A major attack on key information systems could create havoc throughout the United States and severely damage the ability of our government, economy and society to function properly. Yet, as voters around the country begin the process to elect the next president, cybersecurity as a campaign issue is virtually nonexistent.
See Also: Ransomware: The Look at Future Trends
"There really hasn't been much serious discussion of any issue, much less national security or foreign trade," James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, a Washington think tank. "Wait until the campaigns get hacked again, then they'll start paying attention."
"Wait until the campaigns get hacked again, then they'll start paying attention."
Cybersecurity isn't part of any of the candidates' stump speeches. Indeed, the topic doesn't seem to register much with the candidates. "Let's face it, candidates for president do not come from the ranks of technologists," says Surviving Cyber War author Richard Stiennon. "It may be another generation before a Bill Gates or Steve Jobs has a chance to apply their knowledge of the cyber world to govern."
It's the Economy, Stupid
The economy remains the dominant issue, and some IT experts say it's understandable why cybersecurity has been barely mentioned by the candidates. " I don't necessarily see this as an issue which will energize the base of either party," says Karen Evans, who served as the de facto federal chief information officer in the George W. Bush White House. "Right now, it is about the economy and jobs. And, trying to explain cybersecurity and how it relates to the economy and jobs has to fit on a bumper sticker."
Chris Buse, the Minnesota's state chief information security officer who has worked under Republican and Democratic governors, says others issues are more important to the electorate such as jobs and wars. "Rather than worry about whether presidents or candidates thump their chests with broad cyber pledges, I would rather spend my time watching how top cyber executives like (White House Cybersecurity Coordinator) Howard Schmidt are already working with other federal and state cybersecurity leaders to move us from a coordinated strategy down to real world activities that we can measure."
Jim Harper, director of information policy studies at The Cato Institute, a libertarian think tank, goes further, saying politicians are terribly unqualified to address cybersecurity so they shouldn't. "It's better that they remain silent rather than mislead and frighten the public," he says. "Our massive federal debt is a far greater threat to the well-being of the country, and U.S. militarism is a strategic error that produces more danger to the country than any of our cyber weaknesses."
No doubt, few if any of the candidates truly understand the mechanics needed to secure critical IT. Then again, how many of them understand the workings of nuclear armaments? Yet, we expect our presidents to articulate a nuclear arm's policy. The same can be said about cybersecurity, which the incumbent president - sounding authoritative - has declared a national security priority. Cybersecurity needn't be a dominant campaign issue, but it shouldn't be buried under rhetoric emanating from the current crop of candidates. Hearing what the candidates say about cybersecurity will help us vet what kind of leader we want to elect.
As to Harper's concern about frightening the public, so be it. Right or wrong, it wouldn't be the first time candidates use scare tactics to garner votes; it's as American as apple pie. And, cybersecurity experts through the media and rival candidates can point out the fallacies of spurious claims. It's how our democracy works.
Briefly Debated, Sort of
Cybersecurity, so far, has been raised only briefly during the campaign, most notably during two Republican debates held in November.
On Nov. 22, when a journalist asked the candidates to identify unexpected security threats of the future, former House Speaker Newt Gingrich and businessman Herman Cain responded cyberattacks. "That's something that we do not talk enough about, and I happen to believe that that is a national security area that we do need to be concerned about," said Cain, the then-candidate who holds a master of science degree in computer science from Purdue University and once served as a ballistics analyst for the Navy Department.
Texas Gov. Rick Perry responded China, but said somewhat convolutedly during the debate: "Communist China is destined for the ash heap of history because they are not a country of virtues. When you have 35,000 forced abortions a day in that country; when you have the cybersecurity that the PLA (Chinese army) has been involved with, those are great and major issues, both morally and security-wise that we've got to deal with now." Perry made a similar comment 10 days earlier at another debate, adding "fighting this cyberwar I would suggest is one of the great issues that will face the next president of the United States and we must win."
At that Nov. 12 debate, in discussing China, former Massachusetts Gov. Mitt Romney referred to hackers from China intruding government, military and corporate computer systems to steal secrets and intellectual property, suggesting as president he would stop that.
Cybersecurity hasn't gained any momentum on the hustings because it's an issue that hasn't stirred the emotions of the electorate. It also hasn't been a partisan issue. "Cybersecurity has been - and I hope continues to be - among the few issues on which there seems to be bipartisan support and a willingness to work across the aisle," says Franklin Reeder, founder of the Center for Internet Security, a group promoting online security standards, who spent 20 years in the White House Office of Management and Budget.
Articulating a Cybersecurity Policy
Will it remain a bipartisan issue? Not necessarily. Romney and Perry, on their campaigns' websites, outline how they'd approach cybersecurity if elected president (if the other candidates have cybersecurity policies on their sites, they weren't evident). And, their statements have overt, partisan tones.
At 200 words, Romney's approach (see page 38), was the more detailed: During his first 100 days in office, he pledged to order full interagency reviews to develop and deliver a unified strategy to bolster America's cybersecurity. Then, after outlining the devastation a cyberattack could cause, Romney's cybersecurity statement reads:
"President Obama has taken some positive steps to confront this problem, but he has not yet updated our national cybersecurity strategy, promulgated in 2003, an eternity ago in the rapidly evolving digital world. And his efforts so far have not adequately engaged our defense and intelligence resources."
Perry's cyber policy statement says cyberattacks can be as damaging as physical attacks: "The Obama administration has failed to implement a coherent approach to cybersecurity, and the existing and pending defense cuts threaten any future capability. ... We must have both defensive and offensive coordinated cyber capabilities so the Chinese, as well as others, know there will be repercussions if they continue this aggression." Perry promises to secure all of our borders, including our cyber borders.
Many in the Obama camp would argue the administration has done much more to enhance cybersecurity than these two GOP rivals give him credit. The administration has announced many IT security initiatives since the president outlined his cyberspace policy in May 2009, which followed a review much like the one Romney promises to conduct if he's elected.
The president's campaign site does not provide any detailed policy regarding cybersecurity, though Obama's IT security record - at least from his perspective - is well documented on an official White House website.
Has Obama done enough to secure the government's and nation's critical IT infrastructure? That's up for debate and should be debated during the campaign. It's too important of an issue to ignore.