Vulnerability Management

Pay attention to the issue behind the curtain…

“There's a crack in everything, that's how the light gets in.” The 2016 presidential election certainly put truth to the late Leonard Cohen's poetic words in “Anthem.” No matter your political preferences, the campaign season was an eye-opener, shook things up and shed light on issues both bad and good about the U.S. and its political process.

Not since Toto pulled the curtain back on the Wizard has so much been exposed so quickly. Among the revelations: the limping state of cybersecurity in the U.S.

Democratic nominee Hillary Clinton's private email server dominated much of the campaign, as did WikiLeaks's steady stream of emails pilfered from Clinton, her aides, the Democratic National Committee (DNC) and other organizations affiliated with the Clinton campaign.

If ever there was an argument for the importance of top-down security, that was certainly it. While former Secretary of State Clinton's email setup seems like more of a bumble than something more nefarious, it provided a route around State Department processes and policy. Most security pros will tell you – and rue the fact – that executives and senior management of public and private organizations almost always challenge IT security because they operate outside the established rules in an effort to do their jobs seamlessly.

Also in sharp focus: The gaps and vulnerabilities exacerbated by government agencies' patchwork of systems and poorly crafted, even more poorly enforced policies, that leave them vulnerable to attack. Not that other organizations and the private sector fared much better – cybersecurity was clearly an afterthought to many that sometimes came at a hefty cost.

The election foibles certainly underscore that nation-states are an ever-present and growing threat. Then-candidate Donald Trump was dogged by allegations that he and Russian President Vladimir Putin were in cahoots and that country's hacker operatives were working to swing the election in his favor. Regardless of potential affiliations and intent, when a country – in this case, Russia – mucks around in the U.S. election as the forensics seemed to show, that's unacceptable. It also raises the question of how we track, attribute, thwart and retaliate. Under Obama, the nation has sharpened its cyber stance – for instance, U.S. Cyber Command has been strengthening its chops to combat ISIS and the White House has promised a “proportional” response against Russia in retaliation for cyberattacks against U.S. political targets. The next president must not only keep the forward motion but accelerate it.

The light shone harshly as well on Congress – you know, those people responsible for crafting legislation around cybersecurity and privacy. By and large, they were exposed as not proficient in cyberissues (not news as much as a reiteration), although by the end of the campaign cycle, the crowing from some lawmakers that they didn't even use email or were otherwise technically challenged had lowered to a whisper. And ZixCorp. CEO Dave Wagner told me that a recent trip to Capitol Hill to school lawmakers on securing email was well-received. As was, Internet Security Alliance President Larry Clinton says, expert guidance offered in “The Cybersecurity Social Contract,” a book penned by ISA board members that offers 106 recommendations for policymakers and a 12-step plan for the incoming administration.

As topsy-turvy – and at times, painful – as the election cycle was, it dragged cybersecurity into the mainstream. Outside of the heated rhetoric over private servers, leaked emails and alleged ties to foreign operatives, Trump and Clinton actually fielded a question about their cyber plans during the second debate.

Neither answer, some security pros say, was sufficient – with Clinton going down a wonky policy path and Trump harping on her email server – but at least cyber was put out there, in front of America, for contemplation. Even my 94-year-old mother now knows not to click on links in emails urging her to change her password, give up personal information or receive a super-great, limited-time offer.

Contemplation and awareness are important. But they are toothless unless followed by action. There is an urgency here that we simply can't ignore – to turn the Wizard's words around, we must “pay attention to the man [or in this case, issue] behind the curtain.” As nation-states rise, as cybercriminals devise new schemes, as organization after organization gets hit with crippling cyberattacks, we can't credibly say we didn't see them coming. The light that has washed over cyber gives truth to the lesser-known lyrics of Cohen's “Anthem”: “The signs were sent.” Now, let's heed them.
