Why Aren’t Presidential Candidates Talking about Cybersecurity?
Some would argue that signs of what WW III might be like are already emerging … it’s just not visible to ordinary folks because it takes place online, often in the dark web, largely out of the public eye.
Just as generals and politicians schooled in infantry-based warfare weren’t prepared for tanks and airplanes in WW I, nor for Blitzkrieg, aircraft carriers, submarines, or long-range strategic bombing in WW II, politicians today do not understand that a nation state or individual can do severe harm to individuals, organizations, or entire countries without shedding one drop of blood, as we explained in a recent interview with Zach Noble of “The Business of Federal Technology.”
In 2008, Chinese hackers, in retaliation over differences in control over the South China Sea, are suspected of having caused a power outage in the Philippines. In 2014, hackers attacked the U.S. energy grid 79 times. Other examples include Israeli hackers attacking the Iranian nuclear centrifuges, the Iranians bringing down an American drone, and the NSA’s cybersecurity practices revealed by the Edward Snowden leaks, as well as the recent successes by a hacker called “Cracka,” demonstrating the insecurity of the CIA’s JABS system and the CIA director’s personal email.
However, the average person’s concern tends to be more around online privacy than security. Even if the latter is at the nation-state level, it is worrisome that the current field of presidential candidates, as well as senior appointed officials, seemingly lack an understanding of cybersecurity, as reported in a recent Wired article.
One problem is self-imposed, in that information security professionals are unable and sometimes unwilling to make online security and privacy issues accessible to decision makers and private citizens alike. Instead, cybersecurity is often explained in esoteric terms, making it difficult to relate to for those not in the know. Everyone understands, or at least thinks they understand, why lowering taxes is either a good or a bad thing. But few understand the direct personal connections that cybersecurity issues have to their lives, never mind that their online security may already be compromised without their knowing it.
The dangers get sensationalized into visceral fears of power grids being attacked or planes being hacked in flight, as technically feasible as both of those unlikely scenarios indeed are. This distracts from more realistic and near-term cybersecurity issues, such as the long tail of consequences the OPM breach may have, or the impact that feasible attacks on financial institutions would have in weakening our trust in the banking system, resulting in runs on currency.
A third and most worrying reason why the candidates don’t seem to care to devote precious air time to cybersecurity is presumably due to two principal factors (not counting their evidenced online security illiteracy as a possible third):
- But, perhaps more importantly, the primary reason is probably that voters don’t know enough yet to care about cybersecurity, and there are bigger issues on people’s minds that warrant politicians spending costly TV air time on them. I’m not endorsing that point of view; I am simply reporting the reality I see:
- https://www.epic.org/privacy/survey/ – It’s perhaps telling that most of the content of this site devoted to privacy is 5+ years old
For most people, including politicians, I sense there is still a massive cognitive disconnect around cybersecurity. It’s a bit like it was talking to folks smoking or drinking and driving 30 or 40 years ago: They agreed with you that it was bad while they were lighting another cigarette or were opening another beer, driving off in their cars without their seat belts on.
But just like with the above-mentioned WW I or II generals still fighting the previous wars, or unaware consumers in the 1950s, all too often the pattern is that not until the old strategies and ways of thinking cease to work will there be a mindset change. To bypass such crisis-driven learning given the urgency of the situation, the need to educate a still uninformed populace is immediate, and the necessity to learn how to face a group of 21st century online adversaries that are highly skilled in a new form of conflict is great.
A needed and confidence-inspiring first step would be for the candidates to demonstrate that they know how to find and protect the sensitive data they create and email around, as that is precisely what the bad guys will be after. That certainly includes not storing such sensitive data in unsafe, off-premise networks or distributing sensitive data via outdated email service providers.
In the meantime, we can only hope that our future leaders wise up to the privacy and security threats individuals and organizations as well as countries are facing, and evidence that they do so through their own conduct and superior online security hygiene and role modeling, such as safely storing and transmitting sensitive data at all times.