The Good, the Bad, and the Cyber
As what is sure to be one of the more contentious presidential elections in recent memory approaches, The Cyber has become one of the dominant talking points for both candidates. Unfortunately, neither candidate seems to have a clear understanding of the basics of information security or a concrete plan for how to address the many security issues facing both consumers and businesses in the United States.
The technical aspects of information security are really difficult. Really, really, difficult. Some of the more intelligent people in the tech industry have been trying to make hardware and software defensible for decades, with a lot of failures and some notable successes. For example, it’s entirely possible to have a secure, unhackable computer today. All you have to do is not download anything. Or connect it to the Internet. Or turn it on. Actually, just a pen and paper. Then burn your notes.
In any case, the current evidence that we have of the candidates’ technical understanding is, shall we say, not strong. Let’s start with Hillary Clinton: email server. Moving on to Donald Trump. In his case, we have an actual document written, ostensibly, by someone involved with the Trump campaign (although we can’t rule out sabotage, given the contents of the document). There are only four actual tenets in Trump’s proposed policy, and two of them are fairly innocuous, though poorly thought out.
First, Trump proposes a review of “all U.S. cyber defenses and vulnerabilities, including critical infrastructure, by a Cyber Review Team of individuals from the military, law enforcement, and the private sector.” Let’s say this review starts the day after the inauguration and runs around the clock. Given the size and complexity of the systems involved, the review should be about 17% complete by the next election.
Second, Trump would have the Department of Justice form a bunch of Joint Task Forces to “coordinate Federal, State, and local law enforcement responses to cyber threats.” This kind of coordination already exists and President Obama issued a Presidential Policy Directive in July that defines which agencies are responsible for which duties during incidents and investigations. The FBI, which is part of the DoJ, is the lead agency on investigations, and DHS and the intelligence community have well-defined roles, as well. So that’s sorted.
The third tenet in the document would require the Secretary of Defense and the Chairman of the Joint Chiefs of Staff “to provide recommendations for enhancing U.S. Cyber Command, with a focus on both offense and defense in the cyber domain.” This is not a terrible idea, but somewhat confusing. Cyber Command is both an offensive and defensive unit already, and is run by the director of the NSA, an agency that has had a dual offense-defense role for decades. There’s always room for improvement, so a review can’t hurt, but the wording in the plan seems to show a misunderstanding of what Cyber Command already does.
The remaining point in Trump’s plan is where the real problem lies, though. Here it is, in the campaign’s own words: “Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.”
Let’s start at the beginning. This sentence is predicated upon the idea that the U.S. needs to develop offensive cyber capabilities. As we’ve just established, the NSA possesses those capabilities and has for a very long time. It’s a fool’s errand to try and assess just how good any given nation’s offensive teams are, but an NFL-style power ranking would surely have the U.S. in the top two. And we have direct evidence of how good the NSA is at this task, in the form of Stuxnet, Flame, et al. And that’s just the NSA. So we’re covered on the offense thing.
The second part of the sentence is the most problematic, though. Trump is saying that the offensive capabilities he imagines we need to develop would have a deterrent effect on America’s adversaries. Mmmm, no. Nope. There is no evidence to suggest that deterrence exists in cyber attacks. The U.S. has demonstrated high-level offensive capabilities many times, and state-sponsored groups from other nations have continued to run rampant on American military, government, and private-sector networks. Foreign intelligence services are not cowering in a corner, paralyzed by the thought of retaliation. Far from it. And the cost of developing cyber weapons, however you want to define that term, is within reach of virtually any nation.
Whoever is in the White House in January will discover quickly that just throwing money and rhetoric at the problem won’t solve The Cyber. It requires careful thought and planning, not recycled thinking from the Cold War.