It’s old news by now that Republican presidential candidate Ben Carson—despite his medical degree—has a tenuous relationship with science. So I didn’t exactly have great expectations for his campaign’s cybersecurity plan, modestly titled “Prescription for Winning the 21st Century Cyberspace Race.” To be honest, I wasn’t expecting a dedicated cybersecurity plan at all, much less an op-ed dedicated to the topic by Carson in Re/code this week.
The op-ed makes several not-very-interesting, not-very-original points: that our society is very dependent on computers, that a hypothetical large-scale attack on the power grid would be devastating, that cybersecurity breaches can have very high costs. (And also that no one has any idea what those costs really are—Carson cites the cost of identity theft as being “anywhere from $25 billion to $50 billion annually.” There are also, of course, identity theft cost estimates out there in the $5 billion and $10 billion range. Take your pick.)
All of this would be perfectly standard and even expected if Carson were selling a cybersecurity product or consulting service. Instead, he’s selling a cybersecurity policy plan—and that alone is pretty unusual for someone running for office.
We take for granted that presidential candidates have economic plans and education plans and health care plans and foreign policy plans. (We may not want to hear about them in great detail, but it’s comforting to know they exist.) But the question of how people will deal with online threats has rarely—if ever—been a decisive factor in determining who wants to vote for them.
This is probably for the best, as it turns out, because not even Carson, with his eight-page plan, has any idea what he would actually do to deal with online security threats. But he offers a rousing nationalist (and largely nonsensical) analogy to the Soviet-era space race! (Andrea Peterson neatly picked it apart in the Washington Post.) His plan also includes no fewer than seven explicit references to “We the People” in a completely incoherent attempt to link cybersecurity back to the preamble of the U.S. Constitution. And he even has a name all picked out for a spiffy new government agency: the National Cyber Security Administration.
“This is not another federal bureaucracy,” Carson writes of the proposed NCSA (I think it’s safe to assume that it’s supposed to make you think of NASA), except that it would, of course, be another federal bureaucracy—on top of all the others currently vying to have their say on cybersecurity. (See, for instance, U.S. Cyber Command; the Department of Homeland Security National Cybersecurity and Communications Integration Center; the Department of Commerce; the Department of Energy; the Federal Communications Commission’s Communications Security, Reliability and Interoperability Council; and even the Food and Drug Administration, just to name a few.)
Carson claims that “the NCSA will consolidate inefficient government initiatives and offices, eliminating stovepipes and providing a central point for public-private cooperation.” That sounds great, except it’s almost exactly what the DHS NCCIC was intended to do when it was set up in 2009 to be a “central location where a diverse set of partners involved in cybersecurity and communications protection coordinate and synchronize their efforts.”
The weakness of the NCSA model might not matter so much were it not the only concrete thing Carson actually proposes to do about cybersecurity. Here are some of his other ideas: He wants us to “be prepared to defend not only our sensitive information, but also the networks, grids and servers that keep America running.” (Good call! Why hasn’t anyone thought of that before?) He also thinks we should “educate ourselves about the dangers which lurk online, and secyre [sic] our own computers against those who would take advantage of us,” and he’d like all of the government agencies to “work together, along with critical infrastructure providers, to protect not only their own systems, but the American people as a whole.”
Reading his plan, I have no clue how Carson intends to make any of that happen—and more than that, I fear he has no clue how many people, both within the government and outside it, have been working on exactly these issues for many years with relatively little success. I fear he has no sense of how hard it is to do the things he’s talking about. None of these are new ideas—except perhaps his proposal to establish a single phone number for people to call with any complaints or concerns about privacy and civil liberties; I can’t say I’ve heard that one before (or that a hotline sounds like a particularly inspired privacy solution).
Still, at least he has a centralized cybersecurity plan—or, more accurately, a centralized list of broad cybersecurity goals. Other candidates who talk about cybersecurity tend to do so in more modest and fragmented ways but are similarly vague on details. Hillary Clinton, for instance, mentions on her website, as part of her energy plan, that she wants to create a Presidential Threat Assessment and Response Team to help assess cybersecurity threats to the power grid. Her plan for regulating the financial sector also includes a nod to cybersecurity concerns, advocating for “regulators to consider cyber-preparedness as a significant part of their assessments of financial institutions” as well as better information-sharing and a greater emphasis on security in contracts with third-party vendors.
Donald Trump, to no one’s surprise, is the most vague of all when it comes to the specifics of his plan to address online threats from China. “China’s cyber lawlessness threatens our prosperity, privacy and national security,” his website states. “We will enforce stronger protections against Chinese hackers and counterfeit goods and our responses to Chinese theft will be swift, robust, and unequivocal.” (And that second sentence is bolded and underlined.)
So don’t bother voting based on the candidates’ cybersecurity positions because they’re all pretty much the same: Do a better job defending against online threats to critical infrastructure, intellectual property, and sensitive data—just as soon as we figure out how. Only one of them has promised a privacy hotline, however.