Cybersecurity and Metaphor in the Age of Donald Trump

To tackle growing threats to digital security, business and government must confront the danger directly.

Internet User Protection

Internet User Protection Concept Photo. Men Showing Tablet Computer Mobile Device with Internet Security Concept Illustration on the Display. Safety in the Internet.

With the rise of the Internet of Things, our world is becoming ever more interconnected. This is mostly positive. It means that every sort of relationship — among humans, among nation-states — will be altered by new abilities to communicate and to transmit information. Productivity will rise. Rote tasks will be minimized by automation.

But the benefits of greater interconnectedness come at a price: In past years we have feared the threat of identity theft, but more and more it is our autonomous vehicles, home security systems, and other very material things that are at risk.

Cybersecurity, especially the need for public sector improvements, is an issue with bipartisan support. It is something that elected officials on both sides of the aisle — including Donald Trump, inaugurated as president today — can agree on. Outgoing president Barack Obama phrased the challenge of government digital security well: “It is no secret that too often government IT is like an Atari game in an Xbox world,” he wrote in a Wall Street Journal editorial published in early 2016. Obama’s concern for America’s cybersecurity proved prescient, given what came later that year with the purportedly Russian hack of the Democratic National Committee.

Trump himself is a hawkish proponent of tougher cybersecurity. In October, prior to his election, he said the U.S. should have “unquestioned capacity to launch crippling cybercounterattacks. And I mean crippling, crippling.” He reiterated this point again a few weeks ago when he told reporters that no computer is safe. “The whole age of [the] computer has made it where nobody knows exactly what’s going on,” Trump added. “We have speed, we have a lot of other things, but I’m not sure you have the kind of security that you need.”

In response to these calls, the cybersecurity field has seen a resurgence over the past several years. The industry’s constituents include smaller start-ups like ProtectWise, big defense names such as Raytheon and Northrop Grumman, and next-generation tech players like Proofpoint and Symantec. (You can track the public companies with the Kensho Cyber Security Index.) Though there’s no easy solution, these companies are working to secure our collective cyberspace, both public and private.

Apart from private sector efforts, there are public policy changes that can help make our digital lives more secure. The new U.S. administration should, for example, prioritize a reimagining of the overly harsh Computer Fraud and Abuse Act (CFAA).

Enacted in 1986, amending a prior version passed in 1984, the CFAA has the draconian character of that tough-on-crime era. The legislation criminalizes accessing protected computers and networks, but its language is so broad that even actions taken in good faith can be construed as criminal activity.

For instance, the law could be used against someone who finds and responsibly discloses a weakness in a company’s website — it penalizes mere access to unauthorized computer systems. It’s like charging the person who finds your keys in your driveway and tries to return them by knocking on the front door.

The CFAA, which was at the heart of the case involving the late political activist Aaron Swartz, should be reworded and made more specific, carving out an exception for responsible reporting. This is crucial because cybersecurity is everyone’s duty, and the tech-savvy individuals who discover holes in computer systems should not be penalized for informing an owner in a timely and responsible fashion.

In 2015, then-president Obama called cyberspace the new “Wild West.” Although this may be an appealing metaphor, it breaks down when you consider the subtleties of cyberspace. It is only the Wild West for companies and other organizations that fail to implement security best practices, because well-known types of flaws, such as those publicized by nonprofits like the Open Web Application Security Project (OWASP), often prove to be the most dangerous. (OWASP’s list of top ten flaws has remained much the same through recent years.)

When it comes to cybersecurity, it is better not to take metaphors too far — especially when they attempt to limit blame, like the Wild West analogy does. This is too serious a matter.