A long-standing inside joke in the security community is to tweet "drink" when the word "cybersecurity" is uttered by the President at the State of the Union Address or by candidates during a Presidential debate. During Monday's televised debate between Presidential candidates Hillary Clinton and Donald Trump, there were plenty of opportunities to imbibe (um, tweet).
The very first question about the nation's security was about hacking. Debate moderator and NBC news anchorman Lester Holt posed the question to the candidates at the top of the third and final section of the debate, Securing America:
"We want to start with a twenty-first century war happening every day in this country. Our institutions are under cyberattack, and our secrets are being stolen. So my question is, who's behind it? And how do we fight it?" Holt asked.
Both Clinton and Trump stressed the importance of cybersecurity for the next administration. "Well I think cybersecurity … cyberwarfare, will be one of the biggest challenges to the next President because clearly we're facing at this point two different kinds of adversaries," nation-state actors and cybercriminals, Clinton said.
Clinton also called out Russia's recent hacking activity. "There's no doubt now that Russia has used cyberattacks against all kinds of organizations in our country and I am deeply concerned about this."
The US needs to "make it very clear" to nations who engage in cyberattacks against the US that "the US has much greater capacity and we are not going to sit idly by and permit state actors to go after our information: our private-sector information or our public sector information," she said. "And we're going to have to make it clear that we don't want to use the kinds of tools that we have. We don't want to engage in a different kind of warfare. But we will defend the citizens of this country, and the Russians need to understand that."
Cracking down on hackers was also Trump's sentiment. "We have to get very tough on cyber and cyberwarfare. It is a huge problem," Trump said. "The security aspect of cyber is very, very tough and maybe it's … it's hardly doable."
But Trump disputed the conclusion that the recent cyberattack on the DNC and others came via Russia. "I don't think that anybody knows it was Russia that broke into the DNC ... It could also be China or it could also be lots of other people, or somebody sitting on their bed who weighs 400 pounds."
Both candidates to date have had some very public cybersecurity woes of their own: Trump with his Trump International Hotels data breach, and Clinton with the Democratic National Committee (DNC) breach and data dump that appeared to show favoritism of Clinton over Bernie Sanders as its candidate, as well as her use of a personal email server instead of the US Department of State's official email system.
Security experts say while cybersecurity got some time in the limelight in the debate, the candidates were slim on their policy details. "It was encouraging in terms of their discussing national security and that cybersecurity is at the forefront of those kinds of issues. Both … singled this out as a very strong priority of theirs," says Rob Sadowski, director of marketing and technology solutions at RSA. "However, when they started to get down into details, I don't think we saw any concrete indications of actions or recommendations on how they would handle this complex and nuanced issue."
Still missing from the political conversation is a set of norms for cyber activity, he says. "We're already seeing nation-states or quasi nation-states or state-sponsored groups testing the limits on norms of behavior and potential policies out there. "It's very important for any of these candidates to set out 'What are the norms of behavior? What should we expect? What should the appropriate responses be?'" to activity by nation-states that violate those norms, he says.
Security expert Wesley McGrew, director of cyber operations at Horne Cyber, was disappointed that the candidates focused more on cyber espionage and nation-state activity rather than cybersecurity overall.
"Ultimately, what’s missing from the discussion is what will be done for non-government-affiliated businesses. Unless serious and widespread economic damage is caused by an attack, cyber security will remain focused on espionage and state-on-state attacks in the eyes of the executive branch," McGrew wrote in a blog post today. "This may seem reactionary, but until such a serious event occurs, there simply isn’t a dramatic enough and widely recognized incident (like 'Russians hack the DNC!') to rally interest in a campaign season defined by bombastic statements and positions."
Still, in many cases the lines are blurring between cybercrime and cyber espionage, notes RSA's Sadowski. "Where do you draw the line between" cyber espionage, cybercrime, and hacktivists, he says. "Nation-state attacks … are not just limited to the government or private industry. They are into the public sector" as well, he says.
That in turn clouds the issue of what responsibility if any the government will take to help protect the private sector from cyberattacks, he says.
The hope is that the candidates will drill down on their policy details in one of the next two debates – security defense, offense, and everything in between.
"In the next debate, both candidates need to expand on their policies for mitigating cybersecurity threats that affect governments and private businesses (a conversation worth more than the five minutes granted by this debate)," says Tony Gauda, CEO of ThinAir. "Our generation's battlefront will be digital, and we must make sure the right tools are being deployed to prevent sensitive documents from being leaked and used against American interests.”