Russia’s information operations against the United States and the media’s Russian hacking-centered election after-party make clear that nothing is secure in our cyberworld. As the owner of a Maine cybersecurity company, I know that the list of hacked organizations is long and distinguished.
It’s personal for many of us. A few years ago, my security background investigations – updated every five years since the mid-1980s – were stolen from the federal government. That data, which included candid assessments about my character and habits from friends and acquaintances, is in the hands of the Chinese. To prevent blackmail in the future, I’m disclosing publicly that I love black coffee and am a Dallas Cowboys fan from way back. Let the fake news begin.
The Obama administration has been subject to some sharp critiques on its lackluster cyber initiatives. President Obama has focused on protecting critical infrastructure. What is “critical” ranges from things like electrical systems to more unexpected areas, like agriculture. While these efforts are important, much of the work has focused on organizing meetings and voluntary standards.
Protecting government systems also has moved slowly and is hobbled by familiar factors: old systems that must be replaced at great cost and a bureaucracy that rewards itself for programs instead of results.
President-elect Donald Trump has pledged to make cybersecurity a priority. We wish him luck, because there are technical, legal and organizational hurdles galore. They are often underpinned by a central fear: We want our cyberwarriors to be effective, but at the same time, we are wary of the tools that reach into our lives.
Are we comfortable with an Obama (or, soon, a Trump) administration being in charge of voting machine security and the integrity of the results, as was seemingly proposed by Homeland Security Secretary Jeh Johnson last fall? The phishing attack on Hillary Clinton campaign chair John Podesta was old art. But new threats are already here with the growing “internet of things.” Thermostats and other small devices are connected to the Web, but are poorly secured.
Their risk was highlighted recently when thousands of Chinese-built security cameras were hijacked and used to send data to cripple a major internet gateway. More unnerving was that the attack seemed to be fine-tuning its process, looking for just the right mix of data and devices needed to be debilitating. This was not Barron Trump and a can of Monster Energy drink.
Organizing an effective defense and response to activities as we’ve seen from Russia or China will be expensive and come slowly. But while we grapple with defending both our virtual homeland and our privacy, we should look to quick wins that can change the cybergame fundamentally.
• First, Washington should escalate its offensive cyber operations. These operations should be targeted against criminal elements outside the United States, who, conveniently for us and the rule of law, are often also in service of foreign governments. U.S. policy should be to apply the full weight of our intelligence and military services in the same way we did in the war on terror. There’s plenty of room at Gitmo now.
• Easier still, we should make the risk of identity theft a thing of the past. How? By placing the burden of fraudulent loans on lenders. To some extent, this system exists, but you or I have to prove that there was a fraud. This is stressful and time-consuming.
Credit cards provide a better model: When you claim a fraudulent charge, a simple form is usually all it takes to reverse it. Merchants and banks bear the cost of these reversals, but most importantly, it incentivizes their practices to prevent it. Our goal should be to return to the good old days when you just didn’t care who knew your Social Security number.
• Finally, an important policy that’s often overlooked is to avoid data collection altogether. You cannot steal money from an empty safe. We should establish laws and policies to aggressively restrict data collection and retention.
A prime threat I see frequently is the call to collect more and more student data. Under regulations enacted by the Obama administration, student data can be collected and provided – without your knowledge or consent – for a research purpose with only the flimsiest assurance of protection. And how prepared is your cash-strapped school to protect data from cybertheft?
I, for one, don’t count on such data being uninteresting. The potential for embarrassment alone – as seen in this political season – is priceless.