By: Maria Korolov
Senior security industry professionals were dismayed about the travel ban imposed this weekend by President Trump, and worried that the repercussions could go far beyond the handful of countries singled out so far.
The nation’s cybersecurity posture would be hurt in numerous ways, they said, citing increased anti-American sentiment spurring more hacking attacks, hurting international cyber enforcement cooperation efforts, discouraging foreign students from coming here to study, hurting recruitment efforts, and influencing organizers of international cybersecurity conferences to look at other countries for meeting locations.
And while most of these effects will take time to be realized, some companies have already felt the impact of the ban.
San Jose-based cloud security company Zscaler, Inc. will be holding a sales event next month, and an employee who originally came from Iran might not be able to make the event, said company CEO Jay Chaudhry.
Chaudhry flew from Amsterdam to London on Monday for business meetings, and was shocked at how much Trump’s travel ban dominated every conversation.
“Generally, when you go to business meetings, it’s not for political talk,” he said.
“But I had a few business meetings today and every meeting would start with, ‘So, America, you’re closing down? You’re going to build a wall around yourself?’ I’m not sure we’re gaining much from this. But we have a lot to lose.”
The U.S. is a country of immigrants, he added.
“Every country out there used to look at America as a role model,” he said. “This goes against our fundamental values. Reagan went to Berlin and said, ‘Mr. Gorbachev, tear down this wall!’ Now we’ve come full circle.”
ValiMail, a San Francisco-based email security vendor, was in the process of transferring an employee who had an H1-B visa and was in the process of applying for a green card.
“She — and we — had to immediately start making calls to make sure the process and application are in no way impacted,” said company CEO Alexander Garcia-Tobar. “To date, we are still in limbo. Nobody seems to know the exact extent of the order as it is worded in overly broad terms.”
The same thing is happening at thousands of other companies, he said.
And those seven countries could be just the start, said Morey Haber, VP of technology at Phoenix-based BeyondTrust, inc.
“The president did indicate that others will be added as needed,” he said. “Any company or project that works in the Middle East should take note.”
In addition, groups of American employees participating in international events may also become more attractive targets for terrorists, he said.
The listed countries could retaliate against the U.S. with travel bans of their own, he added.
Several security experts also pointed out that the annual RSA Conference is coming up in two weeks. Attendees from Iran, Iraq, Libya, Somalia, Sudan, Syria and Yemen will have to rethink their plans.
Even employees who are already in the United States will be affected, since they won’t be able to leave the country on work-related assignments — or for any other reason — until the situation is resolved, and neither will their family members.
“I hope that this immigration ban is only temporary and most of the companies impacted can work through and around this,” said James Carder, CISO at Boulder, Colo.-based cybersecurity firm LogRhythm, Inc. and VP of LogRhythm Labs.
“However, I don’t know what’s next and if there is a short-term end in sight. Will it just be 90 days or will it be much longer?”
The travel ban may may also have a more insidious long-term effect on recruiting. The cybersecurity industry already has a massive talent shortage, Carder said.
“Would you want to go work for a company, based in the U.S., that sees you as a threat, an enemy, or a terrorist?” he asked. “I would likely take my advanced degree and training to Canada, or somewhere else, where I’m viewed for my skills and not by where I’m from nor my religion.”
Cybersecurity is a global community, said Jeff Williams, CTO at Palo Alto, Calif.-based Contrast Security. “Most of the bug bounty security researchers are from foreign countries,” he said.
“Many cyber companies are started by foreign nationals. And most security teams at major companies are staffed with people from all over the world. And the cybersecurity programs in our colleges and universities are flooded with immigrants. Basically, until now, the US has been the beneficiary of the global cybersecurity brain drain.”
If the U.S. shuts its doors, all that will change, he said.
“It’s the height of irony that we are closing off the human resource supply chain in an effort to secure our borders,” he said.
Hurt global cooperation
One common tactic used to catch international criminals is to lure to them to the United States, said LogRhythm’s Carder.
“If you are a cybercriminal and your country is listed as one of the seven countries banned, you will not be lured over to the U.S. any time soon,” he said.
Plus, the international nature of cybercrime also requires a great deal of cooperation between nations.
The relationship with the seven banned countries will obviously be damaged first.
“If those countries were willing to work with the U.S. government before in prosecuting international cyber criminals, they may not do so now that we’ve cast them as enemies,” he said. “I also wouldn’t be surprised if their governing of what constitutes cybercrime against the U.S. loosens up after this.”
But relationships with other countries may sour as well. Not only other Muslim countries, but also those in Asia and Europe.
“The more we constrict and insulate ourselves from the world, the less likely our allies are going to cooperate with us, including on things like law enforcement actions,” said Anup Ghosh, founder and CEO at Fairvax, Vir.-based Invincea, Inc.
Spur more cyber attacks
The ban, instead of reducing risk, may actually provide more motivation for attacks — including for cyber attacks.
“We’ve already seen attacks by Iran on banks,” said Ghosh. “So I don’t think it will be shocking if we see more attacks coming from Iran.”
And it’s not just that country, he added.
“If we’re signaling to the rest of the world that we’re unwilling to help with the refugee crisis and we’re going to wage a war against religion, then we can expect more attacks against our critical infrastructure,” he said.
On a positive note, the seven countries targeted by the ban are not particularly known for their technology infrastructure, said Dave Dufour, senior director of engineering at Broomfield, Colo.-based Webroot Inc.
The likelihood of a criminal moving to one of these locations to avoid capture is minimal, he said. “Frankly, there are much better choices in terms of countries without extradition to the U.S. to set up shop.”