Cybersecurity takes a big hit in new Trump executive order | Ars Technica

Provisions on secure software, quantum-resistant crypto, and more are scrapped.

Cybersecurity practitioners are voicing concerns over a recent executive order issued by the White House that guts requirements for securing software the government uses, punishing people who compromise sensitive networks, preparing new encryption schemes that will withstand attacks from quantum computers, and other existing controls.

The executive order (EO), issued on June 6, reverses several key cybersecurity orders put in place by President Joe Biden, some as recently as a few days before his term ended in January. A statement that accompanied Donald Trump's EO said the Biden directives attempted to "sneak problematic and distracting issues" into cybersecurity policy and amounted to "political football."

Specific orders Trump dropped or relaxed included ones mandating (1) that federal agencies and contractors adopt products with quantum-safe encryption as they become available in the marketplace, (2) a stringent Secure Software Development Framework (SSDF) for software and services used by federal agencies and contractors, (3) the adoption of phishing-resistant regimens such as the WebAuthn standard for logging into networks used by contractors and agencies, (4) the implementation of new tools for securing Internet routing through the Border Gateway Protocol, and (5) the encouragement of digital forms of identity.

In many respects, executive orders are at least as much performative displays as they are a vehicle for creating sound policy. Biden's cybersecurity directives were mostly in this second camp.

The provisions regarding the secure software development framework, for instance, were born out of the devastating consequences of the SolarWinds supply chain attack of 2020. During the event, hackers linked to the Russian government breached the network of a widely used cloud service, SolarWinds. The hackers went on to push a malicious update that distributed a backdoor to more than 18,000 customers, many of whom were contractors and agencies of the federal government.

The departments of Commerce, Treasury, Homeland Security, and the National Institutes of Health were all compromised. A large roster of private companies, among them Microsoft, Intel, Cisco, Deloitte, and FireEye, were also breached.

In response, a Biden EO required the Cybersecurity and Infrastructure Security Agency to establish a common form for self-attestation that organizations selling critical software to the federal government were complying with the provisions in the SSDF. The attestation had to come from a company officer.

Trump's EO removes that requirement and instead directs the National Institute of Standards and Technology (NIST) to create a "reference security implementation" for the SSDF, with no further attestation requirement. The new implementation will supplant SP 800-218, the government's existing SSDF reference implementation, although the Trump EO calls for the new guidelines to be informed by it.

Critics said the change will allow government contractors to skirt directives that would require them to proactively fix the types of security vulnerabilities that enabled the SolarWinds compromise.

"That will allow folks to checkbox their way through, 'We copied the implementation,' without actually following the spirit of the security controls in SP 800-218," Jake Williams, a former hacker for the National Security Agency who is now VP of research and development for cybersecurity firm Hunter Strategy, said in an interview. "Very few organizations actually comply with the provisions in SP 800-218 because they put some onerous security requirements on development environments, which are usually like the Wild West."

The Trump EO also rolls back requirements that federal agencies adopt products that use encryption schemes that aren't vulnerable to quantum computer attacks. Biden put these requirements in place in an attempt to jumpstart the implementation of new quantum-resistant algorithms under development by NIST.

"What we basically ended up with is less firm direