Encryption & Key Management , Enterprise Mobility Management / BYOD , Governance & Risk Management
Analyzing Clinton's Positions on Cybersecurity, Privacy
Proposals Aplenty, But Details Are LackingAs Democrats gather in Philadelphia this week to nominate Hillary Clinton for president, it's a good time to look at the positions Clinton and the Democratic Party offer on cybersecurity and online privacy.
See Also: How to Take the Complexity Out of Cybersecurity
The convention kicks off with an untimely leak, for Democrats, of nearly 20,000 emails, including some showing an alleged bias by top party officials against Clinton's primary challenger, Sen. Bernie Sanders (see Leaked DNC Emails Show Lax Cybersecurity).
Last week, I looked at the Republican platform, which took a hard line against Chinese and Russian hackers (see A Look at GOP Cybersecurity Platform). The GOP platform also seems to advocate using hack back - a form of online retaliation - as a way for enterprises to defend themselves (see GOP Platform Suggests 'Hack Back' a Suitable Cyber Defense).
The Democratic Party platform doesn't offer anything as daring as hack back. It promises to protect industry, infrastructure and government from cyberattacks as well as to seek to establish global norms in cyberspace and impose consequences on those who violate the rules. All this would be accomplished, the platform contends, while protecting American citizens' privacy and civil liberties.
"We will protect the privacy and civil liberties of the American people - standing firm against the type of warrantless surveillance of American citizens that flourished during the Bush administration," the platform states. "We support recent reforms to government bulk data collection programs so the government is not collecting and holding millions of files on innocent Americans."
The platform's position on cybersecurity and privacy parallel those found on the Clinton campaign website; Trump's campaign website is virtually silent on cybersecurity and online privacy matters.
"Overall, [Clinton's] published plans go further than the plans I've seen from other politicians for privacy and information security," says Rebecca Herold, a privacy expert who goes by the moniker the Privacy Professor. "Of course, there is still more that could be done. However, I was pleasantly surprised to see the breadth of topics she covered within it, and the stated goals for privacy and security."
Clinton's website says she "rejects the false choice between privacy interests and keeping America safe."
Encryption Bypass Dilemma
Though the Clinton campaign website and party platform itemize a number of positions, merely stating them doesn't necessarily mean the candidate and party offer detailed solutions (platforms rarely go into detail).
Take, for instance, Clinton's stand on whether law enforcement should be able to bypass security safeguards such as encryption to access data on suspected criminals smartphones. Clinton says she understands law enforcement's need to collect evidence from devices of suspected criminals. At the same time, she sees the benefits of encryption to ensure the privacy of individuals. "This is one of the most difficult dilemma's we're faced with," Clinton said at a town hall meeting earlier this years (see Presidential Candidates All But Ignore Cybersecurity). "I see both sides, and I think most citizens see both sides."
Hillary Clinton
Clinton's solution, according to her website: Bring the public safety community and technology companies together to find a way to address the needs of law enforcement while protecting Americans' privacy and security to use technology. She supports a legislative proposal by Sen. Mark Warner, D-Va., and Rep. Michael McCaul, R-Texas, to establish such a commission (see House Committee Seeks Crypto Calm).
A Copout?
An overwhelming number of cybersecurity and encryption experts see creating an encryption bypass as a black-and-white issue, contending it's impossible to make exceptions for law enforcement to bypass safeguards without permitting others to do the same. "You can't have a world where the good guys can spy and the bad guys can't," says cryptographer Bruce Schneier (see Experts Blast Encryption 'Backdoor' Plan). "All we can get is where everyone can spy or nobody can spy."
Is Clinton's stand calling for a commission a copout? It seems to be a political stand, not one based on facts as described by Schneier and others.
"The stand of the U.S. president matters greatly," says Herold, who sees circumventing encryption as weakening individuals' privacy. "The leaders and citizens of other countries take notice. ... Encryption is not an enemy of homeland security, but instead a tool that is vital for protecting personal data from the exponentially increasing occurrences of privacy breaches."
Prioritizing Multifactor Authentication
The former secretary of state says, as president, she would prioritize the enforcement of well-known cybersecurity standards, such as multifactor authentication, as well as the mitigation of risks from known vulnerabilities. Clinton says she'd encourage government agencies to consider innovative tools, such as bug bounty programs. And, she says, she'd bolster the government's ability to test its own defenses by increasing the capacity of elite, cleared government red teams to help agencies find and fix vulnerabilities before hackers exploit them.
Martin Libicki, a cybersecurity scholar at the think tank Rand Corp., assesses Clinton's cybersecurity beliefs: "Multifactor authentication is important, but it only addresses one vector of attacks; it doesn't do much for attacks that insert malware into computers because someone has, as they inevitably do, despite training, opened a document or visited a web page. Bug bounties are really cost-effective, but that's largely because they are very inexpensive. Red teams are a better idea if agencies are funded to fix the problems such red teams encounter and assuming that the threat model used by the red teams conforms to the true threat model."
Affirming Strong Consumer Protections
Noting the rise of big data and the Internet of Things that will yield "transformative benefits to people" as well as raise important questions about privacy, Clinton's campaign site says her approach to privacy "will affirm strong consumer protection values through effective regulatory enforcement in an adaptive manner, encouraging high standards in industry without stifling innovation." But the statement doesn't provide details on what is effective regulatory enforcement in an adaptive manner or how to do so without stifling innovation.
Clinton's website says she supports expanded investment in cybersecurity technologies, as well as public-private collaboration on cybersecurity innovation, responsible information sharing on cyberthreats and accelerated adoption of best practices such as the National Institute of Standards and Technology cybersecurity framework. To ensure a coherent strategy across federal agencies, the campaign site says she'd build on the Obama administration's Cybersecurity National Action Plan, especially the empowerment of a federal Chief Information Security Officer, the modernization of federal IT and upgrades to governmentwide cybersecurity (see Obama Creating Federal CISO Post).
"What I saw was anodyne: information sharing, strengthening federal cybersecurity, balancing privacy with law enforcement, etc.," Libicki says of the Clinton cybersecurity plan. "There's nothing on bolstering the security of private enterprises, notably, no regulation to that effect."
Silence on Email Server Ruckus
Absent from the website statement and the platform is any mention of Clinton's use of private email servers as secretary of state, which FBI Director James Comey and the State Department inspector general contend exposed classified information to hackers, though no proof exists that her computers were breached (see Debating Hillary's Email Server: The Missing Element).
Clinton's actions in that matter demonstrated, at the very least, her ignorance of common cybersecurity practices. Let's hope Clinton learned a valuable lesson about IT security from the email server fiasco.