A citizen’s guide (or to sound smart at cocktail parties)

[Image: Murica flag, cyber edition]

While the first U.S. presidential debate included an open-ended, broad question about each candidate’s stance on cybersecurity, it accomplished little in helping citizens understand the candidates’ actual policy positions — nor why cybersecurity policies are relevant at all on the national scale. Saying “cybersecurity is important” for the U.S. today is like saying “having a military is important.”

But, it was also clear from the responses, such as bringing up Daesh’s use of the internet for recruitment or using the term “the cyber,” that there’s a lack of mainstream understanding of what cybersecurity actually means in a policy context (the argument against the term “cyber” and its derivatives is left for another day).

Here’s my best attempt at a definition as far as most citizens are concerned: cybersecurity at the national level includes 1) methods and resources to conduct geopolitical, intelligence-gathering, or offensive operations, and 2) methods and resources to defend against digital attacks that might threaten national security, individual liberties, or our economic viability.

Simply put, cybersecurity is the newest domain of both warfare and everyday life, and thus has policy implications at a national scale. It would be a grave mistake to underestimate the importance of cybersecurity in geopolitical strategy and how much our “life, liberty and the pursuit of happiness” depends on it today.

So, without further ado, here are the three questions I think are worthy of being asked at the next two debates, as well as why you, as a citizen, should care about their answers. If you think a question is worth asking, vote for it by clicking the relevant link below. (Author note: after the conclusion of the debates, the question site was disabled – these now link to the relevant sections in the post).

  1. Do you support federally mandated encryption backdoors?
  2. How would you improve protection of critical infrastructure from cyber attacks?
  3. What balance would you strike between cyber deterrence and offensive cyber operations on other nations?

[Image: Code dripping over the White House]

Do you support federally mandated encryption back doors?

What we’d learn

The way the candidates answer this question primarily will show to what degree they are aligned to constitutional rights plus the needs and desires of citizens vs. what “the powers that be” (primarily the FBI) say is necessary. Secondarily, it will show how open they are to listening to expert opinions in a particular area, as the overwhelming majority of cybersecurity professionals are vehemently and publicly against encryption backdoors.

The context

There have been multiple encryption debates throughout the years, but the most recent focuses on encryption backdoors. Let’s start with a basic definition of encryption: it’s a “process of ciphering information in such a way that only authorized parties can read it.” It’s not hyperbole to say encryption is part of everything you use online — from online banking, online shopping, email and electronic medical records to Facebook chat. It is a fundamental part of what makes the internet economy as we know it work, by adding a layer of trust.

Now, what’s a backdoor? A backdoor is an intentionally placed method of bypassing a security mechanism in software, and is most often used to gain unauthorized access to something. In the context of encryption, a backdoor is specifically a way to recover the “plaintext,” or raw data, without the key the communicating parties used. For example, encrypted data might look like “IUFdjxi/FI8+2zv/WbEUq=M+b…” while the plaintext says “I like pizza.”

By way of analogy, an encryption backdoor is similar to designing a physical lock with a master key that can always open the lock if needed. It’d be naive to assume that only the designated owner of the master key (for example, the government) could unlock the lock. Someone else could examine the way the lock is designed, deduce how the master key looks, and create one on their own, or simply steal a copy from whoever is holding it.

The implications for an encryption backdoor are even worse than that analogy — at least in the physical lock case, there’s a slight barrier in that physical proximity is still needed to use the master key. In the digital case, a hacker doesn’t even have to move in order to use the master key across a bunch of different digital “locks” in any location in the world.
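To make the “master key” analogy concrete, here is an added example (my own illustration, not code from the original post or from any real lawful-access proposal) of the simplest key-escrow design: every message is encrypted under a fresh per-message key, and that per-message key is wrapped twice, once for the intended recipient and once under a single escrow “master key.” The cipher is real (AES-256-GCM from Go’s standard library); the escrow layout, the names Bob and Dave, and the assumption that the escrow key is one symmetric key rather than a split or hardware-held secret are my simplifications. The point it demonstrates is structural and survives those simplifications: whoever holds the master key, the designated authority or someone who stole it, reads every sender’s traffic, while a guessed key gets nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"log"
)

// NewKey returns a fresh random 256-bit AES key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		log.Fatal(err)
	}
	return k
}

// sealBytes encrypts plaintext with AES-256-GCM under key and returns
// nonce||ciphertext||tag so the blob carries everything needed to open it.
func sealBytes(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, nonce...)
	return append(out, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// openBytes reverses sealBytes. The GCM tag check fails on a wrong key or
// on tampering, so someone merely guessing at the master key gets nothing.
func openBytes(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Envelope is one message as it would cross the wire under a hypothetical
// key-escrow design. KeyForEscrow is the backdoor: the same per-message key,
// wrapped under a master key the sender and recipient never chose.
type Envelope struct {
	Ciphertext   []byte // message under a fresh per-message key
	KeyForBob    []byte // per-message key wrapped under the recipient's key
	KeyForEscrow []byte // per-message key wrapped under the escrow master key
}

// Encrypt builds an Envelope for recipientKey, adding the escrow wrapping
// under masterKey whether or not either party wants it there.
func Encrypt(recipientKey, masterKey, plaintext []byte) (Envelope, error) {
	msgKey := NewKey()
	ct, err := sealBytes(msgKey, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	kb, err := sealBytes(recipientKey, msgKey)
	if err != nil {
		return Envelope{}, err
	}
	ke, err := sealBytes(masterKey, msgKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, KeyForBob: kb, KeyForEscrow: ke}, nil
}

// DecryptAsRecipient is the intended path: unwrap with the recipient's key.
func DecryptAsRecipient(recipientKey []byte, env Envelope) ([]byte, error) {
	msgKey, err := openBytes(recipientKey, env.KeyForBob)
	if err != nil {
		return nil, err
	}
	return openBytes(msgKey, env.Ciphertext)
}

// DecryptWithMasterKey is the backdoor path: anyone holding masterKey reads
// any message from any sender, without touching the recipient's key.
func DecryptWithMasterKey(masterKey []byte, env Envelope) ([]byte, error) {
	msgKey, err := openBytes(masterKey, env.KeyForEscrow)
	if err != nil {
		return nil, err
	}
	return openBytes(msgKey, env.Ciphertext)
}

func main() {
	bob, master := NewKey(), NewKey()
	env, err := Encrypt(bob, master, []byte("I like pizza"))
	if err != nil {
		log.Fatal(err)
	}
	pt, _ := DecryptAsRecipient(bob, env)
	fmt.Printf("Bob reads:              %q\n", pt)
	pt, _ = DecryptWithMasterKey(master, env)
	fmt.Printf("Master key reads:       %q\n", pt)
	// Dave shares nothing with Bob except the escrow wrapping, so one leaked
	// master key opens both mailboxes, and every other one, from anywhere.
	dave := NewKey()
	env2, _ := Encrypt(dave, master, []byte("wire transfer approved"))
	pt, _ = DecryptWithMasterKey(master, env2)
	fmt.Printf("Same key reads Dave's:  %q\n", pt)
	if _, err := DecryptWithMasterKey(NewKey(), env); err != nil {
		fmt.Println("A guessed master key fails:", err)
	}
}
```

The design choice worth noticing is that the security of every message now rests on two secrets instead of one, and the second secret is shared by every message in the system. Real proposals try to mitigate this with split keys, hardware modules or per-vendor escrow, but none of that changes the shape of the problem: the escrow secret, wherever it lives, is exactly the “attractive and lucrative target” described below.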

The FBI has been the most notable proponent of encryption backdoors, as highlighted in their battle with Apple earlier this year. Further, in 2007, researchers showed that Dual_EC_DRBG, a random-number generator standardized by NIST and championed by the NSA, was designed in a way that let whoever held one secret constant predict its output; documents leaked in 2013 indicated the NSA had done exactly that. Software that adopted the generator would have produced keys an adversary holding that secret could recover, leaving its data open to attack or interception. The argument in favor of encryption backdoors generally rests on the use of encryption by criminals or other bad actors, and the worry that encryption allows them to “go dark” (i.e. make it harder for someone to intercept or access their data).

However, the overwhelming majority of cybersecurity experts are against backdoors, primarily because there’s absolutely no way to ensure that these “trap doors” aren’t discovered by hackers, criminals or combative nation-states and used against American citizens, corporations, banks, utilities, troops or the government itself. It cannot be stressed enough that the “harsh technical realities make a [lawful access only] solution effectively impossible.”

Requiring encryption backdoors also would place a huge financial and resource burden on private enterprises by requiring software developers to design systems in a way that allows law enforcement to gain access as needed — or desired. Further, no matter how you decide who is granted access to the “master key” for these backdoors, they immediately become an attractive and lucrative target for cyberattack — potentially pouring many millions of dollars of extra risk onto the shoulders of private enterprises.

Why you should care

If you’d include yourself among people who care about the following, you should be strongly against requiring — or even the existence of — encryption backdoors:

  • The First Amendment, free speech and freedom of the press
  • The Second Amendment (encryption software has historically been classified as a munition — a military weapon — by the government, which means that citizens arguably have the right to use encryption to defend their personal data, without it being rendered ineffective due to a backdoor)
  • The Fourth Amendment (keeping data safe in event of an “unreasonable search and seizure”)
  • Criminal justice reform
  • Eliminating discrimination
  • Stopping people from stealing your personal data or assets
  • Stopping people from stealing corporate data or assets
  • Protecting critical infrastructure
  • Protecting hospital systems and medical devices
  • Keeping our troops safe
  • and many other things, but I have a tendency to ramble as-is

As you can recognize from the list, this isn’t a partisan issue.

Many people use the “I have nothing to hide” argument when first hearing about the encryption debate. That also happens to be irrelevant — given the prevalence of digital communications in our modern lives, encryption is essential in preserving our constitutional rights.

But it’s also way beyond that. As I mentioned above, encryption is used in nearly everything you do online these days, and not just your communications. Purposefully backdooring encryption leaves an open hole for hackers to get your healthcare data, personal pictures of your kids, drain your bank account, run up your credit card, or steal your identity. The vibrant, useful, trillion-dollar internet economy as we know it would not and could not exist without encryption.

As Matt Blaze, a leading expert on encryption, said in his recent testimony before Congress:

This is not simply a matter of weighing the desires for personal privacy and for safeguards against government abuse against the need for improved law enforcement… [Backdoors] will provide rich, attractive targets not only for relatively petty criminals such as identity thieves, but also for organized crime, terrorists, and hostile intelligence services. It is not an exaggeration to understand these risks as a significant threat to our economy and to national security.


[Image: Power lines, but with code on them for some reason]

How would you improve protection of critical infrastructure from cyber attacks?

With the follow-up: “Would you include election and electronic voting systems under the definition of critical infrastructure?”

What we’d learn

Each candidate would outline their plans for the federal government’s role in protecting critical infrastructure. Additionally, we’d hear each candidate’s proposals for addressing and solving some of the key challenges in protecting critical infrastructure, in order to judge how much they recognize the threat and how effective they’d be in preserving our national security, economy and way of life.

The context

Critical infrastructure, as per the Patriot Act, is defined as:

systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems or assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters

The federal government’s list of critical infrastructure sectors, maintained by DHS and the set of industries the NIST Cybersecurity Framework was written for, includes agriculture, water, public health, emergency services, government, defense, information & telecommunications, energy, transportation & shipping, banking & finance, chemicals & hazardous materials, post, national monuments & icons and critical manufacturing.

Many would argue that the list should also include election and electronic voting systems, as they are a vital component of maintaining democratic elections (and I personally would agree). Particularly in light of the recent revelations that Russian actors hacked the DNC and breached the Illinois voter-registration database, targeted Arizona’s, and attempted to reach many more, the plea by information security experts to have the security of voting systems be taken more seriously is steadily gaining legitimacy.

The reason why federal-level protection of critical infrastructure from cyber attacks is up for debate is that, currently, the onus is primarily on the private sector to defend itself. However, the same isn’t true for physical threats such as potential terrorist attacks — should the owner of the World Trade Center have conducted their own anti-terrorism operations and had fighter jets ready to escort a hijacked plane? Of course not.

If the federal government is in charge of protecting national security, then it’s logical to suggest that they should also take the lead on all national security, including securing national infrastructure. However, given the complexities of our physical and virtual infrastructure, and consequently the large number of industries that fall under the critical infrastructure label, there is disagreement over the extent to which the federal government should help bolster their cybersecurity. We, as citizens, should hear what the candidates’ respective positions are on this important issue.

Additionally, the question of how to do it is potentially more subjective, and could include anything from recommending minimal security standards (which is the default, albeit ineffective, strategy) to imposing fines on software vendors for vulnerabilities or conducting cyber deterrence (which I dig into more in the last question). I, for one, would like to know the candidates’ ideas on the “how to” as well.

Why you should care

If you care about our national security, you should care about this question. It’s safe to say it’s a bipartisan desire for the local power plant not to blow up, to avoid a food crisis or not have our financial system come to a standstill.

The reason why you should care about each candidate’s specific answer to the question is that the level of cybersecurity in critical infrastructure is, in general, alarmingly poor, which raises both the likelihood of a cyber attack on it and the damage such an attack could do at any time. While I don’t condone FUD (fear, uncertainty and doubt as a media strategy), I will say that it’s far better to act now to reduce the probability of a calamitous digital attack on our critical infrastructure than keep our fingers crossed that it won’t happen.

There are a few cybersecurity challenges faced by these industries, though. First, there’s a massive shortage of talent, and those who are practitioners generally go to industries that can pay the most (like tech and financial services). Perhaps workers in declining industries could be given incentives to retrain with cybersecurity skills. Second, critical infrastructure systems usually are complex, and a lot of infrastructure software is old and was designed without security in mind, so it’s difficult to install or integrate security measures after the fact.

Third, a single private entity won’t have the same level of information about potential digital threats as the federal government, nor the resources to prevent against every possible scenario. By leveraging the U.S. intelligence community’s data, private entities in critical industries could be given a “heads up” on potential threats and guidance on the tactics, techniques and procedures of groups likely to target them in a cyberattack.


[Image: AFB Central Control facility]

What balance would you strike between cyber deterrence and offensive cyber operations on other nations?

With the follow-up: “What role do you think cyber deterrence plays in cyberwarfare?”

What we’d learn

The candidates’ answers to this question should reveal:

  1. How they’d invest in and preserve our advantage in the “cyberwar” arena — from technology to human capital
  2. How they’d use offensive cyber operations — would it be covert geopolitical influencing or upfront display of capability? Would we be the first-movers on offense or focused on attacking back?

The context

The domains of warfare were traditionally Land, Sea, Air and Space, but Information Operations (i.e. the digital domain) became the fifth dimension for the U.S. military in 1995, and the Department of Defense formally declared cyberspace an operational domain in 2011. Since then, information operations, or “cyberwarfare” as dubbed by the media, has become a crucial component of military strategy due to the proliferation of digital systems globally and their importance in all areas of modern life.

The two main types of cyberwarfare are espionage and sabotage. Espionage is used for spying purposes to gain intelligence; for example, the hack of the Office of Personnel Management (presumably by China) was to gain intelligence on people who work for various U.S. government agencies. Sabotage is used to disrupt adversaries’ systems for geopolitical or military gain. For example, rather than conducting some sort of strike on Iran’s nuclear facilities, the U.S. (reportedly together with Israel) leveraged its offensive cyber capabilities to covertly disrupt Iran’s nuclear program, using malware later dubbed “Stuxnet.”

Cyberwarfare is particularly reliant on intelligence (part of why the NSA has expanded so much over the past two decades), and thus most operations tend to fly under the radar. It would reduce a government’s advantage to reveal capabilities or methods, since then adversaries could better thwart attacks or repackage the attack for their own use.

This highlights the difficulty of cyber deterrence. Publicly attributing a cyber attack to a specific nation-state in a way others will believe requires presenting evidence, which in turn reveals, at least in part, the sources and methods used to figure out who did it. If you don’t present evidence, the attribution can be dismissed as a baseless accusation, which isn’t great for geopolitical maneuvering. Even with evidence, attribution is notoriously difficult, since attackers can attempt to mask their digital tracks, including by routing the attack through infrastructure in a different country, or by planting code comments or language settings that point at someone else.

In any case, to dissuade adversaries from attacking us, the U.S. has to make it clear that the intelligence community will figure out who is behind any attacks against us, retaliate swiftly and inflict significant damage…all without revealing the extent of our capabilities.

Why you should care

It is evident that the U.S. currently has a decisive advantage in the nation-state cybersecurity arena — anyone suggesting otherwise, as seen in this election, is misinformed. We began preparing for, and conducting, offensive cyber operations about a decade before others, giving us a significant head start.

Further, the dominance we have over global digital infrastructure is extremely difficult to replicate, and that fact makes our cyber operations smoother to conduct. For example, as revealed by the Snowden leaks, the U.S. taps into undersea fiber optic cables that serve as the fundamental communication rails of the internet, giving access to the traffic transmitted over those cables (at least to whatever portion of it is not protected by encryption, which is one more reason the backdoor question above matters).

To be clear, Russia, China and Iran all have highly intelligent and capable cybersecurity teams (to varying degrees of size and sophistication). But we can conduct offensive cybersecurity operations on a bigger scale. We not only can perform equally as sophisticated attacks, but we also possess a formidable information advantage to better craft attacks and anticipate attacks against us.

This doesn’t mean we’ll never be attacked, due to the aforementioned abilities of our adversaries — though the cyber deterrence strategy is meant to dissuade others from attacking us by showing our muscle. While we currently have superior offensive cybersecurity capabilities that give us a geopolitical advantage, this does not make us invulnerable to the potentially devastating effects of cyberattack against us by a capable nation-state.

On the other hand, an offensive operation presents the risk of being caught, which might be viewed as a declaration of war — thus leading to retaliation against us (which isn’t ideal). So, we have to be judicious in how we leverage our offensive cybersecurity capabilities to balance optimizing our foreign policy goals while protecting our own national security.


[Image: Map of the USA but with code on it]

Conclusion

Do I think these questions will be asked at the debates? No (but fingers crossed). I don’t think there’s a sufficient public understanding of the multifarious policy issues presented by cybersecurity — largely because the media coverage of cybersecurity is notoriously terrible.

However, raising voter awareness of these issues still is critically important. Real change won’t happen if it’s just the information security or privacy community who is concerned…and it really shouldn’t just be them, since cybersecurity issues affect all citizens.

Cybersecurity’s importance in our nation’s ecosystem only will grow, so starting the discussion of these issues now means there’ll be a deeper consciousness of them among voters in the next election — and a greater ability of “the people” to ensure their rights and security are preserved as we march past the point of no return into digital dependence.