Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/15/2017
10:30 AM
Carson Sweet
Carson Sweet
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Trump’s Executive Order: What It Means for US Cybersecurity

The provisions are all well and good, but it's hardly the first time they've been ordered by the White House.

The WannaCry ransomware attack has dominated headlines recently, and with good reason - it has infected hundreds of thousands of computers in close to 100 countries, shutting down hospitals in the UK, causing problems for companies as large as FedEx, and has so far earned the attackers at least $70,000 in ransom money.

It’s no surprise, then, that President Donald Trump’s Executive Order that seeks to improve cybersecurity across the federal government has flown under the radar since it was signed on May 11. The EO includes provisions for securing critical infrastructure, protecting against botnets and distributed attacks, and encouraging the development of more cybersecurity experts in the government’s workforce.

These provisions are all well and good, but this is hardly the first time they’ve been ordered by the White House. President Barack Obama issued a similar order in 2016, and another one in 2013. Even the Bush administration was concerned about cybersecurity.

High-level orders just like this one come out with every administration, and they all essentially say the same thing: Thou Shalt Assess and Protect. The problem is that the follow-through usually doesn’t deliver the resources agencies need to get it done. Many of the security and compliance requirements, while necessary, are so onerous to implement that they obviate much of the value that agencies seek from cloud models. The question then becomes how well the administration can identify and eliminate the obstructions agencies face as they consider adopting cloud and shared services.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

In particular, the explicit botnet research component of the order stands out as very odd. It feels almost like it was authored by someone who only very recently learned what a botnet is, was shocked to learn they existed, and now believes they’re the root of many problems. It’s entirely unclear why botnets are highlighted instead of APTs, malware, etc. Ransomware is particularly notable in its absence considering the timing of WannaCry. But in any case, a government directive at this level should be more broadly focused than to call out one individual threat vector in a sea of thousands.

The EO gives both the Office of Management and Budget (OMB) and The Department of Homeland Security (DHS) 60 days to assess how well the current state of federal cybersecurity lives up to all these provisions AND to create a full plan to tackle any and all weaknesses.

The first part of this, simply putting the audit reports together, shouldn’t be too difficult since agencies are likely to have most of this info on hand and will just need to assemble it. The bigger question is how OMB will manage to get through reports for every department of the federal government in only 60 days. Even if the reports are available tomorrow, (and they won’t be), that timeframe is … ambitious. It really doesn’t seem to be informed by a solid understanding of practicalities.

If this Executive Order was part of a truly well-coordinated effort, it would call for the hiring of a Federal CISO to work with all departments to ensure security is consistently implemented across the entire government. This person would be accountable for actually understanding the practicalities and dealing with them, which is key since accountability is trumpeted throughout the order.

Most agencies already have their own CISOs and significant security organizations in place. They not only work to keep their departments secure, but also act as a convenient place for department heads to point fingers when things go awry. The EO emphasizes that this isn’t acceptable and that department heads will have to take full responsibility for their security failures, just as a corporate CEO is held accountable if their own CISO fails to live up to his or her job.

Like so much else in this order, though, this is nothing new. Agency heads have been accountable for some time, so if anything this is really just a loud reiteration of accountability. FISMA (and related standards tied to it) are one example of where accountability has already been established. Without a Federal CISO to oversee everything, it’s hard to see how repeating that people will be held accountable will actually make them accountable.

Only time will tell if this new order will be any more successful than its near identical predecessors at improving government security and keeping future WannaCry level exploits from making their way into the wild.

Related Content:

Carson Sweet is co-founder and chief technology officer for CloudPassage. As founding CEO, Carson led the team that created Halo, the patented security platform that changes the way enterprises achieve infrastructure protection and compliance. Carson's information security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3622
PUBLISHED: 2020-01-22
A Cross-Site Scripting (XSS) vulnerability exists in the admin login screen in Phorum before 5.2.18.
CVE-2020-5221
PUBLISHED: 2020-01-22
In uftpd before 2.11, it is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem due to the lack of a well-written chroot jail in compose_abspath(). This has been fixed in versio...
CVE-2019-19834
PUBLISHED: 2020-01-22
Directory Traversal in ruckus_cli2 in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote attacker to jailbreak the CLI via enable->debug->script->exec with ../../../bin/sh as the parameter.
CVE-2019-19836
PUBLISHED: 2020-01-22
AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote code execution via a POST request that uses tools/_rcmdstat.jsp to write to a specified filename.
CVE-2019-19843
PUBLISHED: 2020-01-22
Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote credential fetch via an unauthenticated HTTP request involving a symlink with /tmp and web/user/wps_tool_cache.