[Dailydave] Cyber Politics By Other Means

Dave Aitel dave at immunityinc.com
Fri Jan 27 11:42:20 EST 2012

Dear DD - attached is some red meat. :>


It is, of course, very possible that hackers will get to help choose
America's next president. Possibly not in the most direct way (aka,
attacking the electoral system directly, the candidates, or the super
PACs that support their campaigns), although this did happen to some
extent last time around
But also, of course, indirectly in that cyber security is a beach ball
used by the candidates and addressed by the candidates during their
campaigns. So at some level it is interesting to compare and contrast
the campaigns on the issue.

Cyber security is a part of the overall Internet and high-tech policy of
each of the campaigns, touching upon copyright, patents, regulation,
free speech, foreign policy, and other issues. But as it is rising in
importance in the world at large, it is also becoming an increasingly
visible part of each campaign's strategy and message. Below I split each
of the campaigns out and share my opinions (as someone who has worked in
cyber security for over a decade both as part of the Government and in
the private sector) on their strengths and weaknesses.

  Newt Gingrich

Wired has an article
<http://www.wired.com/dangerroom/2012/01/newt-goes-to-cyberwar/> on Newt
Gingrich on this issue out recently - and it is suitably hawkish on
cyber security (or Cyber War, cyber security's bigger, scarier cousin).
Newt Gingrich has the significant advantage of being a science geek and
thus can speak to the cyber security population in their own language.
For example, he can quote Dune or other science fiction, and thus is
less likely to trip over his words or have a "series of tubes" moment.
Although he is by trade not technical, he is able to at least sound like
he gets it. For example, his language in the Republican debates
regarding SOPA <http://www.politico.com/news/stories/0112/71697.html>
was exactly what the technical community wanted to hear - and more
eloquent on the subject than the other candidates on the issue. Only Ron
Paul met with similar approval in the technical community (by saying he
was against it from the beginning) and Rick Santorum was clearly on the
opposite side of the issue from the technical community. In one of the
early debates, the moderator asked the candidates what they saw as some
of the biggest threats against America that were going unaddressed, and
both Herman Cain and Newt Gingrich
listed cyber attack. That said, his positions have some nuance in the
and it's not clear who is advising him on cyber security, if anyone.
However, he never comes across as sounding uninformed on the subject in
his public interviews (the meat of thecoffeeandmarkets piece
is 16 minutes in or so and worth a listen).

  Rick Santorum

While in the Senate Rick Santorum served as co-chair of the critical
infrastructure protection committee, and he has been involved in
cyber-security issues.
hard to say that he's made much use of this experience on the campaign
trail, however. He may find it difficult to connect with the technical
community because of his stance on social issues. (More on that later).

  Mitt Romney

One way to find out how a candidate is going to move is to look at who
advises them. Two of Mitt Romney's senior advisers have given keynote
speeches at BlackHat, the largest information security conference in the
world - Cofer Black and Michael Hayden. Both are well known in the
community, and although neither is particularly technical, they both
have well formed and forceful opinions based on long experience - a sort
of hacker osmosis, if you will. To be specific, they both see a
<http://www.youtube.com/watch?v=pKZDYgj0KTA> clear and present danger
from foreign cyber espionage
against the economic and security interests of the United States. Mitt
Romney appears to use the phrase "cheating" when referring to these
issues (although in an early debate he was more specific), lumping them
a bit with larger copyright and trademark issues and almost entirely in
relation to China.

  Ron Paul

There's a large libertarian streak among hackers and cyber security
professionals, and it's evident in how many of them support Ron Paul
(sometimes in funny ways
That said, he does not always agree with the tech community's latest
drives. For example, he is not pro-net-nutrality
<http://www.youtube.com/watch?v=yCM_wQy4YVg> (see 52 minutes in).
Hacking is, in many ways, the discipline of studied iconoclasty, and no
candidate is more iconoclastic than Ron Paul. Hackers also tend to have
a lot of spare money, and no doubt some of that money is flowing to the
Ron Paul campaign. In the first debate in Florida, you'll notice
Gingrich was careful to avoid seeming inimical to Ron Paul's ideas on stage.

  Barack Obama

The White House's position on SOPA, which threaded the needle between
Hollywood and the tech community
<http://www.politico.com/news/stories/0112/71445.html>, was an example
of some of the different cards the current administration may play in
the upcoming campaign. While supporting Google as much as probably
possible against the Chinese cyber espionage attempts, the White House
has also taken positions on many other cyber security issues
, some of which have been widely criticized in the cyber security
community <http://news.cnet.com/8301-13578_3-10320096-38.html>. And the
industry has not exactly shrunk
under Obama - experiencing a robust boom even in times of otherwise
tight belts in the defense community. Administration efforts such as the
Cyber Fast Track <http://www.politico.com/news/stories/1211/70016.html>
have also received positive acclaim. When you have a member of the l0pht
running part of DARPA and Jeff Moss has a place advising DHS
<http://www.dhs.gov/files/committees/editorial_0858.shtm#16>, you've
built inroads to the community. It remains to be seen whether these
inroads are highlighted by the campaign.

If any Republican is to attack the current administration's policies on
cyber, it will probably have to be on "Effectiveness". I.E. It's all
well and good that the DHS has a new marketing campaign to increase
cyber security awareness
<http://www.dhs.gov/files/events/stop-think-connect.shtm>, but how does
that stop hackers from actually hacking into our water plants
with seeming ease? Unfortunately, this would essentially be a call for
further regulation, which seems like a hard argument for a Republican
candidate to make at the moment. You get this sense during some of the
debates, where Republican candidates call for more covert action against
Iran, and then have to circle back to "You know...things like Stuxnet".

  Social Issues

Taken as a whole, cyber security professionals are, like any other large
population, quite diverse. However there are some strong general trends.
For example, the overall population has a tendency to be quite
atheistic, libertarian, pro-gay-rights, and international. This may
swing hackers as voters (and donors) more towards Obama than the
eventual Republican nominee. You may remember Obama being bashed for
including "non-believers" <http://www.youtube.com/watch?v=twoXZE9U0Io>
in his 2008 inaugural address, for example.

So there are two future questions that bear thinking about as the
campaigns develop:
1. What, if any, influence will cyber security have on the presidential
2. What will change in cyber security if one of the Republicans wins?

I would opine that Mitt Romney's choice of advisers presents the
clearest indication not just that he will use cyber in his campaign, but
as to what his positions as a President would be. That is, strongly
hawkish against the ongoing economic cyber espionage conducted by the
Chinese and other countries against US Firms. Cyber security has been in
the news a lot this year, and I'd say there's a strong chance that
either he, or Newt Gingrich who is immersed in high tech culture more
than any other nominee, uses cyber security as a differentiation during
an upcoming debate. It has the advantage of being both suitably hawkish,
and having an impact on the most magic of words this year: "Jobs".

INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20120127/29c07c4b/attachment.html>

More information about the Dailydave mailing list