Who is the information security preferred candidate? A look at presidential election 2016

Tomorrow, much of the country will be at the voting booths. Many organizations have endorsed a candidate, while others are forbidden. For example, most 501(c)(3) organizations are forbidden according to IRS rules to directly or indirectly participate in any political campaign on behalf of or in opposition to a candidate for public office.

So which of the two leading candidates is best from an information security perspective? Should a CISO prefer one over the other?

Before I get into the specific candidates, there’s a lot of bright minds in the security community discussing election 2016 and its implications. There’s also a lot of friendships (both on-line and off) that have been severed due to the partisanship in this election cycle.

[ ELECTION HACKING: What are the myths and realities of the election being hacked? ]

An important point made by Gal Shpantzer, a Washington, DC-based independent security consultant is that whoever is elected must remember that computer network attacks by American intelligence agencies, especially those that target physical infrastructure, are not necessarily helpful to the private sector or even the rest of the US government. This is due to the fact that the majority of US critical infrastructure is owned and operated by the private sector, much of which is barely capable of fending off damaging DDoS (e.g. Dyn) and ransomware (e.g. MedStar Health) attacks from profit-oriented cyber-criminals.

If we see a global escalation in computer network attacks between the US and other countries with professional offensive capabilities, effecting physical and economic damage at scale, the US may be at a defensive disadvantage, given its reliance on our own vulnerable infrastructure.

Ariel Silverstone, vice president of Security Strategy, Privacy and Trust at GoDaddy, said it is important that any president will take a real look at the current state of affairs, including risks not foreseen in the recent eight years and adjust information security priorities accordingly.

Christina Ayiotis, Esq. is a cybersecurity consultant and notes that in comparing what the respective campaigns have posted and spoken publicly about regarding cybersecurity and technology innovation, she believes the Clinton campaign has taken a proactive and comprehensive approach to addressing cybersecurity. This is crucial given it continues to be one of the most important issues affecting not just our government but the overall economy.

 As to Ayiotis’s observation, one thing the next president will have to do is fix the damage done by the NSA spying scandal. There is an eroded public trust in government, in addition to Cisco seeing a huge drop in export sales because of fears that the NSA could be using backdoors in its products.

The truth be told, it’s not really about the candidate, it’s about who the candidate will empower to put cybersecurity policy into effect. Neither candidate has spoken in detail about information security specifics such as data-breach disclosure, encryption, and critical infrastructure security.

In February of this year, President Obama announced a Cybersecurity National Action Plan (CNAP) which takes both short- and long-term actions to improve the cybersecurity posture within the federal government.

The CNAP also created the role of a Federal CISO, which in September was a role taken over by Ret. Air Force Gen. Gregory Touhill. The notion that there is a Federal CISO is a surprise to many in the private sector. For many people, they simply didn’t know of the role, and have not heard of Touhill.

Cybersecurity experience

Let’s cut to the chase, neither candidate has a significant understanding of cybersecurity. Neither understands how IT works and how cybersecurity must be deployed. Both candidates know the key talking points and how to attack the other, but that’s about it.

While she won’t be sitting for the CISSP certification anytime soon, after spending over 30 years in the government, Clinton knows about information security, security regulations, encryption and the like. While the jury is still out just how much she has complied with necessary information security requirements, she certainly understands its importance — from the corporate level to that of government and international security.

Kevin Mitnick of KnowBe4 thinks that since Clinton was the victim of the DNC attacks, she now has a much greater personal interest in information security. She has skin in the game at this point and may take it more seriously.

Trump made his name in real-estate and business dealings. His forays into the technology sector have been limited. With that, it’s unclear how much Trump knows about core information security concepts. At the corporate level, as of late summer 2016, the Trump organization did not have a dedicated CISO, or someone in that capacity.

Advantage: Clinton

Information security platform

Neither candidate has a detailed, formal or comprehensive cybersecurity platforms.

In early October, Trump promised immediate action on cybersecurity for his administration. Of the two candidates, only Trump has a page directly addressing information security. There he addresses his vision for cybersecurity and details five key issues.

Clinton’s technology and innovation page states that as president, Clinton will advance America’s global leadership in technology and innovation by promoting cyber security at home and abroad. But she does not detail any specifics on how she will do that.

Advantage: Trump

Understanding of information security

Neither candidate has spoken significant about information security. In the September debate, moderator Lester Holt asked the candidates: Our institutions are under cyberattack, and our secrets are being stolen. So my question is, who’s behind it? And how do we fight it?

To that question, neither candidate replied with a highly detailed or substantial answer. Clinton attempted to attribute attacks to Russia, which in turn she said Trump was an ally of Putin.

Trump did not offer any specifics, except to say that he didn’t think attribution was yet possible.

Advantage: Clinton

Breach victimization

Each candidate knows what it feels like to be the victim of a data breach.

For Clinton, be it the DNC hack, her email server fiasco, WikiLeaks disclosures, and other attacks, a huge amount of damaging information has come to light. For most candidates, but one of those would spell doom. For Clinton, it certainly has hurt, but not derailed her presidential aspirations.

As for Trump, Brian Krebs reported in April that the Trump Hotel Collection, a string of luxury properties tied to Trump, appeared to be dealing with another breach of its credit card systems. If confirmed, this would be the second such breach at the Trump properties in less than a year.

Advantage: Trump

And the winner is

For a statistician, sample size is crucial to get a meaningful confidence level. With that, neither candidate is a shoe-in from a cybersecurity perspective.

For either candidate, it’s unclear how they’ll interact with the Federal CISO. But the fact that cybersecurity is still not a cabinet-level position in 2016 is an issue that leaves both candidates, and every US Citizen at a significant disadvantage.