US president Donald Trump has finally signed an executive order on cyber security almost three-and-a-half months after the signing was initially scheduled to take place on 31 January 2017.
As expected, the executive order is aimed at improving the cyber security of US government agencies, modernising US computer networks and protecting critical national infrastructure from cyber attacks.
Among the requirements is that government department and agency heads must be accountable for managing cyber security, implementing risk management measures and updating their systems.
“The executive branch has for too long accepted antiquated and difficult–to-defend IT,” the order said.
The order also requires a co-ordinated effort across government agencies to support operators of critical national infrastructure in their cyber security efforts.
It calls for action to improve the resilience of internet and communications networks and to encourage collaboration between stakeholders, as well as for an assessment of the potential scope and duration of a power outage resulting from a cyber incident and of the readiness of the US to deal with such an incident.
The order calls for reports on the cyber security risks facing the defence industrial base and US military platforms, systems, networks and capabilities; on the strategic options for deterring adversaries and better protecting the American people from cyber threats; and on US international cyber security priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building and co-operation.
To ensure that the US maintains a long-term cyber security advantage, the order requires a report on the sufficiency of efforts to educate and train the American cyber security workforce of the future, together with recommendations for supporting the growth and sustainment of the US cyber security workforce in the public and private sectors.
Order lacks actions, say critics
The executive order has been praised for aiming to understand and address the gaps in US cyber security capabilities, and for focusing attention on the US capability to defend its critical infrastructure, but critics say it falls short in terms of action.
The Information Technology and Innovation Foundation (ITIF), a US science and tech-policy think tank, said the executive order was disappointing.
“This executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats,” said Daniel Castro, ITIF vice-president.
“Cyber security should be a top priority for the Trump administration. The last administration put together a commission which left a comprehensive set of action items for the new administration to pursue that should have been the starting point for this order. While the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions,” he said.
Castro said the order leans heavily on the government for ideas and implementation rather than a public-private partnership approach.
“This is somewhat surprising given this administration’s belief that the private sector can generally do things better than government. Moreover, the private sector has the deepest bench of cyber security talent, so the federal government will likely need to look outside its ranks to stay on top of these issues,” he said.
However, Castro said it is a good sign that the White House included much-needed government IT modernisation and consolidation as part of the executive order. “While there are many reasons to pursue IT modernisation, the administration is likely to have the most success getting this done as a cyber security mandate rather than as a push for efficiency,” he said.
The single biggest opportunity facing the new administration is modernisation, said Amit Yoran, CEO of Tenable Network Security.
“This requires smart investments in security technologies that can help government agencies understand and reduce their cyber risk. As agencies embrace modern IT, including shared cloud services and internet-enabled devices, it is important to understand the changes in the attack surface and embrace opportunities to enhance security,” he said.
Yoran said the order’s prioritisation of assessing and mitigating known vulnerabilities is a good step forward. “Agencies need the tools to detect networked devices and systems, and the ability to identify and prioritise methods to best mitigate risk,” he said.
Call for cyber revolution
Phil Dunkelberger, former CEO of PGP and current CEO at Nok Nok Labs, said the executive order is essentially a continuation of what the US has already been doing and, in many cases, failing.
“The industry and government needs a revolution. The executive is an evolution and continuation of the same frameworks and reports that we’ve been seeing for the past 10 to 15 years,” he said.
“We have made strides, but the question is are we moving fast enough? Unfortunately, the threat factors around us are evolving at a much faster pace. We need to be much more assertive and aggressive as our adversaries aren’t playing by any rules.”
While the order on strengthening government’s cyber security defences should bring some focus to efforts to protect critical infrastructure, there needs to be less focus on the cyber security incidents of the past, said Kevin Bocek, chief cyber security strategist at Venafi.
“To keep government agencies and businesses safe, the government orders and initiatives like this one need to be expanded to include threats that have the potential to affect us in the future. Cyber criminals are beginning to target cloud services, IoT [internet of things] devices and the wide range of new device types and applications businesses around the world employ,” he said.
“Government-led cyber security initiatives must encompass these changes or we will remain vulnerable. One of the most important aspects of effective cyber security protection is the preservation of strong encryption – this is critically important to keeping countries and businesses competitive in the global economy, ensuring safe digital commerce and preserving liberty.”
UK post-election surveillance plans
In the UK, documents leaked to the Open Rights Group indicate that, after the election, the UK government plans to introduce regulations on technical capabilities notices (TCNs) under the controversial Investigatory Powers Act that will require telecommunications service providers to provide real-time access to citizens’ data even if it is encrypted.
Open Rights Group executive director Jim Killock said the proposed powers could be directed at companies such as WhatsApp to limit their encryption.
“The regulations would make the demands that [home secretary] Amber Rudd made to attack end-to-end encryption a reality. But if the powers are exercised, this will be done in secret,” he said.
“The public has a right to know about government powers that could put their privacy and security at risk. There needs to be transparency about how such measures are judged to be reasonable, the risks that are imposed on users and companies, and how companies can challenge government demands that are unreasonable.
“Businesses and the public need to know they aren’t being put at risk. Sometimes surveillance capabilities may be justified and safe but, at other times, they might put many more people – who are not suspected of any crime – at risk,” he said.
The government has indicated it intends to ensure UK data protection laws are consistent with the European Union’s (EU’s) General Data Protection Regulation (GDPR) at the point of Brexit to ensure there is no disruption to data flows between the UK and EU member countries.
However, UK information commissioner Elizabeth Denham and others giving testimony in House of Lords EU Home Affairs Sub-Committee hearings on the new EU data protection package have said the government should be aware any inconsistencies between provisions under the Investigatory Powers Act and EU law could be a stumbling block.