Preparations for the 2016 presidential election are fully underway, and as such, we're getting to see the candidates and familiarize ourselves with their politics. In televised interviews and debates, we've seen them answer questions about the standard platform issues – things like health care, taxes and immigration. But there's another issue that's increasingly occupying politician airtime which definitely hasn't enjoyed such a prominent role before: cyber security. This election cycle, candidates aren't just going to have to address how they'll defend the country, but also how they'll defend the cyber sphere.
In the years since the last presidential election, cyber attacks have grown to an extent that politicians have to get involved. After all, with the amount of power and organization that exists within the cyber criminal realm, defense against these malicious elements calls for the government to be an active participant in the effort. The consequences of not doing this will only get worse, as cyber criminals develop more sophisticated means of attack and hone in on higher-profile and harder-to-breach targets. But fortunately, the political climate as a whole seems to be embracing a proactive approach to cyber defense. The question now becomes: What's the best cyber strategy for politicians to leverage? And how big of a role can politics play in the fight against hackers?
Politicians taking a cyber stance
Jeb Bush is one of the leading Republican candidates, and for this reason he's spending serious time drafting various plans for how he'll handle issues if he's elected to office. Among Bush's plans? A five-point agenda on cyber security.
In a public statement that Bush put out on September 14, 2015, he wrote that the impetus for his creation of the plan stems from what he sees as a general neglect among politicians toward Internet security: "For all of the Internet's transformational power, its future rests in part on one critical factor - cybersecurity. If people have no confidence their information will remain safe online, they will - quite simply — be less willing to use the Internet, thereby jeopardizing future growth possibilities," adding later that recent high-profile cyber crimes "have demonstrated real vulnerabilities in government and private systems." Bush's plan, which is available for the public to read, breaks down to what he says are the steps to achieving a safer Internet. Among those steps are:
- Prioritizing cyber security as a national issue: This agenda item is unlikely to generate any criticism from either side of the aisle, since the threat posed by cyber crime is nationally acknowledged to be a pressing issue that needs to be tackled at the chief administrative level.
- Bolstering international collaboration: One of the key reasons why cyber criminals have achieved such success in recent years is that they've been able to transcend national borders and operate on an international scale. This global collaborative prowess on the part of hackers is only expected to evolve moving forward. Cyber defense, in stark contrast, has in many cases been marred by a lack of unification among different nations, which has impeded investigations into virtual crime efforts, thereby emboldening cyber criminals.
Bush's plan points to this problem and proposes a change in approach: "No one country can solve the cybersecurity problem, which is a global challenge. The need to protect sensitive systems from bad actors is a modern-day equivalent of securing the world's oceans for freedom of navigation, and just as nations came together to protect the seas, they should do so to secure the Internet." However, there are important examples of this unification that are beginning to take place already. The European Cybercrime Center (EC3), for instance, is one example of a cyber crime combat group that centers around cooperation between nations. Thanks to its ties to Europol, EC3 is able to function "as the central hub for [cyber] criminal information and intelligence" for EU member states.
- Forge public-private partnerships: The fight against cyber crime doesn't only call for cooperation among nations – it also demands work between governments and businesses. After all, the expertise needed to drive down cyber criminal activity exists within both public and private entities, and therefore in order to provide a maximum level of defense, both public and private need to be harnessed. Bush's program would have this happen by "reduc[ing] legal and technical barriers to cybersecurity information sharing between the federal government and private sector, and … promot[ing] best practices for the private sector, including voluntary cybersecurity standards."
But Jeb Bush is not unique in tackling cyber crime. While his plan represents a significant step in terms of the Republican candidates, there is already work being done at the executive level to deal with the problem of cyber crime. Within the current administration, President Obama has a cyber stance of his own – and as the chief executive, he's been able to put elements of that plan into practice over the past few years. As Tony Scott – U.S. chief information officer for the administration – stated in a July 31 blog post on The White House Blog, cyber security policy has been a priority of the current administration since 2009. In that time, the administration has been able to carry out concrete actions that demonstrate its commitment to better cyber defenses. Here's some of what the Obama administration has done in that regard:
- Evolution of Comprehensive National Cybersecurity Initiative: Toward the end of his presidency, President George W. Bush launched the Comprehensive National Cybersecurity Initiative (CNCI). When President Obama assumed office, he took the CNCI – which was then in its infancy – and outlined plans to drive it to the next level. Under Obama's leadership, the CNCI grew to take on some ambitious goals in the fight against cyber crime. Those goals include building "a front line of defense against today's immediate threats," "defend[ing] against the full spectrum of threats by enhancing U.S. counterintelligence" and "strengthen[ing] the future cybersecurity environment by expanding cyber education," among other efforts. These initiatives have served as the foundational elements in the administration's ongoing battle against cyber crime, which has only been gaining momentum.
- Advances toward better information sharing: There are necessary walls that exist between private businesses and the government, as well as between different industries. However, both political sides tend to agree that the fight against cyber crime won't be complete without the help of private organizations – and that means information sharing. While this information sharing is a key step, it's also understandably generated conversations and apprehension among businesses. In an effort to assuage that tension and move toward the kind of seamless, cyber security-based information sharing that will prove indispensable to the overall battle against hackers, President Obama issued an executive order "to encourage the development of Information Sharing and Analysis Organizations (ISAOs)." What these ISAOs will do is "serve as the hubs for sharing critical cybersecurity information and promoting collaboration for analyzing this information both within and across industry sectors." The creation of these hubs represents a key step toward galvanizing public/private collaboration, since the hubs have the potential to effectively mediate tensions that might otherwise arise from information sharing.
- Working toward passage of key cyber security bill: Politics is not an arena where decisions tend to be made quickly. For the Obama administration, the delays in getting concrete cyber-based legislation passed were impeding the deployment of an optimally effective national cyber effort. The tide seemed to turn toward action in April, however, when the House of Representatives passed – by a large margin of 307 to 116 – a bipartisan cyber security bill "that would push companies to share access to their computer networks and records with federal investigators," according to The New York Times. The landslide victory in the House for the bill came on the heels of a series of high-profile corporate breaches which seemed to affirm, in the public eye, the need for government collaboration.
As information sharing expert Paul Kurtz – who's had experience with politicians on both sides of the aisle – told The New York Times, "The gravity of the emergency we have in cyberspace is setting in with lawmakers. They now understand that companies can no longer fight the bad guys individually."
But the momentum that the bill experienced stemming from its landslide passage in the House ran into a roadblock in August, when the Senate decided to table a decision on the bill until later. This kind of stalling is by no means unique: As far as legislation goes, delays happen all the time. In the case of this cyber security bill, the delay had to do with amendments.
Waiting for the next steps
While individuals like President Obama and Jeb Bush can take strong stances in terms of cyber security, ultimately, political moves in that regard must go through the often long and drawn-out legislative process. This process is being best exemplified in the cyber security bill, which looked like a clear "yes" based on the House's vote, but is now facing the huge roadblock brought on by amendments in the Senate. The problem is that while the delay is underway, the cyber criminal sphere is not slowing down, and in the interim before the Senate's decision, another breach of the kind the bill is attempting to prevent could occur. Here's a general breakdown of what's been happening to the bill in the Senate:
- Amendments galore: As The Washington Post reported, the bill already has 22 amendments to its originally written form. Because of this large number of amendments, the process of vetting the bill is guaranteed to take much longer, since each amendment has to be evaluated individually.
- Privacy concerns: The sheer number of amendments is creating a roadblock to an expedient passage, but the content of the amendments themselves also promises to be a source of significant delay. One key concern outlined in an amendment by Sen. Ron Wyden is privacy. Wyden is concerned with the inherent privacy issues that arise from information sharing, and his proposed amendment reflects that concern. His amendment text, as The Washington Post reported, calls for companies to "remove, to the extent feasible, any personal information of or identifying a specific individual… that is not necessary to describe or identify a cyber security threat."
- Questions about corporate responsibility: According to its original text, the passage of the bill would ensure that breached enterprises – such as the Sonys, Targets and eBays of yesterday's headlines – will have to share information with the government as part of the effort to recover from the incident. But this call for information sharing begs the question: How liable should enterprises be that share information? That is, should businesses that share information with Secret Services or the FBI be granted legal cover based on the fact that they shared in the first place? Or should their sharing be a legally risky act in which they can face significant culpability? This is a contentious issue, and one around which there is no consensus yet in terms of the bill. On the Republican side, Sen. Tom Cotton (R-Ark.) is arguing the businesses that share data should be granted cover. A group of democrats that includes Sens. Al Franken and Patrick Leahy disagree, however, and have put forward an amendment that would ensure corporate accountability.
A responsibility for businesses
As cybersecurity occupies an increasingly central role in politics, this attention should shed light on the importance of business cyber security. For companies, the visibility that cyber security is getting at the political level should affirm the importance of having a business cyber strategy. Unlike in the political arena, businesses have the benefit of being able to implement proactive measures immediately in the fight against hackers. The problem is, not enough businesses are taking advantage of this. That's because it takes work – but it's absolutely necessary work. For enterprises, a pivotal step toward cementing a solid strategy comes from pursuing the kinds of enterprise security solutions that not only improve cyber security, but also drive up business as a whole. For more information on how cyber security and critical infrastructure intersect, check out Trend Micro's "Report on Cybersecurity and Critical Infrastructure in the Americas."