Why candidates are missing the point on cyber

Hacking China back is not the solution to American cyber vulnerability, experts warn. Voters need to start demanding that presidential candidates take a deeper look at the issue.


In a Republican debate that focused on the economy, a threat that could destroy the U.S. economic system barely came up.

Cybersecurity was little mentioned in the Nov. 10 GOP presidential debate in Milwaukee, and when it did come up, candidates went for aggressive applause lines instead of truly constructive strategies.

Ohio Gov. John Kasich made a passing reference to conducting retributive cyberattacks on China, and New Jersey Gov. Chris Christie pledged to hit China hard after years of Chinese hacking of U.S. organizations.

"If the Chinese commit cyber warfare against us, they are going to see cyber warfare like they have never seen before," Christie promised.

He also referenced a tactic that others have floated: hack the Chinese government and display sensitive information to the Chinese people.

"That is a closed society in China, where they're hiding information from their own people," Christie said. "Real fun in Beijing when we start showing them how [the Chinese government is] spending their money in China."

But China is not the only threat, and experts have warned that retributive hacking could be ineffective or could even backfire.

Offense is not the best defense

"Never, ever stoke the bear," warned Johannes Hoech, chief marketing officer at Identity Finder and former WhiteHat Security executive.

Plenty of criminal hackers are sociopaths who will ramp up their hacking if they get pushback, Hoech said. A smart defense is the way to deal with hacking threats, he added.

"This is not World War II, where you can drop a nuclear bomb and it's over," Hoech said, calling Kasich's and Christie's comments "electioneering grandstanding" that does not show any real understanding of cybersecurity threats. "If you think that the way to handle cybersecurity is to go on the offense, you fundamentally don't understand what you're up against."

Both parties' candidates are guilty of cybersecurity failures, he added.

Democratic frontrunner Hillary Clinton ran an unsecured personal email server while secretary of State, and former Florida Gov. Jeb Bush included thousands of Social Security numbers in email messages he released to the public in the name of openness.

What should voters be asking about cyber?

Much of the American public has become desensitized to data breaches, Hoech said, because they've been insulated from the direct costs of breaches. But that won't last.

Future hacks could cripple the financial system by exposing credit card numbers or SSNs at such a scale that payments can't be processed, Identity Finder CEO Todd Feinman warned. And the massive amounts of stolen data already available to bad actors, including the information taken during the Office of Personnel Management breach, could be used for long-haul malfeasance, the likes of which we can't necessarily fathom yet.

Feinman called the one or two years' worth of credit monitoring for breach victims "just a PR stunt. That's useless," because hackers will sit on data for a long time before using it.

In the interest of protecting the nation's infrastructure, voters ought to be interrogating presidential candidates on important cybersecurity issues, he added.

Feinman said voters ought to ask: "What are you going to do to hold organizations accountable when they have a data leak?"

SSNs, in particular, are widely used and stored. Presidential candidates should consider ways to limit organizations' demands for those and other sensitive pieces of data, and work for the safe storage or secure destruction of sensitive data when companies no longer need it, he said.

He also recommended asking presidential candidates whether they support the Federal Trade Commission punishing companies for poor cybersecurity standards.

Ultimately, public and private organizations are unlikely to pay for better cybersecurity without a strong push from above, Feinman said.

Presidential candidates, in turn, are unlikely to use the issue for much more than a cheap talking point until the public starts demanding that they do otherwise.