White House issues Executive Order on cybersecurity, including hacker Hunger Games
Let the President’s Cup Cybersecurity Competition begin! And may the odds be ever in your favor
A year after the White House eliminated the position of cybersecurity coordinator, President Donald Trump called for everyone else to do the opposite and push cybersecurity coordination through worker training and recruitment.
"America built the internet and shared it with the world; now we will do our part to secure and preserve cyberspace for future generations," said Trump in a statement Thursday.
The Executive Order calls for supporting cyber workforce mobility between the private and public sector, without addressing how that will be accomplished. It calls for more training opportunities, for recognizing cybersecurity talent and holding agency heads accountable for risk management.
It directs the Secretary of Homeland Security to create a cybersecurity job rotation program, so government IT security professionals have an opportunity to learn from and share knowledge with different agencies.
The order calls for the use of the National Initiative for Cybersecurity Education (NICE) and NIST's Cybersecurity Workforce Framework to gauge the skills of industry practitioners and instructs the Director of the Office of Personnel Management (OPM) to compile a list of cybersecurity aptitude tests that agencies can use to evaluate practitioners.
There's also to be a Workforce Report to evaluate and make recommendations about government cybersecurity goals and talent development.
This might not end well
Then there's the Cup. The order demands a plan for an annual tournament, called the President's Cup Cybersecurity Competition (PCCC), which will be open to government employees and armed service members.
"The goal of the competition shall be to identify, challenge, and reward the United States Government’s best cybersecurity practitioners and teams across offensive and defensive cybersecurity disciplines," the Executive Order says.
There are to be individual and team events for various sorts of hacking, with cash awards of not less than $25,000. The first PCCC is to be held before the end of this year.
Katie Moussouris, founder and CEO of Luta Security, told The Register that the competition could be tricky to implement.
"From the experience running the BlueHat Prize competition for $250,000 in defensive research, we were forced by gaming law to restrict what we could consider based on the exact rules we published and didn't get to see some of the entries as a result," she said.
But Moussouris said overall the Executive Order is a good move, so long as it helps fill in the gaps where talent is scarce. Pointing to her Congressional testimony on the subject last year, she stressed the need for defense and maintenance.
"Our love affair and obsession with offense security skills can't overtake our practical workforce needs to prevent as many issues as possible and create a workforce of secure builders and maintainers, not just bug hunters," she said.
In a statement to The Register, Kevin Bocek, VP of security strategy and threat intelligence at security biz Venafi, said the Executive Order represents a positive step toward addressing cybersecurity threats. But he contends that acknowledging the need to address these threats isn't enough.
"It’s especially noteworthy that this new directive concentrates on addressing the US federal government’s lack of competitiveness when attracting and retaining talent," said Bocek. "If the government wants to recruit the greatest minds in cybersecurity, it must make sure our tools and technology are the best in the world and demonstrate their commitment to success by partnering with industry on key policy questions."
For example, Bocek urged the Trump administration to adopt the advice of industry experts and commit to not supporting encryption backdoors in consumer technology.
In March, the US Navy issued its Cybersecurity Readiness Review, in which it warned that the Navy "is preparing to win some future kinetic battle, while it is losing the current global, counter-force, counter-value, cyber war."
The Navy's cyber SOS was ignored earlier this week when Vice President Mike Pence told Navy personnel aboard the aircraft carrier USS Harry S. Truman that the aging ship will not be mothballed in 2025, something the Navy proposed in its 2020 budget. It's estimated that the Navy would have saved $20bn over the coming three decades by retiring the vessel.
Those funds could have gone toward cybersecurity or other more modern systems of interest to the Navy. Now at least Navy personnel will have some motivation to try for the PCCC prize money. ®