In the first US Presidential debate, held on the evening of September 27, 2016, one of three topics on the agenda for the candidates was "Securing America." Debate moderator Lester Holt lead off this portion of the program with the following:
"We want to start with a 21st century war happening every day in this country, our institutions are under cyber attack, and our secrets are being stolen. So my question is, who's behind it, and how do we fight it?"
First, let's acknowledge that the first question on national security focused not on terrorism or various conflicts being fought primarily through conventional means around the world, but cyber issues. It clearly shows how dependent we have become on the digital world and how our confidence in its security is one of defining issues of our time. It's also very encouraging that both candidates agreed that national cybersecurity is an important issue and a priority.
Unfortunately, though, given the impact that security incidents have had on this election cycle, it's disconcerting that neither candidate offered a more detailed plan of how they would address the problem, and how multifaceted it is. Like most of the debate, the candidates focused on tangential elements of the issue, not the core. In the case of cyber, the focus was on attribution of cyber attacks. Not only is attribution of attacks notoriously difficult, it should not be the primary concern when dealing with damaging incidents. Instead, the focus should be on developing a proactive strategy to identify the critical assets a malicious actor may target, and building or improving the required capabilities to protect them, so that we can reduce the risk to the organization when similar attacks happen again. The current focus on critical infrastructure protection through the NIST Cybersecurity Framework is an excellent first step, but there is clearly more than can be done.
We should call on the candidates to articulate a more detailed plan for how they would work to harden our cyber defenses, and how they would appropriately balance physical and cyber protection. As this first debate showed, this is a substantive issue that will have far reaching consequences on not only our national security, but our national economy, and our political process.