Hillary or Donald: Who is more cybersecurity savvy?

Nov 02, 2016 | 8 mins
Cybercrime, Data Breach, Election Hacking

Both Presidential candidates say they support cybersecurity, but what do their actions reveal?

How could two candidates be more different? When was the last time a non-political candidate became a Presidential nominee? It was 1928 and the candidate was Herbert Hoover! Anyway, let’s look at what each candidate has to say about security and privacy and, more important, what their actions tell us.

Clinton said the following at a town hall meeting in February.

Cyber-security is one of the most important challenges the next president is going to face because the advances, the offensive advances by nation states that we know are very technically sophisticated — namely Russia, China, next level Iran, next level North Korea — are going to just accelerate…We have to be operating on both of these levels, making it very clear to Russia, to China, that not only that what their government does through various entities, but also if they outsource the work to hackers, they will pay a price.

Hillary has no official data security platform but here is what we know. Secretary of State Hillary Clinton addressed her thoughts on China on her national security policy page by saying: Hillary will work with allies to promote strong rules of the road and institutions in Asia, and press China to play by the rules — including in cyberspace, on currency, human rights, trade, territorial disputes, and climate change — and hold it accountable if it does not, while working with China where it is in our interest.

It appears Hillary likes Obama’s national cyber security plan and wants to build on it, but what about her actions?

According to The Washington Post, for the four years she was Secretary of State, Clinton operated and used a private email server with an insecure private email account. That wouldn’t normally have been an issue if she hadn’t used it for official government business instead of her official email address. Nobody noticed until the State Department responded to a request for documents from congressional investigators, only to find emails sent to and from a personal, non-State Department email address for Clinton. Clinton claims the whole affair was because she didn’t like carrying two devices, one for work email and one for personal email, but still wanted to get work done. Hillary Clinton appears to ignore security when convenience and usability are at stake. I have found in my career as an IT audit consultant that if you make security painful then it will likely be circumvented or ignored.

Clinton has repeatedly claimed the State Department allowed private email servers, a claim refuted by the State Department Office of Inspector General. In the end, the FBI decided that Clinton’s actions were “careless,” but not illegal, and decided not to recommend charges. Was the FBI pressured by the DOJ under a presiding Democratic President? Only President Obama and Hillary Clinton know for sure.

Beyond that, the AP reported last year that Clinton’s State Department cabinet was horrible at sticking to security standards, criticism that the State Department was, to its credit, willing to accept:

The State Department was among the worst agencies in the federal government at protecting computer networks….

But wait, the formerly closed FBI Clinton investigation was just reopened by FBI Director James Comey. Why? Because of Congressman Weiner’s indirect association with the Clinton campaign. His wife, Huma Abedin, who was a top Clinton aide, shared a laptop with the congressman, who is in trouble for sexting.

One need look no further than the OPM data breach to see yet another government agency fail at what it’s supposed to excel in: protecting the security clearances of its prized government employees and DoD contractors. OPM failed in cybersecurity, which resulted in over 20 million security clearances compromised; even FBI Director Comey’s file was compromised.

In summary: Hillary has said all the right things about cyber security, but in practice, if you look at her private email server and the careless sharing of those government emails by her top aide Huma Abedin that were just found on Anthony Weiner’s laptop, Clinton’s and her team’s actions don’t support the policy statements of someone truly practicing cyber security best practices. These careless actions speak louder than any political speech or publicized policy.

Hillary’s political webpage statements on cybersecurity

Enter Donald Trump. Never having been in the role of government service, he is a billionaire with a successful company that has had its ups and downs. Trump is now a Presidential candidate, so what can we now put together about his private practices relating to cyber security? First, his official policy on cyber security can be found here.

  • Order an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure, by a Cyber Review Team of individuals from the military, law enforcement, and the private sector.
    • The Cyber Review Team will provide specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats, and will follow up regularly at various Federal agencies and departments.
    • The Cyber Review Team will establish detailed protocols and mandatory cyber awareness training for all government employees while remaining current on evolving methods of cyber attack.
  • Instruct the U.S. Department of Justice to create Joint Task Forces throughout the U.S. to coordinate Federal, State, and local law enforcement responses to cyber threats.
  • Order the Secretary of Defense and Chairman of the Joint Chiefs of Staff to provide recommendations for enhancing U.S. Cyber Command, with a focus on both offense and defense in the cyber domain.
  • Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.

The New York Times captured the following in an interview.

First off, we’re so obsolete in cyber. We’re the ones that sort of were very much involved with the creation, but we’re so obsolete, we just seem to be toyed with by so many different countries, already. And we don’t know who’s doing what. We don’t know who’s got the power, who’s got that capability, some people say it’s China, some people say it’s Russia. But certainly cyber has to be a, you know, certainly cyber has to be in our thought process, very strongly in our thought process. Inconceivable that, inconceivable the power of cyber.

Well, Trump, we do know that it’s in fact Russia and China, and many more cyber gangs across the globe, if you are really following this issue. On the Apple-FBI issue, Trump stated that we should boycott Apple until they cooperate with authorities by providing the encryption keys to help solve the San Bernardino mass shootings. Trump, as a successful businessman, seems to have a great instinct about not trusting anyone.

I think it’s safe to assume that his success has been built by not letting his competition know his next move. So far so good, but Trump often says things in public he must certainly later regret, like the time he asked Russia to hack Hillary Clinton’s email servers; he also once asked hackers to look into Obama’s college records. Donald has also gone on record on Fox and Friends stating the NSA hacker Ed Snowden should be punished by execution as he was a traitor. Trump has also gone on record saying he always errs on the side of security and he assumes all his phones are being monitored.

Trump’s political webpage statements on cybersecurity.

In summary: We have Clinton, a career politician and former corporate lawyer who has been in the public eye for decades and has mostly done a good job keeping things like government documents and communications private, up till she decided to use the same private email server for her State Department job as she uses for her personal life. She no doubt will always regret this huge mistake.

On the other hand, we have Trump, who really appears to practice cyber security or at least knows how to keep his corporate information secret. He, however, has no public track record on working with and protecting state secrets. This could have been an advantage for Clinton if it weren’t for those State Department emails found on her private server that made it onto Anthony Weiner’s laptop.

Trump’s problem appears to be that he often says things in public without much thought. In the age of 24 x 7 news and social media, this can either help or hurt your cause depending on just what exactly you say in the moment. One thing is for sure: whether it’s something you said or something you did last week or long ago, the opposition will always seize the opportunity and use it against you, especially if the stakes are as high as the office of the President of the United States.

Only time will tell just how either candidate handles cybersecurity as the President. One thing is certain: it’s all up to you, America. Stand up and be counted in this very important election!


A senior security and compliance specialist, George Grachis has over 25 years’ experience in the tech sector. Some of his experience includes over a decade supporting the Space Shuttle program for Computer Sciences Corporation & Grumman Aerospace, security management for CFE Federal Credit Union, IT auditing & consulting for Deloitte and serving as Chief Security Officer for Satcom Direct.

George holds both the CISSP and CISA certifications. George received the ISSA Fellow designation in 2016 and is currently an active senior board member of ISSA. George has been interviewed by WFTV ABC TV and Fortune Magazine. When not working he enjoys spending time with family & friends, Big Brothers Big Sisters, playing the drums, motorcycling, fitness, and writing articles for his blog, Virtual CISO.

The opinions expressed in this blog are those of George Grachis and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.