Trump's cybersecurity strategy kinda makes sense, so why delay?
Out of all the executive orders he didn't sign, why did it have to be that one
Worrying and puzzling, indeed. But here's what's got computer security experts scratching their heads: why did Donald postpone signing a new cybersecurity executive order.
According to a leaked draft, the order will hold US government department chiefs more accountable than ever for computer security failings. The executive order will require senior government leaders to implement the cybersecurity defense framework developed by NIST – America's National Institute of Standards and Technology.
Trump's executive orders in other spheres – an immigration lock-down, popping his "white supremacist" advisor Steve Bannon onto the US National Security Council, and so on – have sparked controversy. By contrast, the cybersecurity order-that-never-was drew a sympathetic response – or, rather, a collective sigh that there was nothing too terrible in it, relatively speaking.
Richard Stiennon, chief strategy officer of Blancco Technology Group and author of There Will be Cyberwar, reckons the draft executive order made sense.
"Obviously more has to be done to not only protect federal agencies from cyber attack but also the nation's critical infrastructure," Stiennon said. "The concept of holding cabinet secretaries and agency heads accountable for the cybersecurity of their organizations is a good one. Each head of agency should take that a step further and push down accountability to those who are actually responsible.
"Each network administrator, system admin, and program manager should be held accountable for the security of their own systems. This will immediately surface major vulnerabilities as those responsible identify the obstacles to cyber defence they face."
Kirsten Bay, chief exec and president of Cyber Adapt, is an expert who has advised the White House and the European Union for many years. She said the "accountability element makes a lot of sense." She added the caveat that those responsible for defending America's computer systems have to be given the necessary resources.
Send in the auditors
The first draft of the executive order called for a 60-day review of vulnerabilities in US government networks. "This will not be too burdensome since this has been done by the previous administration," said Stiennon. "So, all that is needed is fresh look at priorities in the new reality of nation state influence and attacks."
Along with hunting for flaws, the review should look at storage: critical data stores should be identified and their protection prioritized, said Stiennon.
Rules and roles
"There are probably too many different groups claiming to be responsible for cybersecurity," Stiennon concluded. "Centralization could clear the confusion, although Department of Defense leadership may not be the right direction. It would be better to have a separate cabinet-level cyber leader, one with the technical and policy background to offer a real contribution.”
Cybersecurity discussions in the aftermath of Trump's unexpected success in the 2016 presidential election have centered on accusations of Kremlin interference. US intel agencies concluded that units of Russian military intelligence and the FSB sought to influence the election's outcome by hacking the Democrat campaign and leaking sensitive emails.
Trump was skeptical of these conclusions, suggesting that anyone – Russia, China, or someone in a New Jersey basement – could have infiltrated the Democrat political machine. This set the president against his intel agencies although, after a face-to-face meeting, he grudgingly accepted Russian hackers played some kind of small role. Ultimately, Trump is obsessed with image, particularly the image of him alone in triumphing in the election with no one else helping him; he did it all by himself because he's Donald Trump, the greatest man alive. Any suggestion that, actually, the Russians gave him a significant leg up is an outrage, in his mind.
US Congress is set to hold hearings about Russia's involvement, which is likely to guide future cybersecurity policy. "We haven't heard the last of the intel side even though it's a conversation President Trump doesn't want to have," Bay noted.
The draft policy leaves the scope of Trump's cybersecurity advisor Rudy Giuliani undefined. "It's an open question what he'll do," Bay told El Reg. Giuliani could occupy a similar role as Howard Schmidt, the cybersecurity coordinator of the Obama Administration.
A clear cybersecurity policy helps shape strategies with vendors and serves as the legal framework in which American online businesses operate and share people's private information. The delay in the executive order is unwelcome although hardly unprecedented: the Obama administration delayed the announcement of several policy positions. Admittedly, that was to consult with experts and politicians, revise and redraft, rather than blast out poorly written orders, Bannon-style.
Security experts speculate that the Trump administration's delay in releasing its cybersecurity policy may be connected to a dispute with tech companies over H-1B visas, a program the Trump administration is looking to curtail against the objections of Silicon Valley. There may also be some behind-the-scenes lobbying, or Trump – furious that Bannon apparently edited the national security council order without the president's knowledge before it was signed off – wanted a freeze on all further orders.
Perhaps Donald lost interest in the idea of making his agency chiefs accountable for security shortcomings: leaders within his government admitting failure could make him look weak, and he hates to look weak. Perhaps the order didn't go far enough.
"Politicians can be paralyzed by the complexity of cybersecurity and this can lead to bad policy or no policy, which amounts to the same thing," suggested Bay. While a shakeup in government cybersecurity is needed so Uncle Sam can adapt to new threats and types of attack, Bay said much more needed to done in applying and enforcing existing cybersecurity policies.
"We should be looking at how to implement rules that we've already created, as well as how we fund educational programs," Bay said.
It's unclear how well the Trump administration will work with experts in the information security world, especially when many specialists advocate greater international cooperation – which is at odds with Trump's seemingly protectionist philosophy. Still, there is one plus point: Trump has insisted that two regulations are torn up for every new rule introduced by government agencies. "We need less regulations and more action," Bay said. ®