Christopher W. Folk
This is to attempt to glean through both their words and actions what the principle candidates’ positions are on cyber security. Excluded here are any specific remarks that either candidate may have directed at the other candidate’s cyber security posture.
Hillary Clinton – The Democratic Nominee
Clinton has served in various political (appointed and elected) positions, and thus there is not only rhetoric but also a track record from her time in public service.
Cybersecurity
Clinton appears to be largely in favor of the policies begun under President Obama — namely promoting multi-factor authentication (MFA), credit card transaction security, and the creation of a Federal Chief Information Security Officer (a post created by Obama with the first appointment going to Brig. Gen (Ret.) Gregory Touhill, as announced on Sept. 8, 2016).[1]
Clinton made remarks in February acknowledging the threat posed by nation-states while also recognizing that rogue hackers potentially represent even greater threats.[2] This is significant in that it implicitly invokes the issues of asymmetry wherein one side has a much greater stake in the game. Consider, for instance, the dichotomy between life in the U.S. and a group of hackers using a satellite uplink, a generator and a room full of computer equipment in a remote, desolate location. In the US, any number of critical infrastructure components could be disrupted through a cyberattack with significant impacts. In contrast, levying a similar attack or even moving to conventional weapons would have a far lesser impact on those in the remote scenario.[3]
In the first presidential debate, the candidates were asked about recent cyber-attacks and Clinton responded by essentially re-iterating her remarks listed above — namely, that cyber security and cyber warfare are going to be some of the biggest challenges facing the next president and that they involve both independent groups as well as state-actors. Clinton said we will need to send a strong message but failed to elaborate on exactly what that message might be.[4]
Encryption
As far back as 2010, Sec. Clinton made remarks on internet freedom in which she espoused technology and its ability to provide communication outlets for oppressed people living under the thumb of authoritarian regimes while at the same time allowing terrorist groups to communicate in a free and unfettered manner, leveraging these same technologies.[5] Clinton went on to say that new technologies should not be used to punish peaceful political speech or religious minorities; although those that use technology to recruit terrorists or distribute misappropriated intellectual property should be policed.[6] The problem then becomes one of the “how,” as in how does one effectively differentiate between these two categories of uses without reviewing the actual content of messages? Is she advocating deep packet inspection of all Internet traffic to see whether the packets carry data to peaceful political activists or to terrorists? Clinton indicates that we need to attack criminal hacker and organized crime syndicates through international cooperation to aid in the prosecution of offenses.
Clinton shared the example of a program in Mexico developed to curb drug violence that allowed people to provide untraceable reports in order to avoid retribution. This is the closest reference we found to “encryption or obfuscation” in these remarks, but it seems that both would be needed in order to implement such a system. Similarly, Clinton indicated that in Pakistan, the “Our Voice” social mobile network was developed to allow Pakistanis to communicate outside the reach of violent extremism. [7]
Again, she made no actual mention of encryption nor the caveat that there are necessary trade-offs. If you develop obfuscated and encrypted communication channels you cannot control the users of these systems. So just as a Pakistani could communicate using “Our Voice” for political dissent or religious freedom, so too could they (and anyone else) communicate via this masked medium to plot terrorist activity or any criminal enterprise for that matter.
Clinton further discusses censorship and our deeply held belief that censorship is a bad thing.[8] Here too, one must recognize that censorship is content based and thus to decry censorship one must come to the conclusion that encryption is a technology that can defeat content-based restrictions by rendering the content indecipherable through the use of encryption technologies. Again, the flip side is that that if you cannot examine content then you cannot distinguish between higher-purpose communications (political discussions, the marketplace of ideas) and those of people who wish to do us or others harm (e.g. terrorism-related content).
Clinton then discusses the difficulty in balancing anonymity when used for “good” and anonymity when used for purposes such as intellectual property theft. Clinton says this is difficult and will need to be solved with the guidance of technology experts. We agree, this is a difficult and thorny issue.
