After two full weeks of constant political speechifying, you would think that both Democrats and Republicans would have clearly articulated their positions on each and every issue at hand. Nope. Both parties are guilty of being long on rhetoric and short on details in numerous areas.
Take an issue near-and-dear to my heart, Cybersecurity. President Obama made cybersecurity one of his key issues in 2008. After being elected, the President had his share of cybersecurity starts and stops, but moving into the November election, his position is pretty clear. The President believes that the cyber threat is real, has the potential to be extremely damaging to our country, and fully support cybersecurity legislation such as the Cybersecurity Act of 2012 (which was voted down by Senate Republicans in early August). Mr. Obama spelled out his position fairly succinctly in a Wall Street Journal Op-Ed piece on July 19 of this year.
Given my interest and involvement here, I wanted to understand what Republican candidate (and my former Governor) Mitt Romney had to say about cybersecurity. After poking around the web for several days, I’m still unclear what his position is here, so allow me to speculate based upon what I did discover.
It’s likely that candidate Romney would default to the Republican platform created at the recent convention. There isn’t much substance in this platform but there is a fair amount of condemnation. For example, the Republicans call Mr. Obama’s cybersecurity strategy, “costly and heavy handed,” and say that it will “increase the cost and size of the federal bureaucracy and harm innovation in cybersecurity.” It also claims that the President’s approach has been “overly reliant on developing defensive capabilities,” and that there is no “active deterrence protocol.” Ultimately, the Republicans recommend a policy based upon public/private security intelligence sharing similar to the privacy-challenged SECURE IT Act proposed by Senator John McCain.
Okay, so I get the politics here – criticize the other guy in a way that fits your agenda. Thus it’s not surprising that the Republicans play the costly big government card when reviewing the President’s cybersecurity approach. Aside from this point, the Republican platforms seems like it was crafted by people who really don’t understand the issues here. “Harm innovation in cybersecurity?” How? By cooperating on best practices? By funding NSF grants and increasing investment in information assurance education programs?
And what about the statement that the President’s position is “overly reliant on developing defensive capabilities,” and that there is “no deterrence protocol.” What the heck does that mean? Have these guys looked at their own NIST-800 best practices on risk management which are heavily weighted to defensive capabilities? Have they seen what the regulatory-averse credit card industry demands for defensive capabilities with PCI DSS? And what should we do in terms of deterrence? Bomb data centers if we discover an attack coming from a hosted server? C’mon guys.
While I’m troubled by this ‘high on criticism/low on substance’ cybersecurity platform, I’m even more concerned that I couldn’t find anything specific on cybersecurity from the Romney campaign itself. The only thing I did uncover was a reference to a white paper on foreign policy titled, “An American Century – A Strategy to Secure America’s Enduring Interests and Ideals.” Apparently Mr. Romney discusses the importance of cybersecurity in this paper and claims it is one of eight actions for his first 100 days in office. The paper says that Mr. Romney would “order a full interagency initiative to formulate a unified national strategy to deter and defend against the growing threat of militarized cyber-attacks, cyber-terrorism, cyber-espionage, and private-sector intellectual property theft.”
So here’s my problem: We know we face an unprecedented cyber threat landscape. We know about cyber weapons like Stuxnet. Our infrastructure is vulnerable and our businesses are losing money every day to sophisticated cyber criminals, identity thieves, and fraudsters. We have a very good understanding about where we are weak and we know the best practices and technology safeguards needed to better manage risk. We don’t need lip service or more study here in the first 100 (or so) days of a new administration. We need a plan, we need action, and we need it as soon as possible.
If I were advising Mr. Romney, I would tell him that his cybersecurity position is extremely weak and makes him seem like a technology neophyte. This will likely make him look naïve and foolish when this issue comes up (and it will) – especially in light of the fact that the Republicans are supposed to be strong on Military and Defense. If I were advising Mr. Obama, I’d tell him to make this a campaign issue as quickly as he can. As of now, the Republican platform and Mr. Romney’s cybersecurity intransigence could give the President a distinct and visible advantage.