Operations
9/27/2016
05:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Clinton, Trump Debate 'Twenty-First Century War' Of Cyberattacks

Lester Holt led with topic of cybersecurity as the first question on national security in Monday's Presidential debate.

A long-standing inside joke in the security community is to tweet "drink" when the word "cybersecurity" is uttered by the President at the State of the Union Address or by candidates during a Presidential debate. During Monday's televised debate between Presidential candidates Hillary Clinton and Donald Trump, there were plenty of opportunities to imbibe (um, tweet).

The very first question about the nation's security was about hacking. Debate moderator and NBC news anchorman Lester Holt posed the question to the candidates at the top of the third and final section of the debate, Securing America:

"We want to start with a twenty-first century war happening every day in this country. Our institutions are under cyberattack, and our secrets are being stolen. So my question is, who's behind it? And how do we fight it?" Holt asked.

Both Clinton and Trump stressed the importance of cybersecurity for the next administration. "Well I think cybersecurity … cyberwarfare, will be one of the biggest challenges to the next President because clearly we're facing at this point two different kinds of adversaries," nation-state actors and cybercriminals, Clinton said.

Clinton also called out Russia's recent hacking activity. "There's no doubt now that Russia has used cyberattacks against all kinds of organizations in our country and I am deeply concerned about this."

The US needs to "make it very clear" to nations who engage in cyberattacks against the US that "the US has much greater capacity and we are not going to sit idly by and permit state actors to go after our information: our private-sector information or our public sector information," she said. "And we're going to have to make it clear that we don't want to use the kinds of tools that we have. We don't want to engage in a different kind of warfare. But we will defend the citizens of this country, and the Russians need to understand that."

Hillary Clinton
Credit: Joseph Sohm
Credit: Joseph Sohm

Cracking down on hackers was also Trump's sentiment. "We have to get very tough on cyber and cyberwarfare. It is a huge problem," Trump said. "The security aspect of cyber is very, very tough and maybe it's … it's hardly doable."

But Trump disputed the conclusion that the recent cyberattack on the DNC and others came via Russia. "I don't think that anybody knows it was Russia that broke into the DNC ... It could also be China or it could also be lots of other people, or somebody sitting on their bed who weighs 400 pounds."

Both candidates to date have had some very public cybersecurity woes of their own: Trump with his Trump International Hotels data breach, and Clinton with the Democratic National Committee (DNC) breach and data dump that appeared to show favoritism of Clinton over Bernie Sanders as its candidate, as well as her use of a personal email server instead of the US Department of State's official email system.

Security experts say while cybersecurity got some time in the limelight in the debate, the candidates were slim on their policy details. "It was encouraging in terms of their discussing national security and that cybersecurity is at the forefront of those kinds of issues. Both … singled this out as a very strong priority of theirs," says Rob Sadowski, director of marketing and technology solutions at RSA. "However, when they started to get down into details, I don't think we saw any concrete indications of actions or recommendations on how they would handle this complex and nuanced issue."

Donald Trump
Credit: Albert H. Teich
Credit: Albert H. Teich

Still missing from the political conversation is a set of norms for cyber activity, he says. "We're already seeing nation-states or quasi nation-states or state-sponsored groups testing the limits on norms of behavior and potential policies out there. "It's very important for any of these candidates to set out 'What are the norms of behavior? What should we expect? What should the appropriate responses be?'" to activity by nation-states that violate those norms, he says.

Security expert Wesley McGrew, director of cyber operations at Horne Cyber, was disappointed that the candidates focused more on cyber espionage and nation-state activity rather than cybersecurity overall.

"Ultimately, what’s missing from the discussion is what will be done for non-government-affiliated businesses. Unless serious and widespread economic damage is caused by an attack, cyber security will remain focused on espionage and state-on-state attacks in the eyes of the executive branch," McGrew wrote in a blog post today. "This may seem reactionary, but until such a serious event occurs, there simply isn’t a dramatic enough and widely recognized incident (like 'Russians hack the DNC!') to rally interest in a campaign season defined by bombastic statements and positions."

Still, in many cases the lines are blurring between cybercrime and cyber espionage, notes RSA's Sadowski. "Where do you draw the line between" cyber espionage, cybercrime, and hacktivists, he says. "Nation-state attacks … are not just limited to the government or private industry. They are into the public sector" as well, he says.

That in turn clouds the issue of what responsibility if any the government will take to help protect the private sector from cyberattacks, he says.

The hope is that the candidates will drill down on their policy details in one of the next two debates – security defense, offense, and everything in between.

"In the next debate, both candidates need to expand on their policies for mitigating cybersecurity threats that affect governments and private businesses (a conversation worth more than the five minutes granted by this debate)," says Tony Gauda, CEO of ThinAir. "Our generation's battlefront will be digital, and we must make sure the right tools are being deployed to prevent sensitive documents from being leaked and used against American interests.”

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ted90
0%
100%
ted90,
User Rank: Guru
9/29/2016 | 12:59:38 PM
192.168.1.1
I was looking for this information, good job guys, thanks for the post!
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
9/28/2016 | 11:36:07 AM
Caution
I disagree with McGrew's sentiments.  Short of legislating adoption of widely accepted, strong security standards (e.g., PCI-DSS, which Nevada already mandates), I want less government control/regulation related to private-sector cybersecurity -- not more.  I have difficulty fathoming anything the federal government can do regulatory-wise or law-wise that will make things better (and most things I can imagine would make things worse).  This kind of thinking is what gave us CISA, after all.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.