Analysis — Clinton:
Much of Clinton’s remarks are consistent over the years, as she has long touted the need to spread internet access as a basic human right and has also stated that technology offers a voice and a medium for political discourse and a way for the oppressed to be given an anonymous and uncensored platform for their dissent. This, however, is contrasted with various activities undertaken while Clinton served as Secretary of State, such as the use of a personal e-mail server through which government e-mails were routed, and the use of a personal blackberry. It is interesting that Clinton made remarks back in 2010 concerning the “Our Voice” social mobile network in Pakistan and Mexico’s technology program to protect the identity of informants and yet even with this apparent knowledge of censorship, attribution, and retribution Clinton failed to employ any of the technology she hopes to expand under her administration. In her own administration at the Department of State, she did not use encryption, multi-factor authentication and the use of technology experts to tackle our cyber problems. Consequently, irrespective of where one falls with regard to the culpability of an official routing classified materials through unsecured off-site, personal servers, surely one can agree that engaging in activities of this sort indicates a general failure to take cybersecurity seriously. However, it should be noted that having endured this and the aftermath, it is quite likely that Clinton is now far more aware of the need for a strong cybersecurity posture than she was prior to this.
Overall, Clinton’s approach seems like a continuation of the Obama approach: engage in talks with Nation-states (such as China), acknowledge the issues we face, and talk at a very high level about changing our approach and being safer and stronger in the cybersecurity realm. While we have had some successes — some public, some not — overall we face increasing challenges in cybersecurity. We have seen some very high-profile data exfiltrations and hacks across the private as well as public sectors. It seems clear that rhetoric is not solving this particular problem.
Donald Trump – The Republican Nominee
Donald Trump’s position on cyber security was relatively unknown, though this seems to have been fleshed out somewhat and specifically in remarks that Mr. Trump made on Monday, Oct. 3, 2016, in speaking with the Retired American Warriors PAC in Herndon, VA.[9]
Cybersecurity
Trump indicated that cyber security is one of the most important aspects of America’s national security framework and that cyber needs to be a top priority for the government and private sector. Trump equated cyber theft with the rise of the mafia and our success in controlling their advances and mitigating their reach through a joint coordinated effort between the Department of Justice, the DEA, the FBI, as well as state and local police and prosecutors. Trump indicated that as President he would charge the DOJ with creating a joint task force to work domestically and in partnership with international forces to thwart cyber crime.
Additionally, Trump indicated he will task the Secretary of Defense and Joint Chiefs with the development of recommendations for making Cyber Command (CYBERCOM) stronger and more relevant to increase its offensive and defensive capabilities. Specifically, Trump indicated he would like CYBERCOM to develop the ability to launch “crippling cyber counter attacks. And I mean crippling, crippling.”[10] Previously, in the first debate, when Trump was asked about cyber security he indicated that we should do better than anybody else. We have to be tough on cyber and cyberwarfare, even though the security aspect of cyber is very difficult.[11] Some good observations but a little light on substance.
Trump indicated that US cyber security issues/areas include the following:
- Government
- Business
- Trade secrets
- Citizen’s sensitive information
- Attacks such as JPMorgan Chase, eBay, and Target
- Trump alluded to the OPM hack and the extensive data that was contained within the SF-86 forms
- Trump equated data related to FBI background checks that was exfiltrated during this attack is a veritable “treasure trove” of information
- Also indicating that this data can serve as the basis for blackmail and “other reasons by the enemy”
- Identity theft
- Financial laundering
- Ransom and ransomware
While not directly mentioning the ongoing issue with attribution, Trump did say that the US must develop the ability to track down and incapacitate those responsible for cyberattacks.[12] Trump further stated that a team should be created that includes the best civilian, military and private cyber security experts to review our cyber security systems and technologies. Said team would begin with the most sensitive systems, eventually analyzing as much as possible and then securing all of these systems. This review, assessment, and hardening would include internal monitoring, attack and penetration testing, investigations into suspected hacks or rogue employees, and identity protection services for government employees. Part of this will be accomplished by developing continuing education and training programs so that cyber security experts stay up to date and users also remain abreast of the latest developments.
Encryption
It seems there is very little to go on here, save some remarks that Trump made back when the FBI was trying to get Apple’s assistance in unlocking an iPhone used by the San Bernardino terrorists (see the embedded video above). Trump said that Apple should be boycotted until they decrypt it or help the Feds.
