Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/27/2016
05:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Clinton, Trump Debate 'Twenty-First Century War' Of Cyberattacks

Lester Holt led with topic of cybersecurity as the first question on national security in Monday's Presidential debate.

A long-standing inside joke in the security community is to tweet "drink" when the word "cybersecurity" is uttered by the President at the State of the Union Address or by candidates during a Presidential debate. During Monday's televised debate between Presidential candidates Hillary Clinton and Donald Trump, there were plenty of opportunities to imbibe (um, tweet).

The very first question about the nation's security was about hacking. Debate moderator and NBC news anchorman Lester Holt posed the question to the candidates at the top of the third and final section of the debate, Securing America:

"We want to start with a twenty-first century war happening every day in this country. Our institutions are under cyberattack, and our secrets are being stolen. So my question is, who's behind it? And how do we fight it?" Holt asked.

Both Clinton and Trump stressed the importance of cybersecurity for the next administration. "Well I think cybersecurity … cyberwarfare, will be one of the biggest challenges to the next President because clearly we're facing at this point two different kinds of adversaries," nation-state actors and cybercriminals, Clinton said.

Clinton also called out Russia's recent hacking activity. "There's no doubt now that Russia has used cyberattacks against all kinds of organizations in our country and I am deeply concerned about this."

The US needs to "make it very clear" to nations who engage in cyberattacks against the US that "the US has much greater capacity and we are not going to sit idly by and permit state actors to go after our information: our private-sector information or our public sector information," she said. "And we're going to have to make it clear that we don't want to use the kinds of tools that we have. We don't want to engage in a different kind of warfare. But we will defend the citizens of this country, and the Russians need to understand that."

Hillary Clinton
Credit: Joseph Sohm
Credit: Joseph Sohm

Cracking down on hackers was also Trump's sentiment. "We have to get very tough on cyber and cyberwarfare. It is a huge problem," Trump said. "The security aspect of cyber is very, very tough and maybe it's … it's hardly doable."

But Trump disputed the conclusion that the recent cyberattack on the DNC and others came via Russia. "I don't think that anybody knows it was Russia that broke into the DNC ... It could also be China or it could also be lots of other people, or somebody sitting on their bed who weighs 400 pounds."

Both candidates to date have had some very public cybersecurity woes of their own: Trump with his Trump International Hotels data breach, and Clinton with the Democratic National Committee (DNC) breach and data dump that appeared to show favoritism of Clinton over Bernie Sanders as its candidate, as well as her use of a personal email server instead of the US Department of State's official email system.

Security experts say while cybersecurity got some time in the limelight in the debate, the candidates were slim on their policy details. "It was encouraging in terms of their discussing national security and that cybersecurity is at the forefront of those kinds of issues. Both … singled this out as a very strong priority of theirs," says Rob Sadowski, director of marketing and technology solutions at RSA. "However, when they started to get down into details, I don't think we saw any concrete indications of actions or recommendations on how they would handle this complex and nuanced issue."

Donald Trump
Credit: Albert H. Teich
Credit: Albert H. Teich

Still missing from the political conversation is a set of norms for cyber activity, he says. "We're already seeing nation-states or quasi nation-states or state-sponsored groups testing the limits on norms of behavior and potential policies out there. "It's very important for any of these candidates to set out 'What are the norms of behavior? What should we expect? What should the appropriate responses be?'" to activity by nation-states that violate those norms, he says.

Security expert Wesley McGrew, director of cyber operations at Horne Cyber, was disappointed that the candidates focused more on cyber espionage and nation-state activity rather than cybersecurity overall.

"Ultimately, what’s missing from the discussion is what will be done for non-government-affiliated businesses. Unless serious and widespread economic damage is caused by an attack, cyber security will remain focused on espionage and state-on-state attacks in the eyes of the executive branch," McGrew wrote in a blog post today. "This may seem reactionary, but until such a serious event occurs, there simply isn’t a dramatic enough and widely recognized incident (like 'Russians hack the DNC!') to rally interest in a campaign season defined by bombastic statements and positions."

Still, in many cases the lines are blurring between cybercrime and cyber espionage, notes RSA's Sadowski. "Where do you draw the line between" cyber espionage, cybercrime, and hacktivists, he says. "Nation-state attacks … are not just limited to the government or private industry. They are into the public sector" as well, he says.

That in turn clouds the issue of what responsibility if any the government will take to help protect the private sector from cyberattacks, he says.

The hope is that the candidates will drill down on their policy details in one of the next two debates – security defense, offense, and everything in between.

"In the next debate, both candidates need to expand on their policies for mitigating cybersecurity threats that affect governments and private businesses (a conversation worth more than the five minutes granted by this debate)," says Tony Gauda, CEO of ThinAir. "Our generation's battlefront will be digital, and we must make sure the right tools are being deployed to prevent sensitive documents from being leaked and used against American interests.”

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ted90
0%
100%
ted90,
User Rank: Guru
9/29/2016 | 12:59:38 PM
192.168.1.1
I was looking for this information, good job guys, thanks for the post!
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
9/28/2016 | 11:36:07 AM
Caution
I disagree with McGrew's sentiments.  Short of legislating adoption of widely accepted, strong security standards (e.g., PCI-DSS, which Nevada already mandates), I want less government control/regulation related to private-sector cybersecurity -- not more.  I have difficulty fathoming anything the federal government can do regulatory-wise or law-wise that will make things better (and most things I can imagine would make things worse).  This kind of thinking is what gave us CISA, after all.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14905
PUBLISHED: 2020-03-31
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS co...
CVE-2020-11441
PUBLISHED: 2020-03-31
phpMyAdmin 5.0.2 allows CRLF injection, as demonstrated by %0D%0Astring%0D%0A inputs to login form fields causing CRLF sequences to be reflected on an error page.
CVE-2020-1712
PUBLISHED: 2020-03-31
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sen...
CVE-2019-10180
PUBLISHED: 2020-03-31
A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could...
CVE-2019-14880
PUBLISHED: 2020-03-31
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.