DRAFT (Inclusive of errors, et cetera - Editor) HatTip
Executive Order - Strengthening U.S. Cyber Security and Capabilities
STRENGTHENING U.S. CYBER SECURITY AND CAPABILITIES
By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:
Section 1. Policy.
It is the policy of the United States to defend and enhance the security of the Nation's cyber infrastructure and capabilities. Free and secure use of cyberspace is essential to advancing U.S. national interests. The Internet is a vital national resource. Cyberspace must be an environment that fosters efficiency, innovation, communication, and economic prosperity without disruption, fraud, theft, or invasion of privacy. The United States is committed to: ensuring the long-term strength of the Nation in cyberspace; preserving the ability of the United States to decisively shape cyberspace relative to other international, state, and non-state actors; employing the full spectrum of our capabilities to defend U.S. interests in cyberspace; and identifying, disrupting, and defeating malicious cyber actors.
Sec. 3. Findings.
America's civilian government institutions and critical infrastructure are currently vulnerable to attacks from both state and non-state actors. Criminals, terrorists, and state and non-state actors are engaging in continuous operations that impose significant costs on the U.S. economy and significantly harm vital national interests. These operations may disrupt or disable the functioning of important economic institutions and critical infrastructure, and may potentially cause physical effects that could result in significant property damage and loss of life.
The cyber realm is undergoing constant, rapid change as a result of the pace of technological innovation, the explosive global growth in Internet use, the increasing interdependencies between the networks and the operations of infrastructure and key economic institutions, and the continuously evolving nature of cyberattacks and attackers.
As a result of these changes, cyberspace has emerged as a new domain of engagement, comparable in significance to land, sea, air, and space, and its significance will increase in the years ahead.
The Federal Government has a responsibility to defend America from cyberattacks that could threaten U.S. national interests or cause significant damage to Americans' personal or economic security. That responsibility extends to protecting both privately and publicly operated critical networks and infrastructure. At the same time, the need for dynamism, flexibility, and innovation in cyber security demands that government exercise its responsibility in close cooperation with private sector entities.
The executive departments and agencies (agencies) tasked with protecting civilian government networks and critical infrastructure are not currently organized to act collectively/collaboratively, tasked, or resourced, or provided with legal authority adequate to succeed in their missions.
- Definitions. As used in this order:
The term "critical infrastructure" means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
The term "national security system" means any telecommunications or information system operated by the Federal Government or any contractor on its behalf, the function, operation, or use of which --
involves intelligence activities;
(ii) involves activities related to national security;
involves command and control of military forces;
(iv) involves equipment that is an integral part of a weapon or weapons system; or
is critical to the direct fulfillment of military or intelligence missions (but does not include a system used for routine administrative and business applications, including payroll, finance, logistics, and personnel management applications).
Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned in this order shall be provided through the interagency process established in National Security Presidential Directive of January 21, 2017 (Organization of the National Security Council and the Homeland Security Council), or any successor.
Q. Review of Cyber Vulnerabilities. Scope and Timing.
A review of the most critical U.S. cyber vulnerabilities (Vulnerabilities Review) shall commence immediately.
(ii) Within 60 days of the date of this order, initial recommendations for the protection of U.S. national security systems shall be submitted to the President through the Secretary of Defense.
Within 60 days of the date of this order, initial recommendations for the enhanced protection of the most critical civilian Federal Government, public, and private sector infrastructure, other than U.S. national security systems, shall be submitted to the President through the Secretary of Homeland Security.
(iv) The recommendations shall include steps to ensure that the responsible agencies are appropriately organized, tasked, and resourced, and provided with adequate legal authority necessary to fulfill their missions.
Review Participants. The Secretary of Defense shall co-chair the Vulnerabilities Review with the Secretary of Homeland Security, the Director of National Intelligence, the Assistant to the President for National Security Affairs, and the Assistant to the President for Homeland Security and Counterterrorism.
(c) Operation of the Vulnerabilities Review. The Co-Chairs of the Vulnerabilities Review shall assemble all information in the possession of the Federal Government that pertains to the most urgent vulnerabilities to national security systems, the most urgent vulnerabilities to civilian Federal Government networks, and the most critical private sector infrastructure. All agencies shall comply with any request of the Co-Chairs to provide information in their possession or control pertaining to U.S. cyber vulnerabilities. The Secretary of Defense, the Secretary of Homeland Security, the Assistant to the President for National Security Affairs, and the Assistant to the President for Homeland Security and Counterterrorism may seek further information relevant to the Vulnerabilities Review from any appropriate source.
