Online, we're all targets. When it comes to cybersecurity, changing outcomes is about unity of mission, not command, and here our government is often at odds with itself. The next president has a chance to change that.
The hack of the Democratic National Committee (DNC) made juicy headlines but it shouldn't have surprised anyone. There are two kinds of presidential campaigns in the United States: Those that have been hacked and those that have been hacked but don't know it.
If our next president is serious about preventing attacks, we need to stop waiting for the inevitable. The appointment of the nation's first chief information security officer and the new directive for cyber incidents are a start, but good cybersecurity policy should be proactive, not reactive.
Here’s how we can get ahead of the game:
1. End the government doublespeak
In February, President Obama took the first step of writing an op-ed in the Wall Street Journal to outline his strategy for strengthening the internet. He’s spending $3 billion to overhaul federal computer systems and fix government IT, which he characterized as "an Atari game in an Xbox world."
It is a bold plan and it shows cybersecurity is a top priority. However, other government actions and policies conflict with that goal. Just four months after the op-ed was published, a federal court in Virginia ruled that the government doesn’t need a warrant to hack people’s computers. The FBI battled Apple for months for a backdoor into the iPhone. And Microsoft is actually shipping its data to Ireland to avoid onerous subpoenas that would force it to comply with government data requests.
Those policies don’t just undermine security for companies, they weaken the very computers and systems government agents and officials use.
Everyone benefits from having hardened, secure systems. In order to change cybersecurity outcomes, the administration has to stop the doublespeak and get every government department on the same page.
2. Create a new cyber technology court
Many of the laws governing cybercrime are decades old and failed to anticipate today’s connected world. The Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, for instance, criminalize research by ethical hackers designed to find security flaws before they can be exploited by criminals.
In the absence of new rules, courts are deciding how to govern this new space. At the moment they’re making some regrettable decisions. In Virginia, the federal court likened an unpatched server to "a house with broken blinds," in effect saying that owning an old computer means you’ve given up any right to security.
Typically, court cases are decided with little to no understanding of the technology and its implications. The judge in the recent Oracle-Google copyright battle taught himself Java programming so he could make a more informed ruling. We can’t expect all judges to be programmers or think like hackers, but we can certainly ensure they have the right information and expertise available to them. In the patent system, lawyers have special training and take a separate bar examination. We need a version of that model so the legal system can keep up with the fast-evolving technology industry too.
3. Internet security isn't a war; the government needs help
For a global power used to flexing its muscle to solve problems, the web can be a strange place and a great equalizer. Some of the best tech talent and tools are in the private sector.
The government is aware of this issue. In fact, the government has stepped up its efforts to lure people to D.C. from Silicon Valley specifically to help solve the cybersecurity problem. But it needs to be a two-way street. Officials could start by sharing the information they gather on the worst actors in cyberspace that threaten companies.
In most of the biggest issues that we expect our government to solve, there is no role for private companies. But when it comes to the internet, there’s no choice but for the government to cooperate. This upsets them and challenges their sense of authority. Changing the government’s approach to cybersecurity may not prevent the next DNC hack, but it would give security professionals clarity and the tools they need to keep us safer. The next president will need to balance that need for control with the need for progress.
Oren J. Falkowitz is a co-founder and the CEO of Area 1 Security. He previously held senior positions at U.S. Cyber Command and the National Security Agency focused on big data and computer network operations.