President Trump on Tuesday was scheduled to put his signature to an executive order calling for an assessment of the United States' cyber-security capabilities and weaknesses, according to a report from Reuters. However, by the end of the day he put off signing for undisclosed reasons.
When he does sign, the move will likely designate a number of reviews of the nation's posture regarding both offensive and defensive cyber capabilities.
On announcing the order at the White House, Trump pledged to "hold my Cabinet secretaries and agency heads accountable, totally accountable, for the cyber security of their organizations."
A draft of the order was published by the Washington Post on 27 January, stating: "The United States is committed to: ensuring the long-term strength of the nation in cyberspace; preserving the ability of the U.S. to decisively shape cyberspace relative to other international, state, and non-state actors; employing the full spectrum of our capabilities to defend U.S. interests in cyberspace; and identifying, disrupting and defeating malicious cyber actors."
Audits of the cyber preparedness of a number of US federal agencies will be initiated with the intention of determining how best to strengthen both defences in the nation's critical infrastructure and the federal government's efforts to attract and train personnel with technical skills.
Additionally, the order is expected to solicit strategies to aid the private sector in improving security implementations.
The order is expected to also initiate an audit of the cyber capabilities of several federal agencies, seek input on how to improve protections for critical infrastructure, and review government efforts to attract and train a technically sophisticated workforce. The order would also seek ways to give the private sector incentives to adopt strong security measures.
"Creating an incentive system for manufacturers to cook security into products is long overdue," John Bambenek, threat systems manager at Fidelis Cybersecurity, told SC Media on Tuesday. "The entire risk profile of the Internet of Things is that manufacturers who never had a huge need to worry about product cyber-security have rushed to put devices online while engaging in little thought of cyber-security."
The much-reviled Mirai botnets wouldn't exist, Bambenek said, if manufacturers followed best practices that were a consensus in the 90s – practices that included not having default passwords or unencrypted open services listening on the internet. "It's long overdue to make cyber-security part of the economic equation, and I look forward to what [the Trump administration] come up with on that front."
Bambenek added that while it is early in the administration, he believed some leeway should be given to them to define the problems for themselves. However, he pointed out, a number of studies have already been undertaken repeatedly and uncovered little new information. "We don't need more government white papers; we need some action already. Some of that action will involve routine, but unsexy, activities like introducing real risk management into how computing infrastructure is used in government and thinking beyond merely what classification labels are on documents."
Denelle Dixon, chief legal and business officer at Mozilla, told SC Media on Tuesday that it's difficult to evaluate the Trump administration's cyber-security policy because it is not yet developed, but expressed hope that the executive order indicates that cyber-security will be a priority for this administration.
"However, we are concerned with a shift in responsibility for cyber-security from a civilian agency to the Department of Defense," Dixon said. "We've talked about how protecting cyber-security is a shared responsibility and we believe that now more than ever. There is a need for governments, tech companies and users to work together on encryption, fixing security vulnerabilities and responsible surveillance."
Cyber-security is about more than attacks and nation-states, Dixon said. "Encryption, secure communications, government surveillance, lawful hacking, and even online privacy and data protection, at the end of the day, are fundamentally about securing data and protecting users. It's about the importance and challenges of the day to day necessities of making systems secure and trustworthy for the internet as a global public resource."
During an announcement on Tuesday, Trump brought out former New York City Mayor Rudy Giuliani to speak briefly about efforts to encourage public-private sector collaboration, a goal pursued aggressively under the Obama administration. The president also took a swipe at Democrats over hacks at the Democratic National Committee (DNC), saying that they had paid millions but had fallen short in cyber-security.