President-elect Donald Trump’s transition team announced Thursday that former New York mayor Rudy Giuliani “will be sharing his expertise and insight as a trusted friend concerning private sector cyber security problems and emerging solutions developing in the private sector.” The details of this new role are vague and sparse, but it would be fair to say that it has raised eyebrows in the security industry.
Some reports suggest that he will be the new administration’s security czar. For the moment, that is probably an exaggeration. The transition team announcement says only, “It is contemplated that the President-elect will be hosting a series of meetings with senior corporate executives from companies which have faced or are facing challenges similar to those facing the government and public entities today, such as hacking, intrusions, disruptions, manipulations, theft of data and identities, and securing information technology infrastructure… Mr. Giuliani was asked to initiate this process because of his long and very successful government career in law enforcement and his now sixteen years of work providing security solutions in the private sector.”
From this it would appear that Giuliani’s role is primarily that of a facilitator for meetings between the administration and private industry to discuss problems and practical solutions in cyber security. The announcement makes it clear, “No consensus advice or recommendations resulting from group deliberations or interaction is expected or will be solicited.” This should be a positive step with the administration listening to those who suffer from cyber security attacks rather than just those who sell solutions to those attacks.
It is the idea of Giuliani ‘sharing his expertise and insight as a trusted friend’ that raises eyebrows. His name is not well known in the cyber security industry, although his firm, Giuliani Partners, is a security consultancy. Needless to say, the firm’s website was rapidly examined by security professionals and immediately lambasted. The site, www.giulianisecurity.com, has now been taken down, but not before researchers noted a string of security issues.
These included expired SSL, use of Flash, exposed CMS login, out-of-date software and numerous open ports. Not everyone believes that should be a concern. Robert Graham at Errata Security wrote today, “But here’s the deal: it’s not his website. He just contracted with some generic web designer to put up a simple page with just some basic content. It’s there only because people expect if you have a business, you also have a website.”
But that’s not how cyber security works. You cannot just contract with some generic consultant and leave it at that — it is continuous attention to detail that makes the difference between secure and compromised. Where you don’t know the solution yourself, you need to be able to take advice from others. It is suggested that as mayor of New York, Giuliani was advised by the police not to site the city’s emergency response center in the World Trade Center for reasons that included its history as a terrorist target. Giuliani did not heed this advice, and the emergency response center was destroyed with the World Trade Center on 9/11.
Despite these concerns, Giuliani could prove a good selection if his role is primarily as an informal executive meeting facilitator. Although frequently described as a cyber security firm, his consultancy is more strategic than hands-on. Before it was taken down, the website described the ‘portfolio of services’ as including ‘Global Investigations/Litigation Support/Due Diligence’ and ‘Brand Protection/Anti-Counterfeiting Strategies & Solutions’. Clients include “governments, global corporations, energy industries, law firms, financial institutions, and universities among other organizations.”
In a conversation with Fox & Friends, Giuliani described his role as just such a facilitator. “The idea here is to bring together corporate leaders and their technological people. The president will meet with them on an ongoing basis as well as anyone else in the Administration. … I’ll coordinate the whole thing. I’ll get the people in, make sure the meeting takes place, make sure they get the information from the private sector.”
Cyber security information sharing between industry leaders and between industry and government can only be a good thing.