Operations
9/27/2016
05:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Clinton, Trump Debate 'Twenty-First Century War' Of Cyberattacks

Lester Holt led with topic of cybersecurity as the first question on national security in Monday's Presidential debate.

A long-standing inside joke in the security community is to tweet "drink" when the word "cybersecurity" is uttered by the President at the State of the Union Address or by candidates during a Presidential debate. During Monday's televised debate between Presidential candidates Hillary Clinton and Donald Trump, there were plenty of opportunities to imbibe (um, tweet).

The very first question about the nation's security was about hacking. Debate moderator and NBC news anchorman Lester Holt posed the question to the candidates at the top of the third and final section of the debate, Securing America:

"We want to start with a twenty-first century war happening every day in this country. Our institutions are under cyberattack, and our secrets are being stolen. So my question is, who's behind it? And how do we fight it?" Holt asked.

Both Clinton and Trump stressed the importance of cybersecurity for the next administration. "Well I think cybersecurity … cyberwarfare, will be one of the biggest challenges to the next President because clearly we're facing at this point two different kinds of adversaries," nation-state actors and cybercriminals, Clinton said.

Clinton also called out Russia's recent hacking activity. "There's no doubt now that Russia has used cyberattacks against all kinds of organizations in our country and I am deeply concerned about this."

The US needs to "make it very clear" to nations who engage in cyberattacks against the US that "the US has much greater capacity and we are not going to sit idly by and permit state actors to go after our information: our private-sector information or our public sector information," she said. "And we're going to have to make it clear that we don't want to use the kinds of tools that we have. We don't want to engage in a different kind of warfare. But we will defend the citizens of this country, and the Russians need to understand that."

Hillary Clinton
Credit: Joseph Sohm
Credit: Joseph Sohm

Cracking down on hackers was also Trump's sentiment. "We have to get very tough on cyber and cyberwarfare. It is a huge problem," Trump said. "The security aspect of cyber is very, very tough and maybe it's … it's hardly doable."

But Trump disputed the conclusion that the recent cyberattack on the DNC and others came via Russia. "I don't think that anybody knows it was Russia that broke into the DNC ... It could also be China or it could also be lots of other people, or somebody sitting on their bed who weighs 400 pounds."

Both candidates to date have had some very public cybersecurity woes of their own: Trump with his Trump International Hotels data breach, and Clinton with the Democratic National Committee (DNC) breach and data dump that appeared to show favoritism of Clinton over Bernie Sanders as its candidate, as well as her use of a personal email server instead of the US Department of State's official email system.

Security experts say while cybersecurity got some time in the limelight in the debate, the candidates were slim on their policy details. "It was encouraging in terms of their discussing national security and that cybersecurity is at the forefront of those kinds of issues. Both … singled this out as a very strong priority of theirs," says Rob Sadowski, director of marketing and technology solutions at RSA. "However, when they started to get down into details, I don't think we saw any concrete indications of actions or recommendations on how they would handle this complex and nuanced issue."

Donald Trump
Credit: Albert H. Teich
Credit: Albert H. Teich

Still missing from the political conversation is a set of norms for cyber activity, he says. "We're already seeing nation-states or quasi nation-states or state-sponsored groups testing the limits on norms of behavior and potential policies out there. "It's very important for any of these candidates to set out 'What are the norms of behavior? What should we expect? What should the appropriate responses be?'" to activity by nation-states that violate those norms, he says.

Security expert Wesley McGrew, director of cyber operations at Horne Cyber, was disappointed that the candidates focused more on cyber espionage and nation-state activity rather than cybersecurity overall.

"Ultimately, what’s missing from the discussion is what will be done for non-government-affiliated businesses. Unless serious and widespread economic damage is caused by an attack, cyber security will remain focused on espionage and state-on-state attacks in the eyes of the executive branch," McGrew wrote in a blog post today. "This may seem reactionary, but until such a serious event occurs, there simply isn’t a dramatic enough and widely recognized incident (like 'Russians hack the DNC!') to rally interest in a campaign season defined by bombastic statements and positions."

Still, in many cases the lines are blurring between cybercrime and cyber espionage, notes RSA's Sadowski. "Where do you draw the line between" cyber espionage, cybercrime, and hacktivists, he says. "Nation-state attacks … are not just limited to the government or private industry. They are into the public sector" as well, he says.

That in turn clouds the issue of what responsibility if any the government will take to help protect the private sector from cyberattacks, he says.

The hope is that the candidates will drill down on their policy details in one of the next two debates – security defense, offense, and everything in between.

"In the next debate, both candidates need to expand on their policies for mitigating cybersecurity threats that affect governments and private businesses (a conversation worth more than the five minutes granted by this debate)," says Tony Gauda, CEO of ThinAir. "Our generation's battlefront will be digital, and we must make sure the right tools are being deployed to prevent sensitive documents from being leaked and used against American interests.”

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ted90
0%
100%
ted90,
User Rank: Guru
9/29/2016 | 12:59:38 PM
192.168.1.1
I was looking for this information, good job guys, thanks for the post!
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
9/28/2016 | 11:36:07 AM
Caution
I disagree with McGrew's sentiments.  Short of legislating adoption of widely accepted, strong security standards (e.g., PCI-DSS, which Nevada already mandates), I want less government control/regulation related to private-sector cybersecurity -- not more.  I have difficulty fathoming anything the federal government can do regulatory-wise or law-wise that will make things better (and most things I can imagine would make things worse).  This kind of thinking is what gave us CISA, after all.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
The Dark Reading Security Spending Survey
The Dark Reading Security Spending Survey
Enterprises are spending an unprecedented amount of money on IT security where does it all go? In this survey, Dark Reading polled senior IT management on security budgets and spending plans, and their priorities for the coming year. Download the report and find out what they had to say.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.