Last night’s presidential debate between Democrat Hillary Clinton and Republican Donald Trump had a surplus of strange moments, but few could top a sequence about cybersecurity that pivoted on who’s to blame for recent hacks of Democratic National Committee servers.
Clinton led off with the obvious—“cyber warfare will be one of the biggest challenges facing the next president”—and noted the importance of distinguishing between commercial and state-sponsored or state-executed attacks. The former Secretary of State suggested that Russia deserved close scrutiny and should possibly face counterattacks: “The United States has much greater capacity, and we are not going to sit idly by.”
Trump, however, shrugged off the idea that Russia was behind the DNC hacks. “It could be Russia, but it could also be China. It could also be lots of other people,” he said. “It also could be somebody sitting on their bed that weighs 400 pounds, OK?”
Trump’s who-really-knows take on “the cyber” continued with his complimenting his 10-year-old son Barron for being “so good with these computers, it’s unbelievable” but but then suggesting that “the security aspect of cyber is very, very tough.”
Trump’s grasp of the material seemed a whole lot thinner than Clinton’s — he’s definitely not ready to start giving keynote speeches at cybersecurity conferences — but neither candidate provided much clarity about what they would do to strengthen America against online attacks. For that to happen, we’d need a debate on cybersecurity issues that had time to get into more than one of them. These topics would make for a good start:
Clinton’s campaign has stayed squishy on the subject of how much of a problem it is for hardware and software developers to build encryption into their products that can’t be unlocked without the help of the user. Her latest contribution to this debate was suggesting that we study the problem further. Trump, meanwhile, departed from his usual vagueness to denounce Apple for its effrontery in not helping the FBI unlock the iPhone of one of the San Bernardino shooters, saying “who do they think they are?”
Last month, a group of hackers began selling tools to attack routers from Cisco Systems, Juniper Networks and other vendors — tools that exploited vulnerabilities that the National Security Agency had apparently known for years without disclosing them to the companies affected. We’ve traditionally accepted that the NSA can hang onto “vulns” to launch surprise attacks against targets in other countries, but how long should it be able to hoard them without advising US firms to patch their systems?
When a company loses your data to hackers — be they Russian pros or kids in their parents’ basements — how soon should it have to tell you about the exposure? Right now, there’s no nationwide law requiring any such disclosure by a vendor, leaving companies to deal with a patchwork of state laws. Should there be one? How long should it give companies to fess up?
(Such a law might affect Yahoo Finance’s parent company, Yahoo, which recently admitted to the hack of “at least 500 million user accounts” by a “state-sponsored actor” in 2014.)
Oversight of critical infrastructure
How much should the government scrutinize the digital security measures of operators of such key facilities as power plants and airports? Congress passed a law last year that encouraged companies to share more information about risks and vulnerabilities with the government; how well is it working? Should the feds take a more assertive role in checking up on what private firms are doing to secure their infrastructure, a strategy other countries have already adopted?
Computer Fraud and Abuse Act reform
Security professionals almost uniformly hate the Computer Fraud and Abuse Act, a law dating to 1986 that makes it illegal to access computing systems without permission. That both invites abuse by companies looking to make a federal case out of somebody violating their terms of service and threatens helpful security research. But CFAA reform has spent years stalled in Congress — because, I guess, it requires taking the side of green-haired hackers against businessmen in suits and their lobbyists. Does either candidate think that’s worth fixing?
Cleaning up the government’s own house
The platforms for both the Democratic and Republican parties this year urged better cybersecurity in the public sector — and both correctly agreed on the urgency of securing voting machines. I’d also like to see the candidates discuss the steps the government should be taking to secure its own systems against outside intrusion. But, realistically, such a debate would almost instantly spin out into an argument over Clinton’s use of a private e-mail server as Secretary of State.
Maybe that argument would take a more productive turn if the candidates instead discussed how quickly Barron Trump could break into a State Department server?
More from Rob: