Politicians are hitching their wagons to the star of cybersecurity.
Earlier this year, President Obama called for a cybersecurity summit at Stanford University, using the occasion to push for new legislation and announce new executive orders. Presidential hopeful Rand Paul raised his profile recently by filibustering a key portion of the Patriot Act on the Senate floor. And Jeb Bush has gotten in on the act, calling out what he deems the nation’s digital defense failings in a post on the social blogging platform Medium.
Bush’s thousand word proclamation—titled “The President Must Prioritize Cybersecurity”–is mostly rhetoric. In it he praises the economic potential of the Internet and admonishes attackers that have burglarized businesses and the public sector. He lauds Estonian ingenuity and decries the leadership of the Obama administration. He blasts defense budget cuts and defends the oft-vilified snoop work of the U.S. National Security Agency.
In word, he plants his flag. And that flag bears the distinct marks of hawkish heraldry.
“We have allowed these adversaries to threaten our citizens’ inherent right to a trusted, free and open internet,” he writes, censuring the attackers that have lately targeted retailers, health care companies, federal agencies, and others. “It doesn’t have to be this way.”
Bush’s statement sets his political platform into motion on the digital front. Using the example of the bleeding edge electronic reforms of the post-Soviet state Estonia, he says, “if you rely on the internet, you need to invest in protecting it.” And he asserts of the Internet and its central role in U.S. commerce: “Something so important must be a priority for the U.S. government, and yet it is not.”
He’s not wrong. Government has the poorest record of any industry sector when it comes to fixing software vulnerabilities, according to a recent report by the application security company Veracode. It also scores the lowest in adopting commonly accepted web application security measures. In an interview with Fortune, Veracode CTO and chief information security officer Chris Wysopal said: “The government sector—it shouldn’t be a surprise—is actually the worst over all industry vertical we looked at. Worse than retail.”
Still, there’s no denying that cybersecurity has become a top priority for the Obama administration, which has presided over a nation wracked with revelations of NSA leaker Edward Snowden; beset by endless cyberattacks; and left limping after embarrassing breaches of federal data. President Obama unprecedentedly named, shamed, and sanctioned North Korea for its role in hacking Sony Pictures Entertainment at the end of last year. He also passed executive orders boosting federal power to impose economic sanctions against hackers overseas.
But Bush points to the recent data breaches at the Office of Personnel Management as “emblematic of the cultural failure of the Obama Administration to take these threats seriously.” Then he uses the opportunity to pile on with a barrage of rhetorical questions:
What use is it that President Obama issued an Executive Order or gave a thoughtful speech about cybersecurity if his own Office of Personnel Management — the human resources department of the entire US Government — failed to take basic steps to protect the sensitive personal information of millions of its employees?
Where is the accountability? What consequences will there be for political appointees or bureaucrats who failed to heed warnings and adequately protect these key databases? What will happen to Katherine Archuleta who served as the National Political Director For President Obama’s 2012 reelection campaign before assuming her role as OPM Director? What message will it send to other managers throughout the government — and private sector — if there isn’t accountability?
Bush falls just short of calling for Archuleta’s head. He stands opposed, he says, to the current leadership’s policies. Never mind that Bush supports increased cybersecurity information sharing between the corporate world and government—a position he shares with president Obama, even if the latter disagrees with the Republican-backed bill that’s now wending its away through Capitol Hill.
In general, Bush asks a lot of questions but doesn’t answer many. That’s probably because the answers are tough, technical, and to be determined. As far as a plan goes, the only concretely stated one is to increase investment and spending in cybersecurity. But one should keep in mind that it’s not necessarily more money—more defense, military, and intelligence agency spending—that will beget better cybersecurity. After all, the U.S. spends more on defense than any other country by a long shot. It’s just as important to infuse the culture with better processes and practices.
Bush also takes a moment to side with the controversial work of the NSA. “The NSA is critical to our defense against foreign cyber-threats, and yet the political class in Washington has been more interested in treating the NSA as an enemy of the state rather than its defender,” he says. “We need to preserve and enhance the capabilities of the U.S. intelligence community and law enforcement to identify, deter, and respond to cyber-attacks.”
Overall, Bush’s post sets out to differentiate his position from competitors like Democratic presidential hopeful Hillary Clinton, who, aside from being a former member of the Obama administration, has been skewered for her unsecure email practices. And his stance puts him in direct opposition to contenders such as the libertarian Kentucky senator Paul, who have come down hard on NSA spying and on military spending.
Jeb Bush’s record, of course, isn’t blemish-free. Earlier this year he accidentally exposed nearly 13,000 social security numbers when making the contents of his email archive public. (In his defense, the Florida Department of State had reportedly approved the cache for publishing.) But the point is: Poor security is endemic to the Internet. And while it may be convenient to lambast the opposition for an ever escalating spate of hacking catastrophes, cybersecurity should be a nonpartisan issue. No doubt there will be a high hurdle for any politician to convince the public that there’s a simple solution to the nation’s security woes.