Corman was impressed. “He understands the tensions and tradeoffs between security and not stifling innovation, not attacking civil liberties,” says Corman. “His questions showed someone who understands the complexities.”
A Cooler Head
Since Trump took office, his administration has rarely spoken in detail about cyber security. The president’s own statements during his campaign consisted of vague promises to stop digital attacks, alongside cringeworthy rants about “the cyber” and his 10-year-old son’s computer skills. But when Trump’s draft executive order on cybersecurity emerged last week, it surprised the cyber security world by hewing closely to the recommendations of bipartisan experts—including one commission assembled by the Obama administration.
According to cyber security policy watchers, that looks like the work of Bossert, a former homeland security official under George W. Bush with a reputation for a measured approach that deeply contrasts with the Trump administration’s so-far volatile style. “The draft executive order would be a much less disruptive effort than some of President Trump’s other actions have been,” says Paul Rosenzweig, a cybersecurity lawyer and former DHS adviser who worked with Bossert in the Bush administration. “I think that reflects Tom’s thoughtfulness and caution.”
Bossert will share responsibility on cybersecurity and counterterrorism with national security adviser Michael Flynn, a far more aggressive, hot-tempered figure. Bossert’s presence as a relatively wonkish and considered policymaker should serve as a relief, says former Atlantic Council director Jason Healey, himself no Trump supporter. “People that follow cybersecurity issues will be happy that Tom is involved in those discussions as one of the reasoned voices,” Healey says.
“Frankly, he’s an unusual figure in this White House. He’s not a Bannon. He’s not even a Priebus,” says one former senior Obama administration official who asked to remain unnamed, contrasting Bossert with Trump’s top advisers Stephen Bannon and Reince Priebus. “He has a lot of credibility. He’s very straightforward and level-headed.”
Tough on Feds, Easy on Companies
A lawyer who shifted his focus to security policy after 9/11, Bossert served as deputy homeland security adviser during Bush’s second term. He quickly became someone to whom the president turned on cyber security issues, says Healey, who also served as a cybersecurity adviser earlier in the Bush administration. In 2008, Bossert helped push through Bush’s Comprehensive National Cybersecurity Initiative, a landmark, largely classified presidential directive designed to shore up the federal government’s cybersecurity infrastructure. The CNCI would put the DHS in charge of protecting federal agencies—subordinating the role of the NSA to informing the DHS’s work—and launching initiatives to track all of the federal government’s internet connections, recruit more cybersecurity talent, and share more of the government’s threat intelligence with the private sector.
“The government had a problem and threw smart people at it to solve some of it,” says Rosenzweig, who served at the time as a DHS policy adviser. “Is it perfect? No, but are we safer today than we were in 2005? Absolutely.”
Plenty of work remains. In the wake of federal cybersecurity disasters like the hack of the Office of Personnel Management and the Russian breaches of the White House and State Department, Bossert will focus once again on tightening the federal government’s digital defenses, Healey says. “Like many of us, he was outraged by OPM,” Healey says. “He really wants to unfuck US government cyber security … The same problems he had as a deputy have only gotten worse, and he’s got a high degree of impatience on that.”
Bossert has a more laissez-faire approach to private-sector cybersecurity, former colleagues say. His distaste for increased regulation, at least, fits in with Trump’s broader agenda. Bossert has instead favored cybersecurity insurance, which proponents argue could offset the risk of major hacking incidents while also incentivizing companies to reduce their cyber security vulnerabilities by tying those risks to their insurance premiums. “Right now, the free market is working in cyber,” Bossert said at an Atlantic Council panel on cybersecurity insurance in 2013. “All signs point to it continuing to work.”
The White House didn’t respond to WIRED’s request for an interview with Bossert, but his official statement at the time of his appointment reflected that free-market approach. “We must work toward cyber doctrine that reflects the wisdom of free markets, private competition, and the important but limited role of government in establishing and enforcing the rule of law, honoring the rights of personal property, the benefits of free and fair trade, and the fundamental principles of liberty,” it reads. “The internet is a US invention, it should reflect these US values as it continues to transform the future for all nations and all generations.”
Tensions to Come
The final direction of Trump’s cybersecurity policies, of course, has yet to materialize. The draft executive order his staff spoke about in a briefing with reporters last week was inexplicably delayed, and Trump still hasn’t signed it.
That briefing also hinted at possible tensions within Trump’s group of cybersecurity advisers. Bossert attended it, but so did Flynn and former NSA director General Keith Alexander. The latter two are known for their aggressive postures on not only cyber security defense but also offensive measures like hacking into adversaries’ computers for espionage and disruption. Trump himself has touted the need for “crippling” cyberattack capabilities. Bossert, according to some former colleagues, believes in a more cautious approach to the military use of American hacking power, particularly against foreign governments.
Whatever his own beliefs, Bossert has a history of putting the goals of the president for whom he works before his own, former colleagues say. “He was a true, honest broker,” Rosenzweig says of Bossert’s time serving under President Bush. “It wasn’t his priorities that came through, it was the president’s.”
In other words, “reasoned voice” or not, the ultimate power to shape America’s cybersecurity stance for the next four years won’t be entirely in Bossert’s hands but in those of his temperamental boss.
This post has been updated to reflect that Jason Healey is the former, not current, director of the Atlantic Council.