Trump’s Cybersecurity Executive Order Gives No Guidance on Agencies’ Encryption Adoption Efforts

June 22, 2017 | David Bisson

President Donald Trump's executive order on cybersecurity ignores a vital component of agency security: it fails to provide guidance on how to secure the encryption that federal agencies are implementing across their systems.

On 11 May, President Donald Trump signed an executive order setting out how the United States is to strengthen the digital security of federal government systems and critical infrastructure. The directive makes clear that the heads of executive departments and federal agencies are ultimately responsible for managing digital security risk within their organizations, and it expects them to fulfill that duty by making use of existing security frameworks.

As the executive order sets forth:

"Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order."

The White House is wise to incorporate NIST's Cybersecurity Framework into its executive order. Enterprises can use the document's five core functions—Identify, Protect, Detect, Respond, and Recover—to organize their risk management, and they can refer to it for guidance on aligning their digital security priorities with their business objectives.

But the Framework doesn't do everything. It fails to emphasize the importance of protecting encryption itself, including the keys and certificates that make it trustworthy. Without this security control, sensitive personal and financial information stored on federal networks is at risk of exfiltration by state-sponsored actors and computer criminals. In the hands of such individuals, this data can jeopardize the security of critical infrastructure and thereby threaten public safety.

Recognizing the threat of a data breach, the Senate passed legislation in October 2015 ordering federal agencies to "encrypt sensitive and mission critical data or otherwise render such data indecipherable to unauthorized users." But NIST's Framework doesn't cite that directive. Version 1.1 of the document (PDF), published as a draft in January 2017, more than a year after the Senate's bill became law, mentions encryption only by way of a reference to another publication. NIST does not include the security control in the Framework itself.

This is cause for concern. These days, attackers aren't just exploiting the absence of encryption to steal data in plaintext. They're also using encryption to gain access to sensitive systems, a misuse the National Geospatial-Intelligence Agency experienced firsthand in the spring of 2017. Gartner has predicted that more than half of network attacks in 2017 will use encrypted traffic to bypass existing security controls.

If they are going to take the rise of encryption-enabled attacks seriously, both the White House and NIST need to address encryption in a meaningful way in their respective documents. That includes stressing that federal agencies must be able to detect threats hidden in their encrypted traffic, so as to keep bad actors from misusing the agencies' keys and certificates unnoticed.

Does your organization or agency have complete visibility over encrypted traffic?

About the author

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.