Rudy Giuliani is going to head a new Cybersecurity Working group for the Donald Trump transition team, a move that has caused many to reflexively wonder: What does the former mayor of New York know about cybersecurity?
That's probably a fair question, because Giuliani served as an undisciplined attack dog for Trump during the campaign, saying a large number of patently and provably false things on a wide array of topics. It is concerning to some that Trump will put him in charge of solving the very real problem of preventing foreign governments from using hacking to undermine our democracy and getting private corporations to treat cybersecurity as vitally important to the economic, security, and privacy interests of their businesses, employees, and customers.
But Giuliani is not an unqualified pick for this position, just a cynical one.
Since 2003, his consulting firm Giuliani Partners and its subsidiary Giuliani Security and Safety has at least nominally advised clients on cybersecurity, but people who have worked with his firm say the advice is focused more on liability mitigation for companies rather than implementing best security practices.
"If you hired them on a cyber engagement, they are going to tell you what your legal obligations are and how to manage the legal risk related to cyber," a cybersecurity executive in New York who has experience with Giuliani Security and Safety and requested to remain anonymous told Motherboard. "Basically, not to prevent a Target [breach], but how to prevent a Target CEO being fired."
Giuliani's general interest in the sector seems to come from its emerging growth—in a November interview with Marketwatch, he characterized the company's early interest in cybersecurity as a smart market grab. In 2007, after Giuliani joined the law firm Bracewell LLP with a security focus, the Associated Press noted that it was almost entirely an attempt for the firm to cash in on Giuliani's connections and name recognition, not his lawyerly or technical expertise.
"Honestly, it sounds like a nothing job. A hat-tip for the help during the campaign."
This is consistent with some of the former mayor's earliest interviews on the subject. A 2003 New York Times article announcing Giuliani Partners's earliest forays into the cybersecurity world asked him to discuss a common cybersecurity vulnerability.
"I could make a comment on the Cubs game tonight," Giuliani jokingly told The Times. Four years later, in a 2007 article, The Times described Giuliani Security and Safety as something of an interesting but growing side project.
Unlike many other cybersecurity firms, Giuliani Partners does not publish white papers about malware and large-scale hacks, or push for increased adoption of encryption, which would enhance cybersecurity across the board. In fact, it doesn't talk much about cybersecurity at all, instead choosing to focus on its more traditional anti-crime consulting work.
Giuliani Partners' website promotes its crime reduction successes in countries like El Salvador, Colombia, Mexico, and the Dominican Republic, not its cybersecurity work. Some of the only publicly available cybersecurity work the company has ever done came in 2003, after the firm investigated an electronic betting scandal for the National Thoroughbred Racing Association.
In other words, Giuliani is a lawyer, not a cybersecurity expert.
While the work of Giuliani's firm is "comprehensive" and "well thought out," the NYC executive said, it's "not something I would expect an infosec engineer in the trenches to respect."
"Lawyers are risk managers and their work product is high level management of risk, not incident response," the source added. "If an engineer is a firefighter, the lawyer isn't even the building inspector trying to prevent future fires, the lawyer is the guy writing the building code with an eye to prevent fires, but managing other competing interests too."
If you have ever worked with Giuliani himself or his firm, please contact us. You can use our SecureDrop, or email us directly at email@example.com or firstname.lastname@example.org. To contact us securely, see here and here. No need for names.
But Giuliani isn't even writing building code. He has published nothing for GreenbergTraurig law firm's cybersecurity practice, where he took over as chair in January 2016; the group, meanwhile, has published papers lamenting European Union privacy regulations and a spate of class action lawsuits related to consumer data privacy.
Here is a sampling of Giuliani's "news coverage" GreenbergTraurig has decided to highlight:
According to Alexander Urbelis, a New York-based infosec lawyer at Blackstone Law Group, Giuliani's past as a successful prosecutor could signal the direction Trump wants its administration's cybersecurity efforts to be: more clamping down on cybercime rather than anything else.
"On the one hand it's cronyism at its best, on the other hand Giuliani is not a bad person when it comes to law enforcement," Urbelis told Motherboard, alluding to Giuliani's close relationship with police. It should be noted, though, that Giuliani's legacy includes enacting the controversial stop-and-frisk policy.
Earlier this month, at the annual Consumer Electronics Show in Las Vegas of all places, the company partnered with BlackBerry to "take advantage of BlackBerry's leadership in secure mobile communications technology to assess infrastructures, identify potential cyber security vulnerabilities, address gaps and secure endpoints." (In the past, it should be noted, BlackBerry has had very serious security issues—namely that it has been willing to intercept and decrypt messages for Canadian law enforcement and its devices have been found to have serious security flaws.)
When Giuliani does talk about cybersecurity, it is not in a sophisticated way.
"You should see the technologies. They're great," Giuliani said in December, speaking to Fox News's Sean Hannity about the state of cybersecurity in Israel. "And the thing is to then do that and have your phone number changed, but have it done automatically so your phone number never changed but it really changed."
Giuliani has yet to form a coherent position on the encryption debate, perhaps because it pits his hardline law enforcement approach to security directly against the idea that more encryption is better for the security of all, which is common wisdom in the infosec community he purports to be a part of.
"When it comes to encryption, and digital technology more broadly, there is, unfortunately, no one-size-fits-all solution," he told the House Homeland Security Committee last February. "This is a complex and difficult challenge, and it is imperative that we tackle it directly, comprehensively, and with the future in mind."
Giuliani continues to be what he has been since the 9/11 attacks: A law-and-order hardliner with international name recognition. We don't know what, if anything, Giuliani's group will actually do under Trump. He's spent much of his later career racking up ceremonial job titles; this might just be one more.
"Honestly, it sounds like a nothing job," the unnamed cybersecurity executive said. "A hat-tip for the help during the campaign. 'We don't have a real job for you, so tell us some BS title to give you that will help your career outside of government and we'll do it.'"
Get six of our favorite Motherboard stories every day by signing up for our newsletter.