Donald Trump actually made a valid point, securing the internet is hard

During the debates on Monday evening Donald Trump said something that wasn’t completely insane or laughable – securing the internet is hard work. He’s not wrong, and his comment is a point that both the government and private sector should remember.

The debates on Monday were a mess. Both sides were tossing around some questionable statements, or outright lies – and both came off looking so disconnected from the average voter, it’s hard to imagine either one of them as POTUS – but one of them will get into office. Let that sink in for a moment, one of them will be the next President of the United States.

Jobs were a big topic early on, and Trump started in with unemployment examples from Michigan and Ohio, where the actual unemployment rates in each state are lower than the national average according to the Local Area Unemployment Statistics at the U.S. Bureau of Labor Statistics.

Then Trump suggested that stop-and-frisk laws “worked very well in New York.” They didn’t. In fact, the New York Civil Liberties Union (NYCLU) published figures showing that black and Latino communities were the overwhelming targets of stop-and-frisk and in 90-percent of all stop-and-frisk incidents, the subject was innocent. There is a reason stop-and-frisk was ruled unconstitutional, and the Attorney General of New York said it made police-community relations worse in a 2013 report on the topic.

Later in the debates, Clinton and Trump were asked about “a twenty first century war…”

“…we want to start with a twenty first century war happening every day in this country. Are institutions are under cyber attack, and our secrets are being stolen. Who’s behind it, and how do we fight it?”

First, the question was just awkward. We’re not in a war. There are criminal hackers, doing criminal hacker things. Then on top of that, we have governments using hackers to do things that used to require fleets of spies and planted assets. But let’s look at how Trump and Clinton responded.

Clinton:

Well, I think cyber security – cyber warfare – will be one of the biggest challenges facing the next president, because clearly, we’re facing at this point two different kinds of adversaries. There are the independent hacking groups that do it mostly for commercial reasons, to try to steal information that they then can use to make money. But increasingly, we are seeing cyber attacks coming from states, organs of states. The most recent and troubling of these has been Russia. There is no doubt now that Russia has used cyber attacks against all kinds of organizations and our country, and I am deeply concerned about this.

Trump:

*Trump starts by bragging about endorsements, including one imagined endorsement from ICE (the Immigration and Customs Enforcement Agency)*

…As for as the cyber, I agree to parts of what Secretary Clinton said; we should be better than anybody else, and perhaps were not. I don’t think anybody knows it was Russia that broke into the DNC. She’s saying Russia, Russia, Russia, but I don’t — maybe it was. I mean it could be Russia, but it could also be China. It could also be lots of other people. It could also be somebody sitting on their bed that weighs four-hundred pounds. You don’t know who broke-in to DNC…

[After discussing what was learned form the DNC data leaks]

…Now, whether that was Russia, whether that was China, whether it was another country, we don’t know; because the truth is – under President Obama, we’ve lost control of things that we used to have control over. We came and with the internet. We came up with the internet, and I think Secretary Clinton and myself would agree very much, when you look at what ISIS is doing with the internet, there beating us at our own game. ISIS.

So, we have to get very, very tough on cyber and cyber warfare. It is a huge problem. I have a son – he is ten years old. He has computers. He is so good with his computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable. But I will say, we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester, and certainly, cyber is one of them.

So, let’s talk about the four-hundred pound cyber threat in the room.

It’s painful to admit this, but Donald Trump has a valid point, he’s right to say that security is hard work. Security isn’t as simple as ‘do this’ or ‘do that’ – it’s challenging and daunting at times. Trump got that fact right.

Patching is still a problem, because patching everything instantly doesn’t always align with business needs – so we’re stuck fending off attackers targeting MS08-067. Governments discover zero-day vulnerabilities in our networking gear and hoard them for more than a decade (thanks NSA!). Databases get owned left, right, and center because SQL Injection is now old enough to drink.

It’s frustrating, not only because many of the problems faced by security teams across the globe are solvable, but also because many times those solutions are dismissed or written-off as not important right now.

Think about it. A server the red team used to compromise your exchange system could have been patched, but payroll can only use one piece of older software to process legacy accounts, and patching the server breaks the program. Guess what hasn’t been patched since 2005?

Something else Trump said also made some sense, we don’t know who hacked the DNC. Clinton says Russia, a lot of people do, but are they right?

We have some guesses, but nothing that is proof positive. And yet, we may never see proof positive, leaving the public with nothing but guesses to work with. Is that enough? Sometimes, but not always.

Honestly, rarely will a hacked organization know exactly who did what when it comes to working incident response. Usually they get how and when, because most incidents leave behind some markers that help define those answers. When it comes to attribution, the ‘who’ and ‘why’ are just strong guesses, based on the other collected and verifiable data.

However, it’s a safe bet, whoever is working the incident response at the DNC has eliminated “other people” and “somebody sitting on their bed that weighs four-hundred pounds” as potential suspects. Hopefully.

The cyber question was just a blip during the whole debate, a blink and you miss it moment. This is unfortunate, because security is a major issue and here lately, something that has to be taken seriously.

Tony Gauda, CEO of ThinAir, shared some thoughts with Salted Hash.

“While both candidates in last night’s debate acknowledged the enormity of the threat posed by cyber attacks, in particular those carried out by state-sponsored agents, neither chose to extend the conversation beyond the moderators initial prompt,” Gauda said.

“Both Trump and Clinton focused on who perpetrated the DNC breach, they missed the larger point: It doesn’t matter if it was China, Russia, or the ‘400-pound hacker’ Trump mentioned who carried out the attack. What matters is the value of the data stolen, and how it’s being leveraged after being compromised. In the next debate, both candidates need to expand on their policies for mitigating cybersecurity threats that affect governments and private businesses (a conversation worth more than the 5 minutes granted by this debate).”

Side note: If you’re not familiar with ThinAir, their presentation at 2014’s DEMO (a conference series put on by IDG Enterprise) is rather interesting.