Originally published in TheHill.com on January 6th, 2016.
I want a nerd for president
Where has the national discussion been on cybersecurity? Certainly not in the debates. A recent review of the presidential debates shows that more time has been spent on cybersecurity in the latest episodes of “Madam Secretary” than in all of the debates combined.
There have been entire debates focused on singular issues like the economy and jobs. If a candidate didn’t have a jobs plan, they’d be rightly voted off the island. But almost every candidate is absent when it comes to having a plan for cybersecurity.
The Office of Personnel Management suffered the largest government data breach ever. More than 21 million records containing highly sensitive personal information used to grant security clearances were compromised, and the technology was so old the major systems holding the sensitive files were not able to use encryption to protect the data. “Yesterday’s technology tomorrow” used to be an inside joke. Now it appears to be an accepted way of life.
The threats we face today as a country have changed in ways never contemplated a decade ago. Ten years ago Facebook was only one and a half years old, Twitter didn’t exist and the iPhone wouldn’t be launched for another 18 months, followed over a year later by the first Android phone. Today, they form the integral tools of the most dangerous terrorist organizations we’ve ever faced.
We now know the attacks in Paris and San Bernardino, Calif., involved the use of encrypted communications and file storage. The FBI, state and local law enforcement investigations have been increasingly frustrated by the use of advanced encryption.
Our critical infrastructure is aging so fast, the chances of a catastrophic failure or attack are probably equal. We need look no further than Germany for a recent example of the potential consequences from an attack.
In December 2014, a report issued by Germany’s Federal Office for Information Security indicated attackers gained access to a steel mill belonging to ThyssenKrupp and then went into systems controlling plant equipment. The attackers disrupted control systems to such a degree that a blast furnace could not be properly shut down, resulting in massive damage.
Iranian hackers recently took credit for the cyberattack against the Bowman Avenue Dam in Rye, N.Y., an attack that happened in 2013. The group, SOBH Cyber Jihad, claims to have accessed the control systems. A Department of Homeland Security report says the attackers also accessed and read files, including user names and passwords. Nothing damaged — yet.
The Department of Homeland Security issued a bulletin more than a year ago describing a destructive Trojan horse malware program called “BlackEnergy” that has compromised much of our national critical infrastructure. BlackEnergy is clearly linked to a Russian cyber espionage group called Sandworm, and was earlier discovered in European energy and telecommunications companies.
Reports are now surfacing of successful attacks against the energy sector of Ukraine using BlackEnergy. On Dec. 23, blackouts occurred across the Ivano-Frankivsk region in what is proof of the capability of this malware. It doesn’t take much to connect the dots on which country has an interest in disrupting Ukrainian critical infrastructure.
The largest data breaches in history from healthcare to retail have occurred in the last two years. Identity theft is still the No. 1 consumer complaint at the Federal Trade Commission — 15 years in a row. No one is immune. The IRS, State Department and White House have all been breached.
The top tool for infiltrating government and private sector systems by advanced persistent threats remains spear phishing. Spear phishing is the use of email created by bad actors that impersonate a known company or individual that a user trusts. The user is duped into taking an action that results in the compromise of the targeted system. When’s the last time you heard a candidate talk about the need for training, technology and vigilance against spear phishing attacks? Exactly.
Russia, China and Iran are the top cybersecurity threats for a variety of military, economic, political and ideological reasons. What’s our plan for each? And this is just the tip of the digital iceberg. When do bits and bytes get bombs and bullets? When does a cyberattack constitute an act of war? How would we respond to an attack on our energy grid? Air traffic control? Water? 911?
How many presidential candidates have an economic plan on their website?
How many have a cybersecurity plan on their website?
One: Jeb Bush.
In March of 2016, FBI Director James Comey testified before the Senate Appropriations Committee on priorities for fiscal 2016. Preventing terrorist attacks is No. 1. Every candidate has a position on terrorism.
Another top priority, according to Comey, is “the sophisticated cyber threat from state-sponsored hackers, hackers for hire, organized crime syndicates, and terrorists. … An element of virtually every national security threat and crime problem the FBI faces is cyber-based or facilitated.”
It’s time for candidates to unleash their inner nerd and tell us exactly how they would protect and defend America in cyberspace.
Wright is a senior fellow at the Center for Digital Government and a regular cybersecurity analyst for Fox News, Fox Business, “The David Webb Show” and others. He has testified twice before Congress on the security and privacy of HealthCare.gov. Follow him on Twitter @morganwright_us.