President Donald Trump's executive order on cybersecurity ignores a vital component of agency security: it fails to provide guidance on how to secure the encryption that federal agencies are implementing across their systems.
On 11 May, President Donald Trump signed an executive order specifying how the United States can strengthen federal government systems' and critical infrastructure's digital security. The directive makes clear the heads of executive departments and federal agencies are ultimately responsible for managing digital security risk at their enterprises. President Trump expects the agency heads to fulfill this duty by make use of existing security frameworks.
As the executive order sets forth:
"Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order."
The White House is wise to incorporate NIST's cybersecurity framework into its executive order. After all, enterprises can use the document's five core digital security functions—Identify, Protect, Detect, Respond, and Recover—to mitigate risk on their networks. They can also refer to the document on how to correlate their digital security metrics with their business objectives.
But "the Framework" doesn't do everything. It fails to emphasize the importance of protecting encryption. Without this security control, sensitive personal and financial information stored on federal networks is at risk of exfiltration by state-sponsored actors and computer criminals. In the hands of such nefarious individuals, this data can jeopardize the security of critical infrastructure and thereby threaten public safety.
Recognizing the threat of a data breach, the Senate passed legislation in October 2015 ordering federal agencies to "encrypt sensitive and mission critical data or otherwise render such data indecipherable to unauthorized users." But NIST's Framework doesn't cite that directive. Version 1.1 of the document (PDF), which was published more than a year after the Senate's bill became law, only mentions encryption with respect to another publication. NIST doesn't include the security control in its Framework directly.
This is cause for concern. These days, attackers aren't just abusing the absence of encryption to steal data in plaintext. They're also using encryption to gain access to sensitive systems, misuse which the National Geospatial-Intelligence Agency experienced firsthand in the spring of 2017. In fact, Gartner believes more than half of network attacks in 2017 will use encrypted traffic to bypass existing security controls.
If they are going to take the rise of encryption-enabled attacks seriously, both the White House and NIST need to mention encryption in a meaningful way in their respective documents. That includes emphasizing the importance of federal agencies detecting threats in their encrypted traffic so as to prevent bad actors from misusing their keys and certificates.
Does your organization or agency have complete visibility over encrypted traffic?