To The Next President: Get A National Cybersecurity Strategy

In the first presidential debate, since cybersecurity is rarely a topic for political debate, I was surprised when moderator Lester Holt questioned the candidates about cybersecurity strategy. Specifically, Holt asked, “We want to start with a 21st century war happening every day in this country. Our institutions are under cyber-attack, and our secrets are being stolen. So my question is, who’s behind it? And how do we fight it?” 

 The first couple of sentences of Hillary Clinton’s response sounded as if she was going to establish a position on cyber-attacks, but then she segued into an attack on Donald Trump, and her answer just fell apart. The most coherent part of Clinton’s statement was: “…. We need to make it very clear — whether it’s Russia, China, Iran or anybody else — the United States has much greater capacity. And we are not going to sit idly by and permit state actors to go after our information, our private-sector information or our public-sector information.” 

That statement sounded as though she was advocating a strategy to hack back, or counter-attack, but then she said: “And we’re going to have to make it clear that we don’t want to use the kinds of tools that we have. We don’t want to engage in a different kind of warfare. But we will defend the citizens of this country.” So – maybe she would hit back, maybe she would not. Who knows? As far as Trump’s position, once he got past his own counter-attack on Clinton, he also failed to outline a specific plan, 

“We should be better than anybody else, and perhaps we’re not…. So we have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem…. The security aspect of cyber is very, very tough. And maybe it’s hardly doable.” I am not surprised the candidates could not state coherent positions for responding to cyber-attacks or on cyber warfare. Physical warfare is as old as mankind; we have had a really long time to develop strategies and positions there. Even with more modern types of warfare, such as air, space, nuclear, and bio-chemical warfare, in the twentieth century, we developed strategies and regimes of treaties and international agreements.

 However, until now there has not been a major war where offensive cyber power was as dominant an element as land, sea, or air power. We have certainly been getting close though. As early as 1999 in the Kosovo war, cyber-attacks on Serbia’s air defense systems may have been used to enhance the effects of the NATO bombing campaign. In 2010, the world’s first documented digital weapon, Stuxnet, began its systematic destruction of Iranian nuclear enrichment capabilities.

 In June 2015, it was revealed that Chinese hackers had accessed over 20 million personnel records and security clearance data at the U.S. Office of Personnel Management, and the director of national intelligence testified that the hack led the CIA to pull personnel from Beijing. On December 23, 2015, Russian hackers shutdown portions of the power grid in the Ukraine, leaving 1.4 million people without power for up to six hours. 

And in recent months, Russian hackers have hacked state voter databases and emails from the Democratic National Committee, perhaps with the goal of seeding uncertainty in the electoral process in the minds of voters ahead of the American presidential election.. 

These attacks illustrate a shift in nation-state cyber strategies, from spying and surveillance to active use of offensive capabilities to attack critical infrastructure, national security assets, and even the political system itself.