Friday, 27 January 2017

Why one executive order won't be enough to secure the federal government

Russian hacking played a central role in the 2016 election, embarrassing senior aides to Hillary Clinton and possibly handing the presidency to Donald Trump.

Even though hacking may have benefited him last year, Trump’s administration is looking for ways to secure government networks — and ideally, the US internet more generally — against hackers and other online troublemakers. The Washington Post has released what it says is a leaked draft of Trump’s forthcoming executive order on cybersecurity.

A lot of Trump’s executive orders so far have been controversial, but this one looks innocuous. It largely consists of asking various agencies to gather information relevant to cybersecurity and report back within 60 to 100 days.

The question is what the administration will do once those reports come back.

“Securing systems is boring and requires discipline, and it's a lot of work,” says Nicholas Weaver, a security researcher at the University of California.

Unfortunately, in his first few days in office, Trump has shown little discipline or interest in boring details. After all, media reports indicate that Trump is using a years-old Android phone that likely has glaring security vulnerabilities. If he can’t be bothered to take basic security precautions for himself, how can he ask thousands of federal employees to take security more seriously?

Cybersecurity is about getting lots of details right
The draft leaked to the Washington Post asks for details about vulnerabilities in US government and private networks, a review of America’s “cyber adversaries,” and the “cyber capabilities” of the Department of Homeland Security, Department of Defense, and National Security Agency. And recognizing that America will need more computer security experts in the future, it asks the Department of Education to compile information about US efforts to train America’s future workforce on these issues.

These are all sensible first steps to prevent more disasters like the 2015 attack on the Office of Personnel Management, the federal government’s HR agency, which compromised the privacy of millions of federal employees. But the real challenge will be what the Trump administration does once these reports come back.

Making a system truly secure requires attending to lots of small details. Do users have secure passwords? Have all relevant software packages been updated? Has custom-written code been audited for security defects?

On top of that, Weaver notes, “the real threats are often nongovernmental systems — things like the power grid and telecommunications infrastructure. All of that is in private hands.”

It may also require taking precautions that inconvenience users. For example, a technique called two-factor authentication asks users to input a number generated by a smartphone app or keychain device in addition to their password.

Princeton computer scientist Nick Feamster points to last year’s hack of Clinton campaign manager John Podesta as an example. “If we look at the Podesta email leak, we're not talking about rocket science hacks here. We're talking about something that could have easily been prevented” with two-factor authentication, Feamster argues.

But users often resist setting up two-factor authentication because it takes time to set up and because it can get you locked out if you misplace your cellphone or keys.

And this isn’t just whining. Security measures really do impose inconveniences that make workers less productive. A perfectly secure organization would be so hemmed in by security measures that it would barely be able to get anything done.

At the same time, inertia often does cause companies to underinvest in cybersecurity. Government watchdogs had been warning about security problems at OPM for years before the agency finally discovered it had been hacked in 2015.

The challenge for the Trump team, then, is to figure out how to change the culture at government agencies to make security more of a priority — without imposing rigid policies that prevent agencies from getting their work done. That’s not an issue that’s explored in the draft executive order.
