With the recent news regarding Yahoo’s massive data breach and the continuing posting of Clinton Foundation emails by Wikileaks, cybersecurity policy is beginning to get the discourse it is due. Secretary Clinton’s campaign was swift to publish a lengthy briefing on her cybersecurity policy agenda when she declared her candidacy. Much of it focuses on investment and development in science and technology. In a speech in August Clinton called for cyber-attacks to be treated as an assault on the country and should require “a serious political, economic and military response.” However, the plurality of Secretary Clinton cyber proposals would likely continue much of the Obama Administration’s own cybersecurity policy.
Mr. Trump had no cybersecurity platform available or had even discussed a policy platform until a recent speech to the Retired American Warriors PAC in Virginia in early October. Prior to the speech Trump had said little other than to admonish the failure of U.S. cybersecurity policy. In his speech, Mr. Trump outlined cybersecurity as “an immediate and top priority” for his administration and put forward his plan for strengthening American cybersecurity. At the core of Mr. Trump’s policy suggestions was a panel of “our best military, civilian and private sector cybersecurity experts.” This Cyber Review Team would undertake a “comprehensive review” of U.S. cybersecurity systems and technologies. Among its responsibilities would be to “establish detailed protocols” and “remaining current on evolving methods of cyber-attack.”
What’s the issue with this seemingly harmless and possibly efficient idea?
President Obama had the idea first and it’s already underway. In February of this year the White House issued the Cybersecurity National Action Plan. The first order of business was the creation of a “Commission on Enhancing National Cybersecurity.” Like Trump’s, this commission would also be formed of public and private sector thinkers and a bipartisan congressional delegation. The commission’s mandate is to “make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors.” The commission members who were announced in April 2016 include: Tom Donilon, former National Security advisor, General Keith Alexander, former Director of the NSA and former Director of U.S. Cyber Command, Joe Sullivan, Chief Security Officer of Uber and former Security Officer of Facebook, Annie Antón, Professor and Chair of the School of Interactive Computing at Georgia Tech, and Ajay Banga, President and CEO of Mastercard. These are only a selected few examples of the twelve member commission but the commission clearly represent military, civilian and private sector experts in cybersecurity.
Other than his Cyber Review Team, Mr. Trump hasn’t offered any other solid cybersecurity recommendations. Neither major party candidate is offering real solutions to a critical crisis that is unfolding. Hackings and intrusions will not dissipate but will only grow in size and aggression barring any serious attention by the federal government. At least in this element Secretary Clinton and Mr. Trump agree: cyber is of increasing importance for U.S. national security, infrastructure and business and should be taken much more seriously. This understanding is not enough to prevent potentially debilitating attacks in the future.
Cybersecurity is a dynamic and fast-paced policy realm. Technology is ever-changing and requires almost constant attention and modernization. The federal government’s bureaucratic nature prevents any meaningful progress, both in establishing policy and enacting it. Because of this much of federal level policy making is playing catch-up. Cybersecurity needs greater attention at the executive level. The federal government needs a greater understanding of cybersecurity’s ever evolving nature and a determination to lead the field. These principles apply to whomever becomes the next President.