It didn’t take President Trump long to weigh in on Federal Government cybersecurity. And it took even less time for all kinds of corporate “talking heads” to issue their own self-serving readings of the Executive Order.
There isn’t much there. No move to the “cloud”. No massive consolidation of resources into a single huge Government data silo. No mandated changes to civilian cloud security.
As for the “cloud”: if you have something of value, it doesn’t belong there. There are so many holes (CPU cache side-channel exploits, memory sniffing, CPU process attacks) that it’s ridiculous. No, the cloud is going to continue to be the place where you put stuff that can be hacked, pilfered, and used against you. You’ll need a trillion-dollar forklift upgrade to CPUs that are “cloud-aware”, plus the corresponding hooks in the virtual machine hypervisors, before there is any real improvement there. Imagine an implementation similar to what Windows does with hardware DEP (Data Execution Prevention) on stand-alone processors that support it (most do, nowadays).
In fact, President Trump mentions the word “cloud” twice in his Executive Order, and the phrase “Shared IT Resources” three times. Of course the terms “cloud” and “Shared IT Resources” are both pretty nebulous; they mean different things to different people. Perhaps not surprisingly, these terms are not even defined in Section 4, “Definitions”.
The complete Executive Order, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” can be found on the Whitehouse site here.
What President Trump does do is express his concerns about DDoS (Distributed Denial of Service) attacks and their mitigation. He wants to see a plan to ensure US competitiveness in cloud infrastructure. He makes Department Heads accountable for inadequate INFOSEC and operational readiness in their agencies. He wants all US Government agencies to adopt NIST’s (National Institute of Standards and Technology) “The Framework for Improving Critical Infrastructure Cybersecurity”, a.k.a. “the Framework”, as the method to ensure security.
The Cybersecurity Framework draws heavily upon the publication (still in DRAFT status) NISTIR 8170, “The Cybersecurity Framework: Implementation Guidance for Federal Agencies”, which was developed over the last few years. Note that NISTIR stands for “NIST Interagency Report”. As with everything bureaucratic in nature, you can never have too many acronyms, and there are plenty of them in NISTIR 8170.
The real challenge is that agencies have only 90 days to deliver their compliance findings and reports to President Trump. Still, the top-level approach the NIST took is interesting. It probably should be implemented by every company in the US.