White House candidates: Where's your cybersecurity platform?
The author of this op-ed is President and Chief Operating Officer of Blue Coat, an enterprise-focused cybersecurity firm headquartered in Sunnyvale, California.
Although our presidential candidates dwell regularly on national security, few pay more than glancing lip service to cybersecurity -- although it is surely among the most ominous and vexing defense issues of the new century. It is high time they did.
On the stump in New Hampshire February 3, Hillary Clinton told a questioner "we will not tolerate" cross-border attacks on cyber infrastructure.
But she did not say what official intolerance might look like. Ben Carson called last month for a new National Cyber Security Administration. But no top contender -- not Clinton, nor Donald Trump, nor Sens. Bernie Sanders, Ted Cruz, or Marco Rubio -- gives the topic so much as a sentence in online issue-position summaries.
Fifty-five percent of information security professionals believe cybersecurity should be a key issue in the 2016 election, and the next president will face a swarm of cyber questions. Informed voters may not find it acceptable for presidential aspirants to dodge the subject, perhaps with the parry that they're "not that technical." None would duck the commander-in-chief aspect of the presidency because they can't personally fly a bomber. They need not be technologists to weigh in.
How can candidates theorize on strategies for defeating ISIS or going eyeball-to-eyeball with Russia in the physical world -- but shy away from discussing potentially crippling conflict in the virtual world?
Here are five important cyber questions for which every candidate should consider a clear position.
What constitutes war? When a state-sponsored cyberattack originates overseas and steals U.S. corporate assets, should the government retaliate, as Secretary Clinton suggests? With like-for-like digital aggression, or more? If critical U.S. infrastructure -- energy grids, financial networks, transit systems -- is incapacitated by an enemy using a keyboard, is that enough to justify a military response? The White House issued an "international strategy for cyberspace" in 2011 that called for confronting potential threats with enhanced military alliances and other partnerships.
But we have only embryonic norms and conventions to govern cyber conflict.
Which takes precedence, personal privacy or national security? It has grown fashionable to warn Internet users that "privacy is dead," but would our next president agree? How would he or she interpret the Fourth Amendment, which protects us against unreasonable searches and seizures, in a situation where wholesale digital surveillance might uncover and prevent terror attacks like those in Paris or San Bernardino?
What are our Internet rights? Do candidates concur with the Association for Progressive Communications that "Internet rights are human rights," and intrinsically linked to "economic, social, and cultural rights"?
Do they agree with the United Nations that disconnecting people from the Internet is a human rights violation and against international law?
If so, what responsibility does the U.S. (or any other) government have to keep people online?
Should the government regulate data residency? Data residency refers to the geographic location of your, or an organization's, private information. Cloud computing can give rise to data residency issues because the server you ping to check your flight reservation, or download your bowling team photos, could be anywhere on Earth -- and subject to the laws of its host country. It's growing more difficult for users to know where their sensitive stuff is housed. Should they have a right to know? Should U.S. policy require storage of sensitive data within U.S. borders?
Should Washington force private interests to do more on cybersecurity? A Senate bill introduced in December with bipartisan sponsorship would require a company to indicate in Securities & Exchange Commission filings whether it has a "cybersecurity expert" on its board -- and, if not, explain what protective measures it's taking.
Is that reasonable? The SEC said in 2015 it was reworking all its rules on cybersecurity incident disclosures.
Should private organizations be forced to reveal their Achilles heels in public? After all, they don't have to issue press releases about theft or incompetence that occur in the physical world. But if not, how can the public judge which are on top of their cybersecurity game?
Perhaps it's now clear why the candidates don't rush to answer questions like this. They're hard. They don't lend themselves to pat sound bites. Some are the very definition of dilemmas: no universally satisfying response is possible. Thoughtful answers might tax voter attention spans.
Yet cybersecurity issues have never lent themselves to pat answers. Today they are among the most urgent a president can face, and they will only grow more challenging. Our next president will have to wrestle with cyber policy. With primary season here, skeptical voters would be doing the candidates -- and the nation -- a great service by demanding more thorough cyber platforms.
The opinions expressed in this article do not necessarily represent the views of Blue Coat or its affiliates.