It seems somewhat paradoxical that the self-proclaimed quintessential “businessman” would openly call for a boycott of a bellwether U.S. technology company; That, however, is a topic better suited to a different style of blog. From a strictly legal standpoint, using something such as the all-writs-act to compel Apple to render assistance would likely have a greater Constitutional and statutory basis and may have been a more appropriate path to take versus advocating a boycott of a private U.S. company.
Analysis — Trump:
Trump mentioned a number of issues directly and alluded to several more. One of the key aspects of cyber security defense and counter cyber-operations is the ability to tackle the attribution problem. The ability to definitively identify the source and identity of a cyber attack is of paramount importance and is much more difficult than in traditional warfare. The ability to leverage encrypted tunnels and IP spoofing and masking (amongst other means) allows state and non-state actors to obfuscate their source addresses thereby making it extremely difficult to ascertain exactly “who” is behind any given attack. Furthermore, in the world of cyber, even if signatures and styles give clues as to the “who”, it may not allow you to pinpoint the geographic location of the attacker(s). Merely being able to say that “we believe this attack may have originated from China” is insufficient to then state that something was a state action versus a non-state action and to further isolate the attack to a specific region, let alone a specific office, home, or government building.
Attribution then is one of the greatest issues we face in the realm of cyber, if you cannot identify the source of an attack, then having extensive offensive capabilities is of no consequence. Once you couple the issues of attribution with the asymmetric world in which we live, the problem intensifies. Even if you do solve the attribution enigma you are still faced with the prospect that offensive cyber or conventional weapons have little to no deterrent effect based on the source of many of the “rogue” attacks. Of even greater significance may be the ability of developing nation-states to rely on multi-pronged attacks wherein the first wave consists of a debilitating cyber-attack followed by conventional warfare. Imagine if China, Russia, North Korea, or Iran were to launch a cyberattack against our critical infrastructure, and in the days and weeks following that launched more conventional forms of warfare. We would likely be ill-equipped to deal with a crippled infrastructure and a conventional battle simultaneously.[13]
Here too, it seems there are a lot of comments and ideas at a very high level with no real form nor substance. Building greater offensive cyber capabilities is wonderful but that does not help deterrence when facing the issues of asymmetrical cyber warfare. It would be nice to see a solid plan that includes understanding the limitations of technology and realizing that attacks ranging from ransomware to malware, to spoofing, all too often turn on the human element. Thus, until we engender better knowledge transfer we are going to continue to fall victim to attacks, some of which are technologically sophisticated and some of which rely almost solely on social engineering.
Overall
It is difficult to reconcile the two candidates. One speaks of lofty ideals in the realm of cyber and public discourse while acknowledging the fact that some technology users are focused on nefarious activities. The other candidate talks about striking back and getting tough on cyber, without ever developing a process through which malfeasors can be properly identified.
Neither candidate talks candidly about the hundreds of thousands of unfilled cyber security jobs and a clear plan to invest in and push cyber education in the K-12 framework (although Clinton has indicated that STEM programs should be bolstered and that every child should be given the opportunity to complete coursework in computer science – but not specific to Cyber security).[14] Each candidate has some talking points on cyber security, but, as is often the case with high-level politics, there is little actual substance.
From the one candidate’s perspective, it would be difficult during the campaign to outline tangible cyber security activities since anything proposed is likely to be contrasted with practices which were actually employed while in public service. Meanwhile, the other candidate has little incentive to do a deep dive, because cyber security is so poorly understood that it lacks mass appeal beyond merely uttering the words “cyber security.”
Consequently, the salient points seem to be that we have an unknown unknown and a known unknown. Trump’s actual cyber security practices, as well as any that he might implement if elected, are nebulous at best. We know neither what he has done, or what he will do, and have very little in terms of concrete proposals. Clinton’s track record on cyber security has received significant attention; what is unclear is what, if any lessons were learned from that and which would be applied towards a national directive on cyber security were she to be elected.
