New Cybersecurity Executive Order Released

The president issued an EO aimed at strengthening the United States’ cybersecurity.

The White House memo talks about software development, BGP routing protocol security, post-quantum cryptography, AI security, IoT security, encryption, sanctions policy, and preventing the abuse of digital identities.

But an EO only represents the president’s wishes, so we will see whether it is any more effective than the similar EOs issued by former presidents Biden and Obama, which this one amends.

One section that was removed had encouraged the use of digital IDs to access public benefits. The administration claims it would have facilitated fraud by illegal aliens. In reality, the removed section only told NIST to create standards for strong digital identity mechanisms and would not have required any agency to issue or accept digital IDs.

It also removed the requirement for federal contractors to attest that they follow secure software development practices, so expect Chinese hacks of government systems to continue: there are no consequences for selling the government software that is not secure.

When it comes to AI, the EO refocuses AI cybersecurity efforts toward finding vulnerabilities.

Regarding post-quantum cryptography (PQC), the EO requires the maintenance of a list of software that supports PQC, and it only requires the government to support, not require, TLS 1.3 by 2030. TLS 1.3 is in use by industry now and, on its own, provides zero protection against Chinese hacking of our data using quantum computers, which are anticipated to be available before 2030. TLS 1.3 does support the use of PQC algorithms, but only if the web server implements them and the user’s client supports them. That means that, most likely, the vast majority of TLS 1.3 connections will not protect against quantum-computing attacks by China.
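The point above is a negotiation point, not a version point: a TLS 1.3 connection only gets post-quantum key exchange when the client offers a PQ hybrid group in its supported_groups extension and the server picks it. The following is an added example, not code from the original post, that builds a minimal ClientHello, parses the supported_groups extension back out of it, and models the server's choice so a defender can see which configurations actually end up PQ-protected. The group code points for the hybrid groups (X25519MLKEM768 = 0x11EC and friends) are taken from the IETF ECDHE-MLKEM draft, not from the post, and the server is modelled as honouring client preference order, which is an assumption that varies by server.

```python
import struct

# TLS named-group code points. Classical values are IANA-registered; the
# hybrid PQ values are from draft-ietf-tls-ecdhe-mlkem and the earlier Kyber
# draft (assumption: not stated on the page).
NAMED_GROUPS = {
    0x0017: "secp256r1",
    0x0018: "secp384r1",
    0x001D: "x25519",
    0x001E: "x448",
    0x0100: "ffdhe2048",
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",
}
PQ_HYBRID_GROUPS = {0x11EB, 0x11EC, 0x11ED, 0x6399}
EXT_SUPPORTED_GROUPS = 0x000A


def build_client_hello(groups):
    """Build a minimal TLS 1.3 ClientHello handshake message (no record
    header) carrying a supported_groups extension. Constructed for this
    example: the random and session id are zero placeholders."""
    body = b"\x03\x03"                      # legacy_version = TLS 1.2
    body += b"\x00" * 32                    # random (placeholder)
    body += b"\x00"                         # legacy_session_id: empty
    body += b"\x00\x02\x13\x01"             # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                     # legacy_compression_methods: null
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    ext_data = struct.pack("!H", len(group_list)) + group_list
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(ext)) + ext
    # HandshakeType client_hello(1) followed by a uint24 length.
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def parse_supported_groups(client_hello):
    """Return the named groups a ClientHello offers, in client preference
    order; an empty list if the extension is absent."""
    if client_hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + length]
    pos = 2 + 32                                        # legacy_version, random
    pos += 1 + body[pos]                                # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                   # cipher_suites
    pos += 1 + body[pos]                                # compression methods
    if pos >= len(body):
        return []                                       # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + data_len]
        pos += data_len
        if ext_type == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            return [struct.unpack("!H", data[2 + i:4 + i])[0]
                    for i in range(0, n, 2)]
    return []


def negotiated_group(client_groups, server_groups):
    """Model the server's choice as the first client-offered group the server
    also supports (assumption: client preference order). None if no overlap,
    which in real TLS means a HelloRetryRequest or a failed handshake."""
    server = set(server_groups)
    for g in client_groups:
        if g in server:
            return g
    return None


def is_pq_protected(client_groups, server_groups):
    """True only when the group that would be negotiated is a PQ hybrid."""
    g = negotiated_group(client_groups, server_groups)
    return g is not None and g in PQ_HYBRID_GROUPS


if __name__ == "__main__":
    # A modern browser offering X25519MLKEM768 first, then classical x25519.
    hello = build_client_hello([0x11EC, 0x001D, 0x0017])
    offered = parse_supported_groups(hello)
    print("client offers:", [NAMED_GROUPS.get(g, hex(g)) for g in offered])
    for server in ([0x001D, 0x0017], [0x0017, 0x11EC]):
        g = negotiated_group(offered, server)
        print("server", [NAMED_GROUPS[s] for s in server], "->",
              NAMED_GROUPS[g], "PQ" if g in PQ_HYBRID_GROUPS else "classical")
```

Fed a ClientHello captured from a real client, `parse_supported_groups` shows whether the client is even asking for a PQ hybrid; pairing that with the server's configured group list shows whether any given deployment of TLS 1.3 will end up with the quantum-resistant key exchange or silently fall back to x25519.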

Another section removes the ability to sanction US entities that attack the United States. Of course, there are many other laws to use, so maybe this isn’t a big deal.

The EO asks NIST and CISA to establish a pilot program to test the concept of “rules as code”, which would facilitate automated testing for security holes. Whatever comes out of this is years away and likely would only be usable by large companies, but still, a good thing. Even the administration admits this may be a total failure.

Among the reasons that this EO may be doomed to failure are the dramatic downsizing of CISA and the fact that the EO cannot and does not fund anything. What that means is that this is mostly a check-the-box paper exercise that won’t improve security, but we can hope. Only time will tell.

Credit: Security Week and Dark Reading
