got a charter. And, even though my colleague Jack Goldsmith has doubts about it, I approve of the gentle policy moves toward greater transparency and public attribution that led to naming North Korea as the source of the WannaCry malware. All these steps are surely good things in the grand scheme.
But all of those positives pale in comparison to the single, overarching massive failure of national policymaking in the cyber area: the utter unwillingness to come to grips with the vulnerability of our electoral infrastructure.
In this the Trump administration is not alone. As the Washington Post reports, the Obama administration’s response was characterized by complacency, dithering and indecisiveness.
But the Trumpian response is all those things and more. It is fairly characterized as a state of denial—a state that starts (and likely ends) at the top. As a result, the Trump administration has done virtually nothing to secure the next election: no strategy; no risk assessment; no resource allocation—nothing. I have no doubt that senior intelligence officials do not share the president’s view. I have no doubt that if it were free to do so, the National Security Council could devise a strategy for enhancing electoral security. Failure to act puts at grave risk the American public’s faith in the fidelity of the democratic process.
And yet, because of this president’s childish insecurity about the legitimacy of his election, the government has done nothing, and the prospect of action in the next year is nil. The failure is directly attributable to the aberrational nature of the president.
And that’s why this play stinks.