GET THE FREE NATIONAL CYBER SECURITY APP FOR YOUR PHONE AND TABLET
As candidates hit the campaign trail, NPR looks at four major issues the next president will face from Day 1 in office.
When President Obama took office back in 2009, “cybersecurity” was not a word that everyday people used. It wasn’t debated. Then, mega-breaches against consumers, businesses, and the federal government changed that.
The latest came Tuesday, when the Internal Revenue Service said criminals used an online service provided by the agency to access the information of more than 100,000 taxpayers.
Now, the 45th president will have to come into office with a game plan for how to protect us online. The plan could shape up any number of ways because our digital lives — and the attacks against our digital lives — are pretty new. But it’s something people care a lot about.
With Edward Snowden, American citizens learned we’re the target of a mass surveillance program we didn’t know about, and that the National Security Agency, a military agency, is porous, vulnerable to insiders hacking and stealing.
With the Sony attack we saw how security breaches can bring big companies to a screeching, embarrassing halt.
And let’s not forget the new era of garden-variety crime. Credit card fraud, a la Target, set off a credit monitoring frenzy. And Anthem demonstrated that no institution is sacred. Criminal attacks against health care are the new normal, according to a recent Ponemon Institute study.
(How do hackers even make money from stolen medical records?!)
And then of course, there are the digital crimes of passion we’re committing against each other. Take revenge porn, a national concern that some states are taking onindividually.
Is this starting to feel…overwhelming?
When it comes to “cybersecurity,” the next president of the United States has tough choices to make: before even getting to solutions, what are the most important problems? And where should the federal government weigh in, or leave it to states or companies. Turns out Americans don’t have all that much confidence in any of them.
Back in the 1990s, “we didn’t need to worry about security because the market would take care of it,” said Jim Lewis, a senior official at the Departments of State and Commerce during the Clinton era. “Consumers would demand security and companies would provide it.”
Turns out they were wrong, he says. “That hasn’t happened.”
Under Clinton, the Internet went from a Pentagon project to a place for companies to play, experiment. And under Obama, we saw the smartphone revolution. Lewis says we’ve got to step back and, “just as we have energy policy and space policy and defense policy, maybe we need cyber policy.”
It’s very hard to regulate technology that’s unfolding before our very eyes.
Lewis — who’s now a senior fellow with the Center for Strategic and International Studies in Washington DC — names one key issue: consumer protection. And, he says, it’s a foreign policy issue.
Certain countries are sanctuaries for cybercriminals. That’s often where our personal data is flowing. “Finding out that someone in the Russian mafia has all your credit card information and your social security number doesn’t make the average voter happy,” he said.
Cybersecurity expert Bruce Schneier, a fellow at Harvard’s Berkman Center, says another way to protect consumers is corporate accountability.
“What government can do about data breaches is increase the penalties,” he says. “Right now your data is not very well protected because the cost of losing it isn’t very high to the companies that have it.”
Schneier wants to see the next president take on privacy too — what should police be able to access without a warrant, and what should companies be allowed to store. So far, we’ve just kind of assumed the answer is … everything.
For example, the company Uber published a light-hearted blog, called “Rides of Glory,” about people using Uber to have flings. Basically they looked at rides happening at night from point A to point B, and rides happening the next morning by the same person back.
Now, Uber didn’t publish the names of the people. It was aggregate, Big Data (and interestingly, the company took down the post as well).
But Schneier said, without a federal law on commercial privacy, they could have. “Right now under US law they could do whatever they like with that data. And it is just them being nice that makes them not publish it or sell it to people trying to market to you.”
The cybersecurity game plan could tackle any number of topics — data encryption,structural reform of the NSA, the role of Homeland Security. And that’s not even counting lightning-rod issues, like whether the next president’s Supreme Court nominee believes in changing passwords regularly.