Brought to you by The VAR Guy
Additional reporting by Allison Francis.
Monday’s presidential debate raised a lot of eyebrows on a multitude of subjects.
Nearly buried in the verbal jousting over tax returns, President Obama’s birth certificate, and trade organizations was a short conversation on what the government’s approach should be to cybersecurity. We reached out to several experts to gauge reactions to the candidates’ responses.
First of all, why hasn’t this been a big focus of the race so far? Steven Toole, a security expert with cloud security provider Avanan, says we’re not having a collective, national conversation in large part because it’s harder to get people excited about something they can’t actually see. “It doesn’t make good television. There are no bodies in the street, blown out vehicles or crumbled buildings to show on CNN. Cybercrime makes very boring news footage,” he said.
But the constant headlines about massive data breaches and the rising levels of alarm from private citizens about the security of their private information is pushing this debate to the forefront.
“Regardless of who won the debate… or who wins the election here in the U.S., the average citizen is fed up with the current state of cybersecurity and the increasingly damaging attacks that seem to be occurring on a nearly daily basis,” said Stephen Gates of NSFOCUS.
“Cyber criminals are having their way with American entities, and the sub-par defenses in place to protect our citizens and national interests are viewed as a complete failure on a global scale… Our citizens don’t need more recommendations or public awareness campaigns; they need and want protection. The list of victims is truly overwhelming.”
Despite the serious national security threat of cyber-attacks, the consensus seems to be that neither candidate—indeed, very few individuals in positions of power in our government—really understands the nature of the crisis. Ladar Levison has had a long and storied history of interacting with the government on issues of security and privacy. In 2004, he founded Lavabit, a highly-encrypted email service with such advanced cryptographic protections that it’s said to be impenetrable—as the FBI discovered firsthand when it tried to gain access to the Lavabit account of one Edward Snowden. Levison was served with a court order to turn over the metadata. Rather than comply, he shut down the service. Levison says the urgency of the cyberthreat is underrated and misunderstood by the two candidates.
Moderator Lester Holt asked the candidates who they thought was behind the threat to national cybersecurity and what should be done to protect America. The question itself seemed to underscore the level of ignorance surrounding the threat.
“It is incredibly difficult, near impossible, to credibly attribute any cyber-attack to a specific actor, let alone a state actor,” Levison says. “What both candidates underscored in their response was a lack of knowledge and understanding when it comes to the cyberlandscape. Neither offered any concrete plans for the defense of this country or its infrastructure. At best they simply boasted about their willingness to engage in cyberwarfare, with nothing but blind hope for those who worry about it escalating into a hot war.”
Jeff Williams, CTO at Contrast Security, pointed out that Trump actually managed to somehow stumble across this point in his talk about ‘the cyber.’ “It’s known as the ‘attribution problem,’ and in a nutshell it means that it’s insanely hard to figure out exactly who is responsible for a cyber-attack. He argues that this happened because of President Obama and implies that we have lost control, but the truth is that this is a problem that is endemic to the Internet and has been for a long time.”
Both Clinton and Trump, it seems, want to walk tall and carry a big stick without knowing even what they should be swinging at.
Infrastructure, not ISIS
Most of the experts said the biggest threat isn’t, in fact, espionage. First Trump and then Clinton mentioned the need to stop ISIS from recruiting through online channels, but that’s missing the bulk of the point, Lief Morin, president of Key Information Systems, told The VAR Guy. “ISIS is a red herring in the context of cybersecurity. Certainly, the effort to recruit jihadists using a global communication network is a challenge worthy of significant focus, but the broader subject of cybersecurity is a major concern for the entire world.” Morin went on to say that those concerns are similar to those about physical terrorism: our defenses have to work 100 percent of the time, but the attackers only have to succeed once.
Morin and others say the scariest threat we face is to critical infrastructure like healthcare, military operations or utilities. “Of course, cyber-attacks are far more than stealing information,” said Williams. “The real concern is that a skilled adversary might interfere with the automated systems that our lives depend on in the U.S., such as food and water, energy, finance, transportation, government and defense–to name just a few.”
But protecting such assets is not something the government can do on its own. It will require partnerships and synergy with the private sector including the channel, which owns and/or manages a vast amount of the country’s infrastructure. It’s a point the candidates largely ignored, much to the frustration of the experts we interviewed.
Some, however, say the government can use its regulatory powers to force the private sector to be more accountable. “With the current state of affairs, the government will be forced to step in and force costly regulation on companies more than ever before, since they are obviously not putting the proper defenses and procedures in place,” says Gates.
John Christly, CISO at remotely-managed security service provider Netsurion, agrees. “If the new president were to mandate that certain protections need to be in place for any corporate entity that stores, processes or handles consumer, financial, healthcare and payment data, it would go a long way towards setting the bar higher than it is now. Sure, we have PCI and HIPAA regulations, but many of those are ‘checkbox’ regulations today that are loosely audited and without real ramifications until after a major breach.”
So who won the debate?
There isn’t much disagreement that Clinton came out on top, even if she did display a misunderstanding of the threat landscape. “Secretary Clinton clearly had a greater command of the both the details and the severity of the risks we face from cyberterrorism,” said Justin Moore, CEO of Axcient. Kenneth Geers, senior research scientist at cybersecurity firm Comodo, pointed out that Clinton gained personal experience with cyberwar when her campaign’s network was hacked earlier this summer, so she has a better understanding of how difficult it is to formulate a precise and proportional response.
“By contrast, Trump does not even recognize there is a national security issue here at all,” continued Geers. “In fact, there is considerable evidence pointing toward Russia, about which Trump seems to be unaware.”
Trump’s rambling response earned the contempt of many experts we spoke with. “Trump doesn’t show any understanding of computers or cyber, seeming to imply that maybe his 10-year-old son might be a good source of policy,” said Williams.
Of more concern to the industry is the defeatist attitude the Republican candidate displayed. “The security aspect of cyber is very, very tough,” Trump said in the debate. “And maybe it’s hardly doable.” Not exactly confidence inspiring stuff.
In the end, perhaps Christly said it best. “I don’t know about you, but if I were a hacker I am not sure I would want Clinton or Trump coming after me – since it seems both of them really know how to go on the attack and bitterly defend things they believe in. Let’s hope that they both can really get behind better cybersecurity for this great nation of ours.”