2016 candidates will grapple with cybersecurity issues

The 2016 election could prove a turning point for presidential candidates on the issue of email security.

In recent weeks, the early frontrunners from each party — former secretary of State Hillary Clinton (D) and former Florida Gov. Jeb Bush (R) — have displayed a lack of awareness of standard email security and privacy procedures.

Although the incidents that enmeshed Clinton and Bush differ in many ways, experts say they both reveal a low prioritization of email security and privacy among officials, even those on the cusp of the White House.

“People just don’t even think about it,” said Darren Hayes, a digital forensics and computer security expert at Pace University. “It’s hard to think of a case where somebody got it right.”

{mosads}Clinton, the Democrats’ top White House contender, has faced growing criticism this week over revelations she used a private email setup. Many cybersecurity experts have expressed alarm at the system’s basic shortcomings.

Last month, Bush, a leading GOP candidate, was also criticized for lacking email privacy awareness. In an effort at transparency, Bush released a trove of emails from his private email server, which he used during his time as Florida governor. The dump contained citizens’ personal information, including Social Security numbers.

The incidents are thought to be spurring conversations among staffers for other potential White House seekers.

“Unquestionably,” said Jason Straight, chief privacy officer for UnitedLex, which advises corporations on cybersecurity practices. It’s “going to cause all the candidates right now to call whoever set up the email server in their closet and say, ‘You know, maybe we need to do something else.’ ”

Clinton’s system appears to have been designed with privacy in mind. But experts explained that it relied on generic encryption methods and inadequate system monitoring that potentially exposed all communications — personal or otherwise — to foreign states and hackers.

And while Bush kept his private server in his state office, not a personal home like Clinton did, the decision not to redact sensitive data was telling, experts said.

“Security takes a backdoor to other things,” Hayes said.

“I certainly hope this is the moment where we say, ‘Enough is enough,’” Straight said.

But analysts agree a wholesale change in approach is unlikely.

Email is ubiquitous and the lines between work and personal email are already hopelessly blurred, they say. Politicians can’t necessarily be condemned for mixing the two and coming up short on security matters.

“I think that the blame really needs to be leveled at the U.S. government as a whole, at [the Department of Homeland Security] and at the [National Security Agency] for not adequately warning political leaders and giving them secure methods of secure communications,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union (ACLU).

Once Bush and Clinton officially declare their expected presidential campaigns, both will almost certainly set up new private email services.

Many believe it’s unrealistic to expect these services to meet the high security standards that should apply to the communications of a politician potentially months away from the White House.

“It’s clear the campaigns themselves are not up to it,” Soghoian said. “That goes across party lines.”

In 2008, Chinese hackers infiltrated the networks for both the McCain and Obama campaigns, trolling for clues as to how the candidates would behave toward China if elected.

In 2012, Mitt Romney’s personal Hotmail account was infiltrated after a hacker was able to correctly guess his security question: “What is your favorite pet?”

“At some point you do become a target,” said Michael McNerney, a former cybersecurity policy advisor for the secretary of Defense and a Truman National Security fellow. “Maybe Clinton and Bush are at that level now and they should be afforded some type of security.”

Experts believe even a sophisticated, well-funded presidential campaign is going to have trouble staffing a robust security team.

“It’s very tough because how do you take somebody out of job where they’re in very high demand and ask them to be part of a political campaign?” Hayes said.

That leads some to wonder whether government needs to think about expanding the type of protections given to presidential candidates into the cyber realm.

“It’s certainly worth rethinking the rules,” McNerney said.

Soghoian points out that the Secret Service already provides official candidates with physical protection.

Perhaps the Secret Service should also offer “some forms of electronic security,” he said. The agency does already participate in cybersecurity criminal investigations.

Clinton and Bush’s email stumbles could be the instigator, McNerney added.

“I think this may cause that discussion to happen,” he said.