After the Wikileaks release of nearly 20,000 private emails gathered in a hack of the Democratic National Committee, new reports indicate the hack may have targeted and compromised even more people and organizations.
The FBI and the Justice Department are both investigating, but so far discussion has centered around identifying the culprits (some reports point to Russian-based hacking groups). What isn’t surfacing is why the attack worked and what our response should look like to discourage similar debacles in the future.
Given the impact of this attack, and the heat it’s generating, I expected to see meaningful strategies for cybersecurity issues in the Democratic and Republican party platforms.
Spoiler alert: There weren’t. Each platform has a section on cybersecurity, but neither will do anything to prevent future intrusions into our institutions and infrastructure.
The 2016 Democratic Party Platform Cyber Strategy (read the complete platform text here)
Long on confident aspirations, this platform asserts that the “Democrats will protect our industry, infrastructure, and government from cyberattacks. We will strengthen our cybersecurity, seek to establish global norms in cyberspace, and impose consequences on those who violate the rules.”
President Obama’s Cyberspace National Action Plan (CNAP) is mentioned, and there is a repeated statement that privacy will be guaranteed while public safety and law enforcement officials are empowered. The strategy ends with a promise to advance both national security and global competitive interests.
Aside from its debilitating vagary, my biggest objection to this strategy is that it completely ignores the known, existing, critical weakness of our Federal infrastructure. All the forward-looking stuff is great, but there is no urgency to fix what is known to be broken at a time when Democratic leaders are seeing their private messages on the nightly news. “Global norms” and “imposed consequences” are codewords for accepting the vulnerability of our systems.
I support the President’s CNAP goals, but they’ve had little effect. A recent survey of “Federal Cyber Executives” shows most executives believe the federal government cannot detect ongoing attacks, doesn’t know how it can be breached, and that the 2015 CyberSprint did not improve security. The plank ignores these existing weaknesses, leading me to believe the platform creators will not admit, or do not understand, the security holes that could permit a repeat break-in during this, or some future, election cycle.
The 2016 Republican Party Platform Cyber Strategy (read the complete platform text here)
If you thought there was going to be better news on the Republican side, I’ve got nothing for you. The Republican platform focuses on cyber warfare — “We must stop playing defense and go on offense to avoid the cyber-equivalent of Pearl Harbor” — and retaliation — “[Cyber attacks] will continue until the world understands that an attack will not be tolerated — that we are prepared to respond in kind and in greater magnitude.” According to the platform, responding isn’t even just a government responsibility — “… users have a self-defense right to deal with hackers as they see fit.” Yikes.
I was boggled by: “We must stop playing defense…” Does anyone think that the DNC or any of the widely publicized government breaches succeeded because they overcame excellent cyber defenses? The reams of stolen government data and published reports on our gaps scream the opposite: We must, in fact, start playing better defense.
Worse yet is the direction to respond in kind against presumed attackers. With experts like those at CrowdStrike pointing to Russian techniques and attackers, should the U.S. government take some reciprocal “action” against the Russian government? Of course not. Every technologist knows that specific and non-repudiable attribution is impossible because of anonymized ransomware, hacked third parties, and forged IDs. In those cases where location is known, terrorists and hacktivists are nearly indistinguishable actors from state-sponsored professionals.
Private companies are even less capable of managing this. The term “self-defense” is used, but the right to self-defense does not include retaliation. Self-defense ends once the attack is stopped, and cyber attacks are usually stopped as soon as they are seen. Corporate retaliation is a horrible idea for a number of reasons, from the low probability of success, to the cost, the likely liability, and others. Just a bad idea.
In Summary, and Instead
The outsized impact of cyber events this election season is raising awareness, and potentially support, for cybersecurity issues in party platforms.
A useful plank would consider the following points:
- We must understand our weaknesses at least as well as our enemies do.
- We must ensure that our national cyber infrastructure is at least as secure as the healthcare and financial services systems that depend on it.
- Any new project that connects to the national infrastructure must be required to attest to their protection of it.
- Any nation that wishes to freely connect to the US online must agree to a common definition of unacceptable and criminal behavior, else their connections will be limited.
These attacks will continue throughout our lives. Our major political parties need to tell voters what they are going to do about it.
Jack Danahy, CTO and co-founder of Barkly.
The views expressed by authors are their own and not the views of The Hill.