The US Presidential race is in its final stages, and it's not hyperbolic to suggest the outcome could affect the rest of the world. If you work in IT or simply value your online privacy, it's worth taking a close look at the security policies of both candidates. While we might not have the ability to influence the outcome here in Australia, it definitely pays to be prepared for what might be in store...
Every day it seems like there's another hack, password theft, or leak. Both government agencies and private companies are regularly attacked, either by intruders looking for sensitive data to sell or foreign actors looking for valuable information. That alone is reason enough for a US Presidential candidate to at least have an educated, informed cybersecurity policy. Let's take a look at their platforms to see if they do.
Hillary Clinton's Cybersecurity Policy
Clinton has been knee-deep in security issues for a long time now. Between the recent DNC hack and the controversy surrounding Clinton's private email server, and perhaps because she seems to be a magnet for hacks, Clinton has gone on the record extensively about information security. Clinton recognised the importance of data security in a town hall meeting back in February that sets the tone for both candidates in this election pretty well:
[Cybersecurity is] one of the most important challenges the next president is going to face because the advances, the offensive advances by nation states that we know are very technically sophisticated -- namely Russia, China, next level Iran, next level North Korea -- are going to just accelerate...We have to be operating on both of these levels, making it very clear to Russia, to China, that not only that what their government does through various entities, but also if they outsource the work to hackers, they will pay a price.
Clinton's primary approach to information security is one that focuses on US national security interests. Calling out Russia, China, Iran and North Korea specifically gives you a glimpse into her general plan, and her data security priorities.
What Hillary Clinton Has Officially Outlined
Clinton has no official data security platform, or position document. Instead, she outlines her policies in a couple of different places. On her national security policy page, she lays out her thoughts about China, which gives us a general sense of her security position in a more official way than her town hall comments above:
Hillary will work with allies to promote strong rules of the road and institutions in Asia, and press China to play by the rules -- including in cyberspace, on currency, human rights, trade, territorial disputes, and climate change -- and hold it accountable if it does not, while working with China where it is in our interest.
Granted, none of that translates to "I will do X to accomplish Y," but Clinton also indirectly talks about certain similar positions in her technology platform, listing these security issues as some of her core tenets:
- Promote Cyber-Security: Hillary will build on the U.S. Cybersecurity National Action Plan by empowering a federal Chief Information Security Officer and upgrading government-wide cybersecurity.
- Safeguard the Free Flow of Information across Borders: Hillary supports efforts like the U.S.-EU Privacy Shield to find alignment in national data privacy laws and protect data flows across borders.
- Commercial Data Protection: Advances in computing like the rise of "big data" and the Internet of Things are yielding transformative benefits, but raising important questions about privacy. Hillary's approach to privacy will be to encourage high standards -- and affirm strong consumer protection -- through regulatory enforcement in an adaptive manner that doesn't stifle innovation.
- Protect Online Privacy as well as Security: Hillary supports creating a national commission on digital security, so that the technology and public safety communities can work together on solutions that address law enforcement needs while preserving individual privacy and security.
The main takeaway here is pretty simple: Clinton likes the basics of President Obama's Cybersecurity National Action Plan and wants to build on it. The plan calls for pushing multi-factor authentication awareness, credit card transaction security, and the creation of a new high-level position, the Federal Chief Information Security Officer.
Most of the new internet security initiatives in the plan fall under the Department of Homeland Security, and are a general push for better security in government and consumer institutions. Aside from that, Clinton's plans build on what President Obama has already started, with no hard specifics just yet.
Hillary Clinton's Cybersecurity History Is Complicated to Say the Least
Looking back over her time as Secretary of State, the private email server controversy, and what she's said publicly in interviews, it's clear that Clinton's above policy is "do as I say, not as I do."
Let's start with Clinton's private email servers. As The Washington Post lays out in detail, for the four years she was Secretary of State, Clinton operated and used a private email server with an insecure private email account. That wouldn't normally have been an issue if she hadn't used it for official government business, instead of her official state.gov email address. Nobody noticed until the State Department responded to a request for documents from congressional investigators, only to find emails sent to and from a personal, non-State Department email address for Clinton. Clinton claims the whole affair was because she didn't like carrying two devices, one for work email and one for personal email, but still wanted to get work done.
Clinton has routinely claimed the State Department allowed private email servers, a fact refuted by the State Department Office of Inspector General. In the end, the FBI decided that Clinton's actions were "careless," but not illegal, and decided not to recommend charges. Even so, when it comes to information security, carelessness can have serious repercussions.
Beyond that, the AP reported last year that Clinton's State Department cabinet was horrible at sticking to security standards, criticism that the State Department was, to its credit, willing to accept:
The State Department was among the worst agencies in the federal government at protecting computer networks...The State Department's compliance with federal cybersecurity standards was below average when Clinton took over but grew worse in each year of her tenure, according to an annual report card compiled by the White House based on audits by agency watchdogs.
