As Americans prepare for the upcoming U.S. presidential election and weigh the policies of former Secretary of State Hillary Clinton and Donald Trump, industry pros observing the cybersecurity policy discussions between the two candidates may be excused for wondering “How did we arrive here?”
While neither candidate has offered much detail on their cybersecurity policy priorities, they have signaled through comments during the debates and events that they would take different approaches to managing nation-state cybersecurity threats facing the country.
The two candidates have given cybersecurity pros cause for concern; Clinton and Trump will both face difficulties convincing the industry that they will rise to the cybersecurity challenges now facing the U.S.
The Federal Bureau of Investigation (FBI) probe into Clinton's use of private email servers dominated cybersecurity headlines for much of the past year, culminating with FBI Director James Comey's July statement that the agency did not find evidence that Clinton intentionally deleted e-mails and would not recommend criminal charges against the former Secretary of State.
The announcement was a satisfying resolution for Clinton supporters, though the episode highlighted causes for concern among many industry sources. Especially jarring to security pros was Comey's conclusion that the State Department under Clinton was “extremely careless” in handling classified information. As Clinton faced national scrutiny for her email practices, hotels owned by Donald Trump suffered multiple data breaches and DDoS attacks.
Authentic8 co-founder and CEO Scott Petry told SCMagazine.com that if Trump and Clinton did not think information security was important enough to secure their own digital assets, “how can we trust them with our digital assets as a country?”
Clinton's personal information security failings have received more scrutiny than those of Trump and “quite possibly for good reason,” said Alexander Urbelis, CEO of information security firm Black Chambers Inc. and partner at Blackstone Law Group. Urbelis told SCMagazine.com that Clinton “took on a greater measure of personal responsibility” by moving her email system over to a personal server. In Trump's case, the cyberattacks against his companies were seen as the cost of doing business.
Even if some pros have been willing to overlook Trump's personal cybersecurity shortcomings, few industry pros were as forgiving of his gleeful encouragement that Russia try to “find the 30,000 emails that are missing,” a reference to Clinton that was interpreted as an invitation to engage in foreign espionage.
Trump's comments to Russian hackers were “absolutely troubling,” according to Urbelis. “He seems to be overtly normalizing authorizing the use of cyber capabilities between nations in order to gain political advantage,” he told SCMagazine.com. “When it is normalized to such a great extent, it will invariably bleed over in the private sector through misappropriation of trade secrets.”
Indeed, many of Trump's comments about cybersecurity issues are deeply troubling to security pros, from referring to cybersecurity as “the cyber” to theorizing that the DNC hack was conducted by a “400-pound hacker.”
Clinton has been more consistent in signaling to foreign hackers that attacks against U.S. targets will not be tolerated. “There's no doubt now that Russia has used cyberattacks against all kinds of organizations in our country, and I am deeply concerned about this,” she said during the first presidential debate. “We need to make it very clear — whether it's Russia, China, Iran or anybody else — the United States has much greater capacity.”
Robert Morgus, a policy analyst with New America's Cybersecurity Initiative, told SCMagazine.com that while he was pleased to see Clinton embrace an idea of deterrence, he cautioned against relying too heavily on offensive cyber capabilities as the method of deterrence. “The response to a cyber incident does not need to occur through a cyber response,” he told SCMagazine.com.
Clinton's campaign website promised she would “build on the Obama Administration's Cybersecurity National Action Plan,” especially by modernizing federal IT and upgrading government-wide cybersecurity.
Petry said the language implies she would increase spending on the country's defensive posture, a focus that he finds encouraging. “You don't need to look very far beyond OPM to see that while we may have the best offensive capabilities in the world, our defensive posture is not.”
Malcolm Harkins, chief security and trust officer at Cylance and a fellow at the Institute for Critical Infrastructure Technology (ICIT), said the U.S.' focus on offensive capabilities has helped “create our own victimization.” He said he hopes the next administration will focus on developing international cyber norms to “dramatically change the risk curve.”
Clinton and Trump have both taken stances on the encryption debate earlier this year that have displeased security pros.
The encryption debate that set the FBI against Apple earlier this year was characterized by Clinton as “a legitimate dilemma.” During a Town Hall discussion with Bernie Sanders in February, she pleaded with the government and tech companies to “keep working together to see that there isn't some legitimate way to help deal with these kinds of very real world problems that we face.”
Trump has taken a more direct stance, stating bluntly in an interview that same month, “Who do they think they are? No, we have to open it.”
Petry said these arguments against encryption are troublesome. “Free speech and the right to privacy are pillars of our democracy,” he said. “Sweeping arguments like, ‘Terrorists use encryption, therefore encryption is bad’ are an incomplete argument.”
Last December, Trump called for “closing that Internet up in some way.” Later that month, during the fifth Republican debate, he again voiced support for “closing parts of the Internet” to prevent ISIS recruitment efforts.
It was unclear from Trump's comments whether he was referring only to ISIS-controlled regions. Sam Curry, chief product officer at Cybereason, noted that the comments could have been referring to an electronic warfare campaign. He noted that such a scenario would be akin to shutting down highways as an offensive tactic, albeit more damaging. “If he meant it in anything other than a war context I am highly skeptical,” he said.
Clinton has called for combatting ISIS's ability to communicate by censoring social media sites like YouTube, Twitter, and Facebook. “You're going to hear all of the usual complaints, you know, freedom of speech, et cetera,” she said during a keynote speech at The Brookings Institution. “But if we truly are in a war against terrorism and we are truly looking for ways to shut off their funding, shut off the flow of foreign fighters, then we've got to shut off their means of communicating.”
Morgus noted that the candidates' approaches to cybersecurity are a microcosm of their campaigns. Clinton is “more willing to engage internationally and on diplomatic front,” whereas Trump is hyper-focused on what we can do within the U.S. to “make America great again,” and he “somewhat disregards the impact that the U.S. can have on the rest of the world and the impact that the rest of the world can have on the U.S.”