Let's School the Presidential Hopefuls on Cybersecurity

Potential candidates need to understand the cybersecurity basics before they can craft policy.
Republican presidential candidates take the stage for the first primetime presidential debate August 6 2015 in Cleveland...
CLEVELAND, OH - AUGUST 06: Republican presidential candidates (L-R) New Jersey Gov. Chris Christie, Sen. Marco Rubio (R-FL), Ben Carson, Wisconsin Gov. Scott Walker, Donald Trump, Jeb Bush, Mike Huckabee, Sen. Ted Cruz (R-TX) and Sen. Rand Paul (R-KY) take the stage for the first prime-time presidential debate hosted by FOX News and Facebook at the Quicken Loans Arena August 6, 2015 in Cleveland, Ohio. The top-ten GOP candidates were selected to participate in the debate based on their rank in an average of the five most recent national political polls. (Photo by Scott Olson/Getty Images)Scott Olson/Getty Images

In the build up to the 2016 US election, both Democratic and Republican presidential hopefuls are talking about cybersecurity—and specifically state-sponsored hacks. Cybersecurity is the hot-button national security issue on the campaign trail.

Referencing breaches from China and Russia, last month Hillary Clinton said that cybersecurity legislation “doesn't go far enough” to defend the United States. 2016 GOP hopeful Mike Huckabee called on Obama to carry out a cyberattack against China in response to the Office of Personnel Management hack, while Senators Charles Schumer and Lindsey Graham urged the International Monetary Fund to punish the country financially.

Then just last week during the GOP debate, Carly Fiorina called for companies to pull down the “cyberwalls” that stop governments from accessing customer data, and Senator Ted Cruz said that state-sponsored hacks amount to acts of cyberwar.

As these discussions heat up, it's more important than ever that mainstream politicians actually understand what they're talking about. Here is a quick primer on what anyone running in the US Presidency race really should know when it comes to cybersecurity.

Cyberwar Is Not Like Traditional Conflict

When Huckabee exhorted that the United States should be firing back at China in cyberspace, he pushed an approach of deterrence through aggression. “The way you deal with a bully on the playground is to punch them in the face and put them on the ground because the only thing they respect is power,” he said according to The Hill.

But if the purpose of these actions is actually to prevent further hacks of US systems, that’s the wrong approach, according to Jeffrey Carr, author of Inside Cyber Warfare, and CEO of cybersecurity company Taia Global. In an op-ed published in The Christian Science Monitor, Carr notes that a solid defense is possible, but it doesn't come from repeatedly smacking your bully in the face. Instead, “It comes from enabling security protocols that make sensitive or valuable data so hard to steal that the effort isn’t worth the reward,” he writes. “The goal of deterrence isn’t to keep bad guys out of a network, it’s to make it next to impossible for them to acquire the assets that they’re targeting. Technically, that’s already possible.”

Besides, it seems very unlikely that the US isn't already aggressively launching its own campaigns against China, Russia, and a host of other countries. US intelligence services engaged in 231 offensive operations throughout 2011, according to the Snowden documents, and it is now obvious that those attacks have done little to dissuade other countries from targeting the US. In order to bring about policies that will genuinely protect the nation and its data, politicians need to get over the intuition that simply firing as many zero-days as possible is the best way to go. The best offense is a good defense, after all.

Encryption Is There To Help, So Please Don't Break It

The renewed debate around the benefits and harms that encryption may provide to society is reaching fever pitch. If companies such as Apple continue to provide high-quality encryption on their devices, or messaging apps allow a user's communications to be truly private, the country's intelligence services are going to go dark, we are told.

That debate, particularly when it comes to criminal cases, will continue for some time. But if the presidential hopefuls really consider the cybersecurity of businesses to be a national security issue, as some seem to, they should support the adoption of true, end-to-end encryption.

“Such an encryption system would protect individual privacy and business information from exploitation at a much higher level than exists today,” a slew of intelligence experts wrote in the Washington Post, including Mike McConnell, former director of the National Security Agency. They pointed to a recent MIT paper which shows that creating duplicate encryption keys for government access fundamentally weakens the security of any system, allowing sophisticated criminals, or more likely state-sponsored hackers, an avenue of attack.

Encryption is there to help. It exists to safeguard systems and data, and should be seen as an essential tool for protecting national security interests of the United States.

Information Sharing Might be Bad for Security Overall

As the Pentagon recovers from a recent flurry of state-sponsored hacks allegedly attributable to Russia and China, the controversial Cybersecurity Information Sharing Act (CISA) is making its way through the Senate.

Sharing more data between agencies sounds like an obvious way to gain more intel about incoming attacks, but nominees should be cautious, as this approach may increase the area available to hackers.

“Information-sharing bills like Cisa would make us even more vulnerable by dramatically expanding the amount of private data the US government keeps in its databases and the number of government and law enforcement agencies who would house that data,” Evan Greer from Fight for the Future told The Guardian.

They Need to Gain Basic Cybersecurity Awareness

On top of all this, anyone running for office in 2016, or working as an official (or really anyone, period) needs a basic grasp of good privacy and security practices. In February, Jeb Bush dumped a huge cache of his governmental emails onto the web in the name of transparency. What his office forgot to do, however, was redact the personal information of anyone included within that dump—such as the social security numbers of some Florida residents. And as an investigation into Hilary Clinton's private email server gets underway, it's worth remembering that although the server might have been a secret to the public, it's unlikely that it would have been hidden from any sort of state-level adversary, possibly putting any classified information inadvertently routed through it at risk.

If more politicians are going to tackle issues of cybersecurity, making sure that they have even the most basic awareness of the dangers of mishandling information would be a solid start.