Trump signs executive order on cybersecurity, White House now runs the show President Donald Trump has signed his long-promised executive order on cybersecurity – and it says the executive branch will take overall command of securing America's critical IT systems. During his campaign, Trump promised a missive on cybersecurity within 90 days of taking office, but delayed the signing in late January. …
Work towards open, mathematically sound security standards which are secure for everyone? Recognising the fundamental principle that real security is better than security theatre.
No?
Oh, ok. Follow the UK! Compel people (in your country) to handover passwords. Compel companies to facilitate wide ranging communications interference/surveillance within 24 hours based on a name (USA has great track record of using Names alone to enforce security standards, I'm thinking no-fly lists). Ban any network traffic that isn't 'approved', and while you're at it ban any media content that isn't 'approved' (I'm thinking pr0n)
". . . it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft,"
So, a complete 180 then.
Consider the source of these commandments; a guy who still uses an outdated and easily pwnable S3 and a chat app more suitable to teens than some old fart with a Furby attached to his bald head pretending to be in charge, until anyone replaces him. And I mean anyone. His Cyber Security Czar is just some old douchebag, cheating husband from NY and has zero knowledge of the subject of his job. Tell me this isn't a field day for hackers everywhere? Hackers at the ready, wait for it, did I tell you the prize is getting a high level official fired?! GO!!1!
ATH+++
From the perspective of an outside observer with little more than passing interest in US politics, it looks like the current 180 degree turn is only the latest in a series without much evidence of any forward momentum..
The part that grabbed my attention though was the following:
the Director of the American Technology Council will ask each agency for a feasibility plan for combining IT infrastructure for departments within 90 days. Agency heads will also, henceforth, give preference in IT spending to shared systems architecture
I know it's easier to protect your IT resources behind one wall, instead of many (Trump wall related pun not intended, I swear!) but they'll put themselves at risk of data loss if they put too many critical systems side by side with other less valuable systems. It would be far easier for an attacker to avoid detection by hacking in through say the US parks IT systems and then find a way to tunnel from there into the FBI, or other federal systems. Even if they make the system as secure as possible, the value of the target will attract black hats like flies, and it will only take one of them finding a small hole to exploit for things to turn ugly.
Have an upvote.
Hopefully seriously expert people will be brought in on the sys architecture question. You're right, of course. The US military uses hardened Red Hat in certain situations precisely because it neither wants nor needs the systems used by a receptionist in the Dept. of Flog and Scrum running on a warship.
I very much hope that best practices will come to the fore, despite the current wording of the Order.
@Palpy: The US military uses hardened Red Hat ... precisely because it neither wants nor needs the systems used by a receptionist in the Dept. of Flog and Scrum running on a warship.
Uhm... Not so sure about that... Checked both links - this one is from the same source but dated later than the one you posted...
To be fair, the article mentions that 'Part of the Navy's strategy was forming a group designated the "Microsoft Eradication Team."' Chuckle... Nuke them from orbit...
Could we call this "shared services by the back door?"
He might like to have a little chat with his new BFF Mrs May on how well that's worked out in the UK.
Of course done right it could result in yuuge cost savings
"I know it's easier to protect your IT resources behind one wall, instead of many (Trump wall related pun not intended, I swear!) but they'll put themselves at risk of data loss if they put too many critical systems side by side with other less valuable systems."
Maybe the plan is to move the entirety of US officialdom in the cloud? Didn't the NSA just build an enormous data centre? That's convenient!
The first half of the order - get your shit together, report within 3 months - is surprisingly reasonable. I'd actually go so far as to call it a good idea.
But then comes the sting in the tail: "study the feasibility of merging systems". At the same time as securing them? That's... insane troll thinking. Either secure them first, then try to do some merging, or merge first and secure later. Trying to do both at once is a recipe for paralysis (if you're lucky), or (more likely, and I suspect the desired outcome) the biggest cost overrun in government history.
"Start over, from scratch."
What does that ever *mean*? Trash every single piece of equipment using electronics with an IP stack? And then go back to the trees while the cities are burning?
Your brilliant analysis is just about 30 years too late. Why didn't you think of it a bit earlier, before IP became omnipresent?
Because around 40 years ago, when I (and many other grad students) were working on TCP/IP at Stanford and Berkeley, all we were building was a research network to research networking. Security wasn't even thought of at the network level. If anything, we went out of our way to ensure that anybody, anywhere, could always access anything on the network. The only security was in the operating system of the connected hardware. Sometimes.
The fucking thing wasn't designed for computer and security illiterate consumers.
But trust me, we DID think about it back then. We discounted the very idea as laughable. I mean, who in their right mind would ever use this thing for anything important outside research papers and other academic nonsense?
To make it secure today, it would have to be torn down completely and rebuilt. From the ground up. With new protocols. And a new security paradigm, completely orthogonal to what we have now. And yes, that includes trashing all the hardware with embedded TCP/IP. Including your so-called "smart" phone.
Don't yell at me/us at the cost this will involve. We designed TCP/IP to be implemented in software, not hardware ... specifically so it could be replaced as research continued. Fuck-tards in marketing trying to run engineering firms put the kibosh on that.
And yes, I said "when". TCP/IP will be replaced. When, and with what, I don't know. But it's demise is inevitable. The longer it takes, the more it will cost, and not just financially. The human aspect is going to be ugly.
Have a nice weekend :-)
Anyone who says no, or 'Sorry Mr President we can't do that' is escorted from the building at the double.
One commentator on 'Wake up to Money' said that he needs to receive almost constant 'you are doing great Mr President' praises from those around him.
Comey suffered the Oliver Twist effect when he asked for more resources to investigate the Russian links.
Every day, I get more and more reminded of Dr Strangelove.
I'd better get that fallout shelter stocked ASAP.
Fair play to Trump as he is learning one of the important rules of being a politician.
Be seen to be doing something without actually doing anything.
What will be the content of these reports?
It's online and we has firewall.
Unless this is some kind of power grab of IT infrastructure. Maybe he's scoping the country out for the Russians. That's sarcasm btw in case anyone missed it.
The Secretary of Defense and the Director of National Intelligence ... will have 150 days to come up with a plan to protect national security IT systems
150 days? If they don't already have such a plan, constantly being revised, they aren't doing their jobs. They should be able to have that on the Oval Offcie desk by Monday, or start looking for new jobs better suited to their abilities.
Because as others have noted he's reputed to have a very short attention span. I'd suggest.
Brevity in the whole thing. But keep all the evidence in a bit Appendix you can show him if he complains it does not look like you've doing much work.
3-4 conclusions of a couple of (short) sentence each.
Like every boss for any problem you raise he wants to hear a solution. Better yet a couple of them.
Would it make any difference if he did read them? He has demonstrably no understanding of policy and no understanding of IT security, so even if someone can get him to sit down and read an IT security policy document, it's hard to see anything resulting from it.
So...the nation's cybersecurity is now directly in the hands of an administration who's transition plan included intentionally creating thousands of dead links on their own website. I'm truly beginning to think that doomsday preppers might have a point, even if some of them are clearly off their rockers.
Trump, stay in your lane! You don't have a clue what all the things that these reports will actually say, you can't even figure out how the new EMALS works on the new aircraft carrier (it's witchcraft!), don't go fooling about here. Let the pros handle business without any of your fuckery Donnie. If we leave this up to your dumb ass we'll go back to telegrams and the pony fucking express to send emails (not to be confused with EMALS, no that's witchcraft. You have to be Einstein to figure out digital). Just leave shit alone, you've already fucked up my country bad enough.
"So basically: expect no movement on cybersecurity over the next three to six months. The players will have their hands full preparing the hundreds of reports the executive order demands, and will be far too busy to cope with anything else."
That's more ore less what you'd like to achieve by deeply embedding one of your own in the control and command structure of your adversary.
One of the big problems is "legacy systems". If you have legacy systems running on old, insecure platforms, well it's hard to move to something simpler and therefore more secure. Feature creep in platforms leads to applications deeply embedding themselves in those features.
Maybe administrations should try to define sensible subsets of current platforms, essentially removing all non-essential features from the standards. Application vendors that already have well-behaved software will have little trouble to just work around a missing feature. If you tighten the standards more and more, and announce every change years in advance, you could discipline the market.
Then in parallel you design and build simpler, and therefore more secure computers. Those computers will emulate the previous legacy platforms, and once the currently used subset of features is implemented, you switch to them.
Today we have lots of needless features. We have whole operating systems running in "service mode" behind our backs... just so they can handle USB devices for the operating system. We have service after service running on the background for things that, in the most common case (single user, embedded system, server) could be done by a single shell script.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
