Why Don’t We Know More About Trump’s and Clinton’s Cybersecurity Policies?

Hillary Clinton and Donald Trump leave the stage after the first presidential debate.

Timothy A. Clary/AFP/Getty Images

Has personal cybersecurity ever been more political? So much of this presidential campaign has focused intense scrutiny on the security precautions taken to protect Hillary Clinton’s personal email server. But on Monday, the story changed a little (albeit temporarily), when security architect Kevin Beaumont tweeted that Donald Trump’s corporate email servers were running an outdated operating system and unpatched web server.

Vice Motherboard picked up the story on Tuesday, quoting a computer science professor who called the Trump server configuration “somewhat less than ideal” and also noting that Microsoft stopped providing security updates and support for the Windows Server 2003 operating system that Trump’s organization uses more than a year ago, in July 2015. Meanwhile, a Trump Organization representative told Vice: “The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.” (Let’s all take a moment to appreciate the art of boasting about 24/7 monitoring in computer security, as if to suggest there’s an army of tech professionals who stare intently at the packets moving across the network all night long, instead of a bank of machines that are never turned off.)

The security of Clinton’s personal and Trump’s corporate email servers matters, even if they delegated decisions about the day-to-day logistics to IT employees. But if you’re going to vote based on cybersecurity concerns—and, for the record, this is not an approach I recommend—then surely you’re more interested in how the candidates plan to reshape cybersecurity policy, right?

But cybersecurity policy—how the candidates would try to secure networks and data for the entire country, not just for themselves—has barely come up during the campaign. In August, the Washington Post asked experts to compare the two candidates’ cybersecurity policies, and perhaps the most striking thing about the commentary was how many of them said they needed to know more in order to do so. Former CIA and NSA Director Gen. Michael Hayden, for instance, said he “hadn’t seen enough from either campaign to evaluate their overall cybersecurity strategies.”

We know perhaps a little more now than we did in August. Clinton has said she’d like to continue building on existing initiatives, like the U.S. Cybersecurity National Plan. According to her website, she’ll “build on the Obama Administration’s efforts to stop China’s cyber-enabled economic espionage.” She also plans to “harden” federal networks by enforcing “well-known cybersecurity standards, such as multi-factor authentication,” encouraging government agencies to initiate bug bounty programs, and wants to support “expanded investment in cybersecurity technologies, as well as public-private collaboration on cybersecurity innovation, responsible information sharing on cyber threats, and accelerated adoption of best practices.”

There’s nothing wrong with those plans—multifactor authentication and bug bounty programs both have real benefits, and who could be against best practices? (The Trump Organization, you’ll recall, is also fond of using best practices.) But for a self-styled policy-focused campaign, they’re awfully light on the detail and completely sidestep the truly controversial issues, so we’re left to mine the WikiLeaks-released emails of her campaign staffers to try to pick up clues about what she really thinks should be the policies governing encryption.

On the other hand, Donald Trump takes vagueness and evasion of controversial topics to even greater heights on his website, where he explains he plans to “order an immediate review of all U.S. cyber defenses and vulnerabilities”; create Joint Task Forces to “coordinate Federal, State, and local law enforcement responses to cyber threats”; develop “offensive cyber capabilities”; and “order the Secretary of Defense and Chairman of the Joint Chiefs of Staff to provide recommendations for enhancing U.S. Cyber Command.”

I, of course, would like to see more detail from both candidates about what they would actually, concretely, do on these issues if elected. But it seems pretty clear that that’s not what the final weeks of this election will focus on. Instead, especially during Wednesday’s debate, we’ll hear a lot more about Clinton’s email, and read about a lot more of her staffers’ leaked emails, and blame Trump for egging on Russia in its theft of those emails. Maybe we’ll get lucky and get to hear a little about the cyber, but it’s not likely.

It’s tempting to suggest we’ll be using these candidates’ personal cybersecurity practices as a proxy for their actual (often lacking) policy statements on cybersecurity. But what’s really striking about this election is not that we’ve focused on individual cybersecurity choices and decisions over cybersecurity policy. Rather, it’s that we’ve apparently decided individual cybersecurity choices and decisions are so important, so indicative of a person’s character, that they rank up there with all the other individual choices and decisions that are brought up in presidential campaigns—decisions about who to sleep with or how to resolve marital struggles or how much to pay in taxes—as emblematic of a person’s intelligence, integrity, and fitness to be president.