Is Rudy Giuliani Qualified to Advise on cyber security?


Trump picked Giuliani to lead an advisory council on cyber security.

Last week, Donald Trump’s transition team announced that Rudy Giuliani, former Mayor of New York City, would be advising Trump’s administration on cyber security issues. It’s not entirely clear what Giuliani will be doing, but he told CNN that “Trump plans to have a ‘private sector cyber security council’ that meets with the president several times a year.”

Giuliani would lead and organize this council.

This announcement immediately drew widespread criticism from the info sec community, who rightfully pointed out that Giuliani has no expertise in anything cyber-related.

The community’s first reaction was to poke into the website for Giuliani’s security firm. It did not take long to find out that GiulianiSecurity.com was anything but secure. The website was running on a seriously outdated operating system and CMS, both of which are vulnerable to known security exploits, in addition to a list of other bad practices.

The website also had an expired SSL certificate and allowed logins over HTTP.

Shortly after Trump made his announcement, GiulianiSecurity.com became inaccessible. It’s unclear if the site was taken down or knocked offline by the rush of traffic. You can view the site on the Internet Archive.

GiulianiSecurity.com used an expired SSL certificate and had an F grade from SSL Labs. Image courtesy of @denormalize.

While it may be fun to laugh at how poorly managed his firm’s website is, Rob Graham pointed out that the site was probably put together with minimal effort.

Graham said, “[The website is] there only because people expect if you have a business, you also have a website.” He also noted that the web hosting company being used by GiulianiSecurity.com is not even actively providing services anymore, and the state of the site is “exactly what you’d expect from a legacy hosting company that’s shut down some old business.”

The real problem is that Giuliani’s expertise with computers and information security is just as inadequate as his website’s configuration. Many have pointed out that Giuliani Security’s website does not even mention anything about “cyber security,” and is instead focused on offering physical security forces.


But in an interview with Politico, Rudy Giuliani said “we do cyber security for many people,” and “if they want cyber security solutions, we can give it to them.” That makes his role sound more like a glorified reseller than an expert in any sense of the word. In the same interview, Giuliani refused to acknowledge how this new advisory role could benefit his businesses.

Trevor Timm, co-founder of The Freedom of the Press Foundation, wrote that “the president-elect claimed he would soon assemble ‘some of the greatest computer minds anywhere in the world’ to tackle the US government’s cyber security problem. On Thursday, he went the opposite route instead and hired Rudy Giuliani.”

So, why exactly did Donald Trump pick Rudy Giuliani? He must have some experience with “the cyber,” right?

Well, Rudy Giuliani is Chair of the Cyber Security, Privacy and Crisis Management Practice at Greenberg Traurig, a Miami-based law firm. But their website has almost nothing to say about Giuliani’s expertise in information security, besides a bullet point under “Areas of Concentration” that simply says “cyber security.”

Giuliani and his companies Giuliani Partners and Giuliani Security and Safety have been advising companies on information security since 2002, but it’s quite difficult to pin down any specifics on what they actually do.

Motherboard talked to an executive familiar with Giuliani Security and Safety. They said the firm was “focused more on liability mitigation for companies rather than implementing best security practices.” That executive, who requested to remain anonymous, summed up by saying “Basically, not to prevent a Target [breach], but how to prevent a Target CEO being fired.”

Motherboard dived deep looking for evidence of Giuliani’s expertise. They dug up an old New York Times interview from 2003. Here is a choice quote:

So, Mr. Giuliani, could you comment on the BIND vulnerability that was exploited to threaten the root server system?

“I could make a comment on the Cubs game tonight,” he said with a laugh, speaking by phone from Chicago.

I recommend reading Motherboard’s entire article to see the stunning lack of evidence that Giuliani has any idea whatsoever about how a computer works, let alone how you secure one.

It is fairly obvious that Giuliani’s contribution will be as a messenger between the private sector and Trump, and his most valuable assets are his connections and experience working with business and political leaders.

The problem is that our government needs an advisor with more than just connections. No matter how well connected you are, you are likely to deliver subpar results if you are hopelessly out of touch with the topic. You wouldn’t hire an oil lobbyist to advise you on zoning laws, and we should not be trusting info sec topics to a former mayor and state attorney with no IT background.

In its announcement of Giuliani’s appointment, GreatAgain.gov, the website for president-elect Trump’s transition effort, said “Mr. Giuliani was asked to initiate this process because of his long and very successful government career in law enforcement and his now sixteen years of work providing security solutions in the private sector.” So even Trump’s transition team seems to be building a tenuous link between Giuliani’s experience advising on physical security and information security.

Trump is right about one thing – America needs to take info sec more seriously, but this is not the way to do it.