Review of Cyber Adversaries. Scope and Timing.
A review of the principal U.S. cyber adversaries (Adversaries Review) shall commence immediately.
(ii) Within 60 days of the date of this order, a first report on the identities, capabilities, and vulnerabilities of the principal U.S. cyber adversaries shall be submitted to the President through the Director of National Intelligence.
Review Participants. The Director of National Intelligence shall co-chair the Adversaries Review with the Secretary of Homeland Security, the Secretary of Defense, the Assistant to the President for National Security Affairs, and the Assistant to the President for Homeland Security and Counterterrorism.
(c) Operation of the Adversaries Review. The Co-Chairs of the Adversaries Review shall assemble all information in the possession of the Federal Government that pertains to the identities, capabilities, and vulnerabilities of U.S. cyber adversaries. All agencies shall comply with any request of the Co-Chairs to provide information in their possession or control pertaining to U.S. cyber adversaries. The Co-Chairs may seek further information relevant to the Adversaries Review from any appropriate source.
- U.S. Cyber Capabilities Review. Scope and Timing.
Based on the results of sections 5 and 6 of this order, a review of the relevant cyber capabilities of the Department of Defense, the Department of Homeland Security, and the National Security Agency (Capabilities Review) shall identify an initial set of capabilities needing improvement to adequately protect U.S. critical infrastructure.
(ii) The Capabilities Review's recommendations shall include steps to ensure that the responsible agencies are appropriately organized, tasked, and resourced, and provided with adequate legal authority necessary to fulfill their missions.
Participants. The Secretary of Defense shall co-chair the Capabilities Review, with the Secretary of Homeland Security and the Director of the National Security Agency.
(c) Operation of Capabilities Review. The Co-Chairs of the Capabilities Review shall assemble all information in the possession of the Federal Government that pertains to relevant cyber capabilities of the Department of Defense, the Department of Homeland Security, and the National Security Agency. All agencies shall comply with any request of the Co-Chairs to provide information in their possession or control pertaining to U.S. cyber capabilities. The Secretary of Defense, the Secretary of Homeland Security, and the Director of the National Security Agency may seek further information relevant to the Capabilities Review from any appropriate source.
Workforce Development Review. In order to ensure that the United States has a long-term cyber capability advantage, the Secretary of Defense and Secretary of Homeland Security shall also gather and review information from the Department of Education regarding computer science, mathematics, and cyber security education from primary through higher education to understand the full scope of U.S. efforts to educate and train the workforce of the future. The Secretary of Defense shall make recommendations as he sees fit in order to best position the U.S. educational system to maintain its competitive advantage into the future.
Sec. Private Sector Infrastructure Incentives Report.
Scope and Timing.
Preparation of a Report on options to incentivize private sector adoption of effective cyber security measures (Report) shall commence immediately.
(ii) Within 100 days of the date of this order, the Report recommending options shall be submitted to the President through the Secretary of Commerce.
Participants. The Secretary of Commerce shall co-chair the group preparing the Report, with the Secretary of the Treasury, the Secretary of Homeland Security, and the Assistant to the President for Economic Affairs. The Secretary of Commerce may also invite the Chair of the Securities and Exchange Commission and the Chair of the Federal Trade Commission to participate.
(c) Operation of Report. The Co-Chairs of the group that prepared the Report shall review and expand on existing reports on economic and other incentives to: induce private sector owners and operators of the Nation's critical infrastructure to maximize protective measures; invest in cyber enterprise risk management tools and services; and adopt best practices with respect to processes and technologies necessary for the increased sharing of and response to real-time cyber threat information. All agencies shall comply with any request of the Co-Chairs to identify those economic policies and incentives capable of accelerating investments in cyber security tools, services, and software. The Secretary of the Treasury, the Secretary of Commerce, the Secretary of Homeland Security, and the Assistant to the President for Economic Affairs may seek further information relevant to the Report from any appropriate source.
Sec. 2. General Provisions.
This order shall be implemented consistent with applicable law and subject to the availability of appropriations.
Nothing in this order shall be construed to impair or otherwise affect:
the authority granted by law to an executive department or agency, or any head thereof; or
(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.
(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence and law enforcement operations.
This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
Bolt Beranek and Newman (BBN) Report #4799 Document entitled 'A History of the ARPANET: The First Decade'. First published in 1981, and detailing early ARPANET engineering, via the March 2015 'The Internet Protocol Journal' (Volume 18, Number 1). Download IPJ back issues and find subscription information at Internet Protocol Journal.
