Last night at Hofstra University, at the first of three scheduled presidential debates in 2016, Lester Holt introduced a segment of questions on “Securing America”. As an avid consumer of the news, I was determined to watch the entire debate, but this segment engaged my personal and professional interests. Holt went right to the point of cyber security, a “21st century war happening every day”, and I was eager for a glimpse at the candidates’ vision of how the nation can protect its own secrets, as well as the operations of businesses, over the next four years. In my analysis, regardless of what the nation decides on November 8th, the message to American business is the same: “You’re on your own”.
Clinton opened by describing two parts of the threat: cybercriminals and nation states. For both candidates, the focus for the remainder of the segment was on nation-state attacks. Right away, this sends a clear message to businesses: cyber security is primarily seen at the highest levels as a matter of diplomacy. Unless a significant economic event is caused by cybercriminals, government efforts are going to be focused on cyber espionage and potential attacks on critical infrastructure. While you may be surprised by what businesses will be targeted by nation states for economic espionage and pure cybercrime, by and large, the cavalry is not coming to your aid regardless of who attacks you.
Clinton went on to describe one of the few clear policy directions in cyber security of the night: matching offense with offense. With the statement “We need to make it very clear -- whether it’s Russia, China, Iran, or anybody else -- the United States has much greater capacity”, she is stating that the way to fight state actors is to develop and demonstrate the ability to attack and counterattack in a more effective and devastating way. This is deterrence, and it has some value. Most of you reading know that I favor offense-oriented techniques for security. What’s missing, however, is what will become the responsibility of individual businesses: monitoring and defense. While the government attempts to intimidate nation states in the game of espionage, you will be left on watch: protecting yourself from cybercriminals and others who realize the game is asymmetric.
Trump, in response to Clinton’s discussion of Russia, waded into the topic of attribution. He states that it could as easily have been China that was responsible for the DNC hack, or any number of other actors. In what is already becoming a very popular quote among information security professionals, Trump states that “It also could be somebody sitting on their bed that weighs 400 pounds, OK?”. Attribution is challenging, and very interesting to this field’s professionals. There’s very compelling evidence that the DNC attacker, “Guccifer 2.0”, is part of a Russian intelligence operation. None of that matters, however, when your organization is under attack. Your paramount concerns are detection, response, and business continuity. While some amount of threat intelligence is valuable, you may not be able to afford the limited satisfaction that attribution will bring you.
Trump also steered the conversation on cyber security in the direction of reputation and image. Often the target of an attack becomes a victim of damaging leaked information. In the case of the DNC hack, confidential emails about Bernie Sanders were leaked, resulting in them being pointed out by the Republican candidate in a debate watched by millions. The damage that an attacker can cause to an organization can sometimes be difficult to measure in financial loss or downtime. The remainder of the discussion on cyber security involved ISIS’ strengths in recruiting and spreading propaganda through social media. Terrorists, criminals, and nation states alike all recognize the value of public image and the damage that can be caused to it by compromising systems and data. Your organization not only has to protect its resources and operations: it has to save face.
Ultimately, what’s missing from the discussion is what will be done for non-government-affiliated businesses. Unless serious and widespread economic damage is caused by an attack, cyber security will remain focused on espionage and state-on-state attacks in the eyes of the executive branch. This may seem reactionary, but until such a serious event occurs, there simply isn’t a dramatic enough and widely recognized incident (like “Russians hack the DNC!”) to rally interest in a campaign season defined by bombastic statements and positions.
Even with an interest in business’ cyber security, the government can only accomplish so much without enacting regulations that would be derided as burdensome. So, for defense, you likely won’t have the support of the next four years’ government. What will you do, and who will you partner with to protect yourself, your clients, and your sensitive data?