Stephen Boyd’s Capitol Hill briefing for Alabama’s business, financial, defense and government affairs executives.
Regardless of Election Outcome, Auburn’s McCrary Institute Poised to Guide Next Administration on Cyber Policy
It sounds like the start of a spy movie: a covert Chinese hacking syndicate dubbed “Salt Typhoon” appears to have broken into the systems of multiple telecom companies in an attempt to eavesdrop on the calls of prominent Americans.
But this story isn’t Hollywood fiction. The very real recent digital intrusion targeted current U.S. government officials, presidential candidate Donald Trump, and his running-mate JD Vance. It remains unclear what access was obtained and multiple U.S. agencies are investigating. But it’s not hard to see how Chinese hackers obtaining sensitive information from Trump’s calls and leaking it prior to Tuesday’s vote could impact a close election.
The linkage between private companies that maintain vast data networks and the government agencies and officials that use them is one of several themes raised in a new report from Auburn University’s McCrary Institute of Cybersecurity and Critical Infrastructure.
The report, “Securing America’s Digital Future: A Bipartisan Roadmap for the Next Administration” is tailor made for the next occupants of the White House and the newly installed leaders of a host of acronym agencies critical to digital security.
The Report makes 84 recommendations across eight key areas to provide the next administration a roadmap for cyber policy. It’s already in the hands of the Trump and Harris transition teams.
It should come as no surprise that Auburn’s McCrary Institute is providing advice to the nation’s next cyber leaders.
Since its founding in 2015 – made possible through a donation from the Alabama Power Foundation – the Institute has staked out a leadership role on cyber policy. From its offices just blocks from the U.S. Capitol, the Institute’s staff, experts, and fellows develop policy, conduct research, and educate decision makers to shape cyber strategy. (I’m honored to be a Senior Fellow at the Institute, though my contribution to this report was minor.)
The Institute is led by Frank Cilluffo, whose work in homeland security dates back to the days after the September 11, 2001 attacks when President Bush appointed him to the Office of Homeland Security to focus on counterterrorism. Since then, Cilluffo has become a well-known leader in Washington’s cyber community.
With the election around the corner, we had the opportunity to catch up to discuss the Report’s release. Here’s a portion of our conversation:
Stephen Boyd: Frank, there are a lot of “think tanks” in Washington. What makes Auburn’s McCrary Institute different?
Frank Cilluffo: At the McCrary Institute, we like to think a key differentiator is that we are not just a think tank, but also a do tank, more focused on blending theory with practice and ultimately ensuring that our solutions can be acted upon and are operationally relevant and sound.
Boyd: I suspect that when we say “cyber security” most people think “passwords” and “bank accounts.” Financial crime is part of it, but the threat matrix today is much bigger than that. How do you characterize the challenge?
Cilluffo: The cyber threat comes in various shapes, sizes, and forms ranging from nation states like Russian, China, Iran, North Korea, their proxies, criminal enterprises, insider threats and hacktivists of various stripes, who are often more difficult to discern between puppet and puppet master, to criminal enterprises focused on ransomware attacks. Cybersecurity is about keeping our systems secure and resilient to cyber-attack, so that we can mitigate threats to our economy, national security, and public safety.
Boyd: I had a front row seat to the 2016 presidential transition. It was pretty chaotic–I suspect they all are. How can this transition report help?
Cilluffo: We intentionally broke this out into short- medium- and long-term priorities. Some of these are very straightforward. Many on our task force, including myself, have been involved in transition planning offices, and everyone is drinking out of a fire hose. This report can give transition teams a head start on major issues. Hopefully, it will be a resource for whoever wins on Tuesday . We structured the report across eight lines of effort with a healthy mix of digestible, actionable policy items and longer-term goals.
Boyd: At the Department of Justice, I’d cringe when someone said “whole of government” response because often when everyone owns a problem, no one does. But cyber really does demand multi-agency coordination. What does the Report say about that collaboration?
Cilluffo: Well, our very first recommendation is the need to harmonize often conflicting, cumbersome regulations across various federal agencies. That requires an empowered National Cyber Director who can see across government and action collaboration. All agencies have a role to play, but the roles should be clearly defined, resourced – policy without resources is rhetoric – and make sense. And most importantly, the federal government should be promoting a unity of effort to better support state, local, tribal, and territorial governments, as well as the private sector.
Boyd: The list of people you’ve involved in the Institute is impressive. Many former senior officials at FBI, NSA, and CISA, not to mention major private sector players like Google. How’d you recruit that brain power?
Cilluffo: Working on important issues and hard problems tends to draw and attract good people. It is important to ground these issues in reality, so that we aren’t just long on nouns and short on verbs, but actually getting things done. We are very proud at McCrary of having a track record of not just coming up with ideas, but also advancing policy recommendations into reality. We could not have done this without the high caliber expertise of our senior fellows, notably including you, by the way, Stephen. Your background as Assistant Attorney General and leadership on the Hill are exactly what we needed to make sure this task force came up with the sound policy recommendations we issued.
Boyd: In our meetings in Washington, I don’t recall hearing a single partisan statement from anyone involved in the development of this report. That might be hard for some in 2024 to believe. Doesn’t that really speak to the bipartisan nature of the problem?
Cilluffo: Yes, it does, and while there are going to be differences and nuances between various administrations, this isn’t a red issue or blue issue, it is a red, white, and blue issue. I believe that reality is represented by this task force.
Boyd: Cyber is hamstrung by a patchwork quilt of different legal authorities for different agencies. Harmonizing that framework will require Congress. How do you engage with Members of Congress and staff on legislative issues that are important but often outside their comfort zones?
Cilluffo: We will need to bring together both ends of Pennsylvania Avenue to solve these challenges. Regulatory and statutory harmonization cannot be done without the help of Congress, and, particularly in a post-Chevron deference world, it is more important than ever that we support Members and congressional staff with expertise.
Boyd: Agencies like the FBI need to move from a policy of “deterrence” to a policy of “cost imposition." Basically, we want to make it as costly and uncomfortable as possible for adversaries when they choose to attack us digitally. How do we make them pay a price?
Cilluffo: For too long we’ve been blaming the victim, but now is the time to impose cost and consequence on our adversaries to induce changes in behavior. We are never going to simply firewall our way out of this problem. We have to lean forward. Ransomware claw backs and recoup work that the FBI is engaged in is a good start. Now, let’s scale those efforts. We also should allow the State Department to develop a process of designating state sponsors of cyber crime, similar to the state sponsors of terrorism list. That way, we can more aggressively call out, identify, and unleash additional national security authorities against the bad actors.
Boyd: The importance of coordination between the private and public sectors is a theme in the report. The Salt Typhoon attack highlights the need for that. But let’s say a small defense contractor in Huntsville thinks it may have been hacked. On the one hand, that firm could probably use help from the government and also could warn others. On the other hand, it’s not always great for business to acknowledge a vulnerability or sensitive data loss. What systems do we
need to help businesses in that scenario?
Cilluffo: It is more than coordination – it is collaboration and the need for operational collaboration. We know who is coming for us—it’s not a mystery. We need to have the type of relationships fostered between the private sector and all levels of government, so people have a measure of trust in responding to and mitigating
cyber threats.
Boyd: I’m watching closely the growing military partnerships within the CRINK alliance, which is China, Russia, Iran, and North Korea. Any reason at all to believe that the cyber threat from these countries will diminish in the years to come?
Cilluffo: Unfortunately, no, at least not of their own choosing.
Stephen E. Boyd is a Partner at Horizons Global Solutions. Previously, he served as a Senate-confirmed Assistant Attorney General at the U.S. Department of Justice, Chief of Staff for Alabama members in both the U.S. Senate and U.S. House of Representatives, and as a Communications Director of the Senate Committee on the Judiciary. He resides in the Washington, D.C. area. Opinions expressed herein are his own. Contact Stephen at [email protected] or via X at @SEBOYD79 or via LinkedIn.