This week, the Republican Party meets to nominate the Republican candidate for president. The Democrat Party, similarly, will meet at the end of this month to do the same for the Democrat candidate. Given the unique tenor of this presidential campaign, there may yet be surprises for the candidates, but each party has already drafted their platforms.
A political platform is a summary of policies that define the priorities for the party, should they achieve power. While the outsiders (Mr. Trump and Sen. Sanders) in this campaign have driven changes to both parties’ platforms, such as a more cautious approach to free trade, the platforms are largely creations of political insiders – the much maligned “establishment.”
Interestingly, both parties’ platforms address the threat of cyber security this year. The Democrats devote a paragraph in their typical terse style stating, “Democrats will protect our industry, infrastructure, and government from cyberattacks. We will strengthen our cybersecurity, seek to establish global norms in cyberspace, and impose consequences on those who violate the rules.”
The Republicans are a bit more loquacious, offering three paragraphs under the heading of “A Twenty-First Century Threat: The Cybersecurity Danger.” Much of the commentary focuses on criticism of the current administration, but there is agreement with the Democrats on a need to deter adversaries who participate in “cyber-related aggression.”
Both admit that the US government can and should be doing more to reduce the burden of securing digital business. Perhaps the next president, regardless of which party wins, can find a way to make progress on these wish list items.
Get better at deterring cyber crime
Reducing the impact of cyber crime includes deterring individuals from pursuing it. Because cyber crime can be perpetrated across borders, prosecution is subject to jurisdictional issues even in the best circumstances and safe havens have erupted to protect the guilty.
Yet, there must be greater prosecutorial success for deterrence to take effect. The president and State Department can drive greater cooperation with allies, encourage faster adoption of laws that keep pace with threats (in all jurisdictions) and strengthen extradition agreements for cyber crime. This will require a willingness to leverage trade deals, foreign aid or other incentives and penalties creatively. The impact of cyber crime is a tax on corporations that creates a drain on the economy, justifying the greater use of leverage.
Exact a price for state-sponsored cyber crime
We know that state actors are targeting government data as a form of espionage. Whether it’s personnel records at the Office of Personnel Management, the designs for the latest stealth fighter, or attacks on power grids, state-sponsored attacks are growing. And state-sponsored attacks against businesses, such as Anthem or Sony Pictures, are also on the rise. The question then arises, what is the appropriate response to what is effectively a cyber act of war?
The Cold War was fought in part through espionage that had its own set of rules. In this new cyber cold war, a similar development of rules appears to be in progress. These rules need refinement, as there are challenging questions to be addressed.
For example, should the US government or even businesses get involved in retaliation (hacking back) against sovereign states? What is the potential of escalation into an actual shooting war?
There is an international framework, developed in 2011, called the “International Strategy for Cyberspace” that affirms that existing international law applies to states as it relates to their conduct in cyberspace. But when these laws are transgressed, it is dependent on other nations to hold the transgressor accountable. The standards for consequences remain nebulous.
Reduce barriers that prevent or deter sharing cyber threat information
This is a specific part of the Republican platform, stated as, “We believe that companies should be free from legal and regulatory barriers that prevent or deter them from voluntarily sharing cyberthreat information with their government partners.” It begs the question, though, what are those barriers?
The Cybersecurity Information Sharing Act of 2015 (CISA), which was enacted on December 18, 2015, creates a voluntary process that encourages public and private sector entities to share cyber information without the threat of litigation while protecting privacy. It is a good step in this direction, but according to the law firm of White and Case, there are issues that remain.
While sharing information under CISA offers attractive protection from liability, it may also expose a company to identification of vulnerabilities that could be used by an attacker. It also might be used by a regulator as evidence that the company should have known how to prevent the attack.
We’ve come a long way in gaining the attention that cyber security deserves, but it remains an imperfect science and will be for the foreseeable future.
The political parties at least are paying lip service to the issue in their platforms. What would your wish list for them include? Let us know in the comments.
Related: The “Executive” IT Security Problem – Lessons Learned from Hillary Clinton