Clinton has endorsed an NSA reform bill that would roll back mass surveillance, but has publicly spoken against Edward Snowden's leaks. She's also noted that while she supports NSA reform, she doesn't want it to go too far. Clinton told Fresh Air's Terry Gross that, "collecting information about what's going around the world is essential to our security." Even more recently, she called for more surveillance after the terrorist attack in Brussels.
Clinton has also called out China as a security threat and commented last year that most pending security legislation doesn't go far enough to coordinate and share information between public and private organisations. To that point, in one of the Democratic debates Clinton said she doesn't support forcing companies to build backdoors or release encryption keys to law enforcement. Instead, she supports a kind of "Manhattan Project" to help law enforcement break encrypted communications on their own. She also seems to imply that companies should want to help the government break encryption when needed, but doesn't think they should have a legal obligation to do so.
Clinton did not vote on the updates to the Patriot Act or the FISA Amendments Act. She never commented on the Cybersecurity Information Sharing Act (CISA), which was basically a revised version of the reviled CISPA, a security bill that would have forced private companies to turn over personal data to the government when asked.
Despite how she's handled things in her own office, Clinton's tone has been politically moderate with regard to security. She seems to want stronger security for public and private organisations and better security tools for law enforcement that won't intrude on personal privacy. It's a tall order, and she doesn't do a great job of outlining exactly what that would mean, or how it would work, if it even could.
Donald Trump's Cybersecurity Policy
Since Donald Trump has never held a position in public office, and doesn't have a formal position on internet security, it's difficult to get an idea of what his policies might look like if he ends up in the White House. He does, however, talk a great deal, so it's not difficult to collect an overview of his opinions.
What Donald Trump Has Officially Outlined
Trump has no official statement, policy page, or document that outlines his stance on information security or personal privacy. His position statements make no mention of anything related to the internet, data security, or national security in any way. In short, he's outlined nothing.
Donald Trump's Public Stance on Cybersecurity
As has been the theme with Trump's campaign, his cybersecurity positions seem to be seat-of-the-pants. His most direct response to internet security questions comes from an interview with the New York Times:
First off, we're so obsolete in cyber. We're the ones that sort of were very much involved with the creation, but we're so obsolete, we just seem to be toyed with by so many different countries, already. And we don't know who's doing what. We don't know who's got the power, who's got that capability, some people say it's China, some people say it's Russia. But certainly cyber has to be a, you know, certainly cyber has to be in our thought process, very strongly in our thought process. Inconceivable that, inconceivable the power of cyber.
And again, even more recently with the New York Times:
SANGER: Would you support the United States' not only developing as we are but fielding cyberweapons as an alternative?
TRUMP: Yes. I am a fan of the future, and cyber is the future.
These are the best two looks we've had at Trump's potential security policies, but we can piece together a little more from his comments over the years.
In an interview with Hugh Hewitt back in 2015, Trump says he "errs on the side of security," continuing, "I assume when I pick up my telephone people are listening to my conversations anyway, if you want to know the truth." He finishes by saying he would be "fine" with restoring provisions of the Patriot Act that allow for bulk data collection. Trump has declined to address CISA.
How much he errs to the side of security might best be revealed by his call for a boycott of Apple earlier this year. Trump wanted Apple to give up encryption keys for the iPhone owned by the shooter in San Bernardino (even though that wasn't possible, and it wasn't what the FBI requested), saying:
Boycott Apple until such time as they give that information... Apple ought to give the security for that phone, OK. What I think you ought to do is boycott Apple until such a time as they give that security number. How do you like that? I just thought of it. Boycott Apple.
It's not clear whether Trump thinks the government should have used legal tactics to pressure Apple, or if boycotting Apple would have made them change their position. Speaking of leaning on companies though, Trump has also called for Bill Gates to work on "closing the internet in some way," despite the privacy, First Amendment, and logical problems that might entail.
In his 2011 book, Time to Get Tough: Making America #1 Again, Trump's homeland security policy revolves around the idea that "all freedoms flow from national security," and one of his seven core principles of foreign policy is to, "See the unseen. Prepare for threats before they materialise." Another one of those principles is to, "Keep the technological sword razor sharp," which seems to echo his belief that cyber is the future.
As for the Edward Snowden leaks, in an interview in 2013 with Fox and Friends, Trump called him a traitor and suggested executing him.
Finally, there's also the fact that Trump (supposedly jokingly) asked Russia to hack Hillary Clinton's email servers (and has more than a few alleged ties to Russia) and in 2014 Trump asked hackers to look into Obama's college records for place of birth, both of which suggest that whatever security policy Trump ends up with, he seems to take the idea of security lightly.
Trump's plan (or lack thereof) seems to call for a general increase in security, in the context of national security and defence, but not necessarily in terms of public organisations, government agencies, or private entities. His comments imply this is also potentially at the cost of privacy and freedom of speech, while also calling for an increase in what law enforcement can force private companies to do. Ultimately, his policy is unclear, and will remain so until his campaign publishes something substantial.
Illustration by: Angelica Alzona