Ultimately, one need only skim the myriad news articles over the past several months to conclude that we face a pervasive cyber security issue. As we move to the Internet of Things (IoT), and technology permeates every aspect of our lives, the asymmetrical issues increase exponentially. We are becoming increasingly dependent upon technology for every facet of our daily lives. We often consider the implications of losing the grid, or loss of internet connectivity. Imagine if we were merely to lose the ability to use GPS location data. How many millennials are unable to navigate using actual maps, or merely by ascertaining their positional data through geographic features and landmarks? The more dependent we become on technology, the easier it becomes to launch a crippling attack from which many of us lack the skills and wherewithal to persevere. We should introduce basic cyberhygiene practices in the K-12 system and simultaneously teach traditional skills (something as innocuous as being able to locate true North could prove useful). This might also have the advantage of showing people that as convenient as technology makes our everyday lives, it is possible to exist in the absence of it. Perhaps a more holistic approach to life will help people to consider their digital footprints and the reasons and rationale for safeguarding their personal data — a small step, but a step nonetheless in the right direction. After that, we can work on cyber weapons so we can launch crippling cyber attacks.[15] We also believe that encryption should not be viewed in a binary fashion as either good or evil. If one views privacy as a fundamental right, then it seems mutually exclusive to indicate that you are in favor of the Constitution and also in favor of encryption back-doors or law enforcement workarounds. As we shift into a more tech-focused world we seem to be moving away from conventional intelligence gathering and investigative tools. Once we allow a government intrusion into our data via weak or “master-key” encryption we negate the safeguards put in place to protect us from the very authoritarian regime from which the revolutionaries broke. In a digital world, we depend on encryption to ensure our most basic functions, and providing a mechanism through which law enforcement can crack our encryption moves us closer and closer to the type of state that from which our founder’s sought to distance themselves. Bad people will use good to further their goals, that is an axiom as old as humankind itself. We cannot abdicate our personal liberties and our rights to privacy, for in so doing we may prevent some attacks but we will have already lost the war.
[1] Thorin Klosowski, Hillary Clinton and Donald Trump’s Cybersecurity Platforms, Compared LifeHacker (Aug. 4, 2016), http://lifehacker.com/hillary-clinton-and-donald-trumps-cybersecurity-platfor-1784790979.
[2] Katie Bo Williams, Clinton: Cybersecurity will be challenge for next president TheHill (Feb. 3, 2016), http://thehill.com/policy/cybersecurity/268121-clinton-cybersecurity-one-of-the-most-important-challenges-for-next.
[3] Richard A. Clarke & Robert K. Knake, Cyber War: The Next Threat to National Security and What to do About it 226 (EPub Edition, March 2010).
[4] Chris O’Brien, Here’s what Trump and Clinton had to say about cybersecurity and cyberwarfare in the debate VentureBeat (Sep. 27, 2016), http://venturebeat.com/2016/09/27/heres-what-trump-and-clinton-had-to-say-about-cybersecurity-and-cyberwarfare-in-the-debate/.
[5] Hillary Rodham Clinton U.S. Sec’y of State, Remarks on Internet Freedom, http://www.state.gov/secretary/20092013clinton/rm/2010/01/135519.htm (Jan. 21, 2010).
[6] Id.
[7] Id.
[8] Clinton, Remarks on Internet Freedom.
[9] Daniel White, Read Donald Trump’s Remarks to a Veteran’s Group (Oct. 3, 2016) Time, http://time.com/4517279/trump-veterans-ptsd-transcript/.
[10] Id.
[11] O’Brien (Sep. 27, 2016).
[12] Id.
[13] See Christopher Folk Cyber Round Up: Iranian Cyberattack on NY Dam was “Shot Across the Bow” (Mar. 16, 2016) CyberSecurity Law and Policy http://blog.cybersecuritylaw.us/2016/03/16/cyber-round-up-iranian-cyberattack-on-ny-dam-was-shot-across-the-bow-possible-amex-data-breach-are-data-breaches-on-the-rise/.
[14] Hillary Clinton’s Initiative on Technology & Innovation (last accessed Wed., Oct., 5, 2016 at 10:08 P.M), https://www.hillaryclinton.com/briefing/factsheets/2016/06/28/hillary-clintons-initiative-on-technology-innovation-2/.
[15] Christopher W. Folk, Input to the Commission on Enhancing National Cybersecurity (Sep., 9, 2016) https://www.nist.gov/sites/default/files/documents/2016/09/15/c.folk_rfi_response.pdf (All levity aside, I actually responded with some comments on potential actions we might want to consider in the context of cybersecurity).
