Trump signs executive order on cybersecurity, White House now runs the show

Promises to hold agency heads responsible for slipups

President Donald Trump has signed his long-promised executive order on cybersecurity – and it says the executive branch will take overall command of securing America's critical IT systems.

During his campaign, Trump promised a missive on cybersecurity within 90 days of taking office, but delayed the signing in late January. Now, 111 days after swearing to protect and uphold the constitution of the United States, the order has been signed, and it signals that Trump intends his staff to take command.

"The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises," the order begins.

"In addition, because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise."

All federal agencies (of which there are hundreds) will have to enforce the National Institute of Standards and Technology guidance document [PDF] and will report on their progress in the next 90 days.

The Secretary of Homeland Security and the Director of the Office of Management and Budget will then assess the reports and present the information to the President 60 days later. They will also produce a plan to protect the executive branch if there are holes in its security.

In addition, the Director of the American Technology Council will ask each agency for a feasibility plan for combining IT infrastructure for departments within 90 days. Agency heads will also, henceforth, give preference in IT spending to shared systems architecture.

The Secretary of Defense and the Director of National Intelligence aren't spared the report writing either. They will have 150 days to come up with a plan to protect national security IT systems and deliver it to the Assistant to the President for National Security Affairs.

But the US government can only do so much. Over 80 per cent of IT systems classified as part of the US critical infrastructure are in private hands. Trump wants the Secretary of Homeland Security, the Secretary of Defense, the Attorney General, the Director of National Intelligence, and the Director of the FBI (once he has decided who that will be) to report on strengthening these systems within 180 days.

Getting specific

Trump also wants a report, again within 90 days, on how to promote transparency in government security purchasing agreements. But the president also concentrated on specific threats.

  • He wants reports on the threats posed by botnets within 240 days from the Secretary of Commerce and the Secretary of Homeland Security. Up to a year later the report will be published, after possible revision, so the public can learn how the US intends to combat the threat.
  • The Secretary of Energy and the Secretary of Homeland Security also have 90 days to report on the threat by hackers (but not squirrels) on the nation's electrical system.
  • The Secretaries of Defense and Homeland Security and the head of the FBI have a similar period to review the resilience of the nation's military and industrial base to attack.
  • "To ensure that the internet remains valuable for future generations, it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft," the order states, without using the term net neutrality. To ensure this, Trump wants (you guessed it) a report on how to secure the internet in the next (I'm not giving you odds on this) 90 days, this time from the Secretaries of State, the Treasury, Defense, Commerce, Homeland Security, the Attorney General, the United States Trade Representative, and the Director of National Intelligence.
  • He also wants a report in the next 45 days on how the US can work with other countries to secure the internet. This will be produced by the Secretaries of State, the Treasury, Defense, Commerce, and Homeland Security, in coordination with the Attorney General and the Director of the FBI.
  • Domestic training ideas are wanted within 120 days from the Secretaries of Commerce, Homeland Security, Defense, Labor, Education, the Director of the Office of Personnel Management, and maybe some other agencies. To secure the skills to do this, the Director of National Intelligence has 60 days to produce a report analyzing other countries' efforts to train an IT security workforce. He'll also work with the Secretaries of Defense, Commerce, and Homeland Security to report in 150 days on how to maintain the US' position in cybersecurity.

There was no mention of encryption, or any plans to allow law enforcement to install backdoors. Nor were there any direct plans for action – at this stage it's reports only, please.

So basically: expect no movement on cybersecurity over the next three to six months. The players will have their hands full preparing the hundreds of reports the executive order demands, and will be far too busy to cope with anything else. ®
