If You Can’t Protect Your Website, How Can You Protect The Country?

If politics is a contact sport, why do I expect that we will not hear the political argument, “If You Can’t Protect Your Website, How Can You Protect The Country?” Why do I think that it is unlikely to be used as a valid political attack in the public discourse within our current US election?

It seems to me that the main reason politicians stay away from using hacking as a political weapon is the ease with which it may be used against them at some point in the future. Politicians can’t change their public voting record, their former associations or last night’s speech (i.e., the past), but their website could be hacked in the future.

Imagine this scenario: candidate A gets hacked. Candidate B makes a big production about how this hack represents a deficiency in candidate A. Candidate B gets hacked. Candidate B is now in a weaker position than candidate A. If candidate B is not hacked over the course of the election, then they win this spin. Otherwise, the one who is hacked second becomes a weaker candidate. It’s a game of hypocrisy: “Candidate accuses me, but they can’t do it themselves…”

We can reframe our information security questions from a candidate’s perspective:

  1. Will the hack cause voters to sway from my opponent’s party to mine?
  2. Does this website hack reflect a larger political issue (such as a display of incompetence)?

In both cases, I think the answer is “No.” In the first case, it’s because there are more central issues regarding the health of our country. In the second case, website security is not a direct responsibility of the candidate; as such, it is unlikely to reflect poorly on them should something go astray. (In short, there’s someone else to blame.) So, there really isn’t the incentive to risk using a hack as a political weapon.

In the analysis above, I only considered a website hack because this just happened to Obama and because it is clearly a public incident. There are other incident types to consider (which I’ll leave to the reader’s imagination).

I’ll also go on record and say that if the incident is large enough in scope — for example, a candidate’s entire campaign headquarters is compromised — that may have a significant political effect that could sway voters’ opinions.

When first starting out in computer security, I downloaded SATAN by Dan Farmer and Wietse Venema. Bundled in Farmer and Venema’s download was their classic paper, “Improving the Security of Your Site by Breaking Into it.” In it they write:

CERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley. Purdue. Sun. You name it, we’ve seen it broken into.

Those words are as true today as in 1995. Consequently, I certainly wouldn’t stake my political career on a hack.
