A few days ago the Presidents National Infrastructure Advisor Panel, a branch of the Department of Homeland Security, released a new report urging various branches of the United States Government to protect against what they call a “9/11-level cyber attack,” before its too late. To assemble their report, gather data and asses vulnerabilities, researches claim to have read hundreds of studies, interviewed 38 cyber security experts and reviewed data-sets given to them by over 140 Federal authorities.
Officially entitled “Securing Cyber Assets: Addressing Urgent Cyber Threats To Critical Infrastructure,” the 45 page document outlines a number of growing threats currently facing the country, along with a list of 11 recommendations they would like to see the Government begin acting upon immediately.
View The Full Report Here: https://www.dhs.gov/sites/default/files/publications/niac-cyber-study-draft-report-08-15-17-508.pdf
To my surprise, the recommendations were assembled pursuant to Presidential Executive Order 13800, better known as the “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” initiative launched in May of this year. Believe it or not, this is similar to the Executive Order leaked to the public in January of 2017, to which I submitted my own analysis of our countries cyber problems through contacts I have in the United States Department of Defense.
To be honest, I have not thought about this issue much since then and admittedly had completely forgotten about it altogether. But without making this article about myself, here is the list of recommendations officially being brought forward by the council:
Most note-ably absent from the list, but perhaps unsurprisingly enough, would be strengthening the Nations encryption laws to allow the private sector to better secure their infrastructure. If you were unaware, the FBI and Department of Justice have both worked to make end-to-end encryption illegal on all devices produced inside the United States over the course of the last several years. While this helps the DOJ conduct investigations and obtain evidence on whomever they want, unfortunately, it also makes it easier for hackers to obtain information more easily all the same.
While the US Government does not appear to be ready to embrace end-to-end encryption in this country like their counterparts in the European Union, I do see a number of alternatives proposed in the guidelines listed above. For example, the panels recommendation of enabling “machine to machine information sharing” and “separate, secure information networks.” This type of protocol acts as a sort of fail safe, ensuring that if one computer system or network is compromised, it does not spread to all the other computers on that network and the hack will essentially be isolated to that one machine. It also acts as a – de facto – firewall for other computer systems in that if a hacker wants to compromise an entire network, they will have to hack every single individual device on that network to have access to them all, not just a single one of them like is often the case today.
Another noteworthy recommendation I see on the list is something that I also proposed to the Department of Defense in January, allowing all of the different 3 letter acronyms associated with the US Federal Government to freely share resources, information and databases with one another. As I have pointed out multiple times in the past, it is not uncommon for multiple Federal agencies to be conducting surveillance upon or investigating the same target(s), completely independent and unaware of one another. Not only is this a complete waste of time and resources, but it is completely avoidable.
President Obama made the first step towards addressing this problem with one of his last Executive Orders in office, allowing the NSA to share their databases with other Federal agencies and the US Intelligence Community as a whole. Now, 7 months after this decision was first implemented, it appears as though other branches of the Federal Government are advising the Trump Administration to make this a permanent policy going forward in the future.
Lastly, while the report did not say any sort of catastrophic cyber attack upon the United States was immediately imminent, given the events surrounding the US Presidential election of 2016, the country is certainly not untouchable. President Trump has long since promised to secure our Nations cyber infrastructure going as far back as his campaigns during the Republican primary. Now that his cyber panel has officially concluded their initial review and submitted their proposals, it will be interesting to see what Trump decides to do with this information and how many of the recommended actions will be enacted in the future.