Via Grant Gross, writing at PC World, comes news of the United States Federal Communications Commission denial of submitted requests from a group of Cable and Telephony providers (the usual suspects) to slow the implementation of the Commission's Net Neutrality rules. This, my fiends, is one commish we can all get behind (except, of course, the Cable, Telephony and their lobbyists).
ISOC - the Internet Society, has released the compiled results of the organization's 2015 Internet Governance Survey (download the PDF here). Via the 2015 Internet Governance Survey, the primary takeaways are:
The majority of respondents (86%) indicated that Cybersecurity is the most important issue facing the Internet community today;
The priorities for the community are to make Internet governance easier to understand (with 75% feeling that this is “Extremely” or “Very Important”) and to develop and share best practices amongst countries and communities (70% indicating that this was “Extremely” or “Very Important”);
A high percentage of respondents (90%) indicated that informal local and regional communities should be enhanced while 87% of respondents want the global, regional, and national Internet Governance Forums (IGFs) to be enhanced; and
27% of respondents think NMI is needed for effective Internet governance, while 56% indicated that they are unclear as to whether NMI is needed, and 17% think it is not needed.
The Federal Communications Commission has issued the codified order targeting Net Neutrality. Entitled FCC 15-24*, for GN Docket Number 14-28, In the Matter of Protecting and Promoting the Open Internet, Report and Order on Remand, Declaratory Ruling, and Order. At over *Four hundred pages long*, this document will (likely) become one of the most highly contentious Orders emerging this year (or the weapon of choice for conspiracy theorists due to its weight*) from the Commission.
News, via The Washington Post's Ashley Halsey III of significant information security issues at the Federal Aviation Agency. In this case, the Government Accountability Office has published a new report entitled "FAA Needs to Address Weaknesses in Air Traffic Control Systems", detailing significant shortcomings in the agency's capability to fend off electronic attacks.
The GAO report facts speak volumes: The FAA has failed to fully implement the planned, 'agency-wide' information security program. The failure to implement and deploy is a tell-tale of questionable competency within the Agency's information security management, whose duty and primary task is protecting the National Airspace System (aka NAS), of which, should be the core competency of the FAA.
Time for a change at the FAA? Probably, however, the issue of foot-dragging is deeply systemic at the Agency, witness the multi-year effort to implement the FAA's Next Generation Air Transportation System (aka NextGen). Any change will most likely be accomplished over decades, rather than single digit years... After all, that thirteen years post-FISMA the Agency has not yet implemented and deployed the mandated FISMA requirements is, in a word - astonishing.
Now, focusing on the issues, we turn to the GAO discovered challenges the FAA faces (of which, a statement from the GAO appears below, and is a direct excerpt from the published report). Read it, my fellow citizens, and weep.
"While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.
FAA also did not fully implement its agency-wide information security program. As required by the Federal Information Security Management Act of 2002, federal agencies should implement a security program that provides a framework for implementing controls at the agency. However, FAA's implementation of its security program was incomplete. For example, it did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster. Additionally, the group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting FAA's ability to detect and respond to security incidents affecting its mission-critical systems.
The weaknesses in FAA's security controls and implementation of its security program existed, in part, because FAA had not fully established an integrated, organization-wide approach to managing information security risk that is aligned with its mission. National Institute of Standards and Technology guidance calls for agencies to establish and implement a security governance structure, an executive-level risk management function, and a risk management strategy in order to manage risk to their systems and information. FAA has established a Cyber Security Steering Committee to provide an agency-wide risk management function. However, it has not fully established the governance structure and practices to ensure that its information security decisions are aligned with its mission. For example, it has not (1) clearly established roles and responsibilities for information security for the NAS or (2) updated its information security strategic plan to reflect significant changes in the NAS environment, such as increased reliance on computer networks.
Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk." via the United States Government Accountability Office Report "FAA Needs to Address Weaknesses in Air Traffic Control Systems"
Meanwhile, in Blatant Stupidity news, ArsTechnica's Dan Goodin writes of the latest Uber misstep. This time, Uber decided to store an encrypted database's PRIVATE KEY (anecdotally, the DB contained sensitive data for at least fifty thousand of the company's drivers) on a GitHub public page. Apparently, there may have been a wee bit of confusion as to what a PRIVATE KEY is, in relation to a PUBLIC KEY within Uber's apparently crack IT department... Oops.