There were more than four hours of debate, 20 top candidates, and dozens of tough questions on immigration, healthcare, and foreign policy in the first official debate for the 2020 elections just a few weeks ago. But there was at least one major omission: cybersecurity. It was a glaring gap that was not mentioned by any candidate or moderator in either night.
It’s a missed opportunity. We talk about protecting our elections systems – the foundation of our democracy – but candidates have been largely silent on equally important long-term task of defending our country’s critical infrastructure, citizens and residents and its private organizations against cyberattacks. These are important issues that will face any person – Democrat or Republican – elected President in 2020.
There is another opportunity to address this topic later this month at the second round of Democratic Presidential debates held in Detroit, though it remains to be seen if moderators will bring up the necessary topic.
The need for this type of conversation has only become more evident in recent weeks, with tensions heating up against countries like Iran. And these tensions are spilling over into the digital realm. Some security firms said they have already seen hackers associated with Iran increase their offensive attacks against the U.S. government and critical infrastructure. The U.S. also conducted attacks last week against an Iranian intelligence group and previously against Russia’s Internet Research Authority. Nation states are more and more turning to cyber as an offensive form of attack, rather than traditional boots on the ground. The question is: what is our defense?
Some candidates this cycle have talked about election security specifically, but too few have talked about the need to invest more broadly in cybersecurity across government and industry. A few even brought up the election security issue briefly, criticizing the Russian interference in the 2016 election and the threat it posed to national security. But the debate this week was a good time to drill down further than that. It was a chance to hear what cybersecurity policies, priorities, and investments strategies candidates believe make the most sense for the whole government for the years to come. But that didn’t happen.
In the three years since the last election, cybersecurity threats have only become a bigger issue. Data breaches continue to ravage private companies and all levels of government. Ransomware attacks are hobbling multiple cities and companies. Critical infrastructure networks, like those that support oil, gas, and electric utilities, are under attack. Some estimates say that data breaches are on track to cost companies $2.1 trillion by the end of the year. The CISOs and CIOs I talk to every day have a bigger job than ever before to keep up with all of this.
One of the areas facing attacks is the government itself. For instance, the well-known breaches at the Office of Personnel Management exposed sensitive information on more than 21 million federal employees and contractors. What’s more, a Congressional report this week detailed how many major federal agencies still struggle with even the basics of cybersecurity, including using outdated systems or not knowing what devices they have attaching to networks.
There should be a discussion about what else can be done. For instance, how do candidates feel about setting up a cabinet-level position for cybersecurity? Do they have opinions on the recent recommendations by a presidential advisory bodyto undertake a whole-of-nation cybersecurity “Moonshot” initiative? Do they have a plan to nurture more cybersecurity talent to be available to serve our government missions and meet private sector demands? These are questions that don’t necessarily have a right or wrong answer, but they are ones candidates should consider carefully.
Candidates should also consider how they would approach attacks outside of the federal government. For instance, the city of Baltimore was recently hobbled for weeks by a ransomware attack that took down its computer systems. The attack is expected to cost the city more than $18 million. And Baltimore isn’t alone. Ransomware attacks have hit multiple cities recently with major financial and operational impacts. We have also seen malware targeting critical infrastructure facilities, like those using the Triton malware. Recent warnings against the BlueKeep vulnerability could also render some of our nation’s most critical systems potentially vulnerable. And companies of all types continue to be under attack.
These types of threats are evolving quickly and, in many cases, have scarce precedent for how to deal with them at this scale. But it is clear they are not going away. Candidates should consider if they believe the federal government should have a role in helping these state governments or critical infrastructure facilities. Moderators in future debates could ask, for instance, how they could improve intelligence-sharing about cybersecurity threats between the public and private sectors? They could also ask candidates’ positions on spending federal money to assist states in modernizing their systems, especially for critical services, to ensure their resiliency.
Finally, future moderators could ask candidates to reflect on their own cybersecurity measures, which might give voters a sense of the level of seriousness they assign to this issue. Campaigns are a well-known target for hackers. Microsoft, for instance, said this month that its threat intelligence team has detected hackers targeting groups that may be affiliated with political campaigns. In the intensity of a hopeful campaign, you can see where cybersecurity might take a back burner.
For the next administration, cybersecurity is certain to become an even more urgent, complex national imperative. It may become the defining national imperative of the next administration. This is surely worthy of a few minutes during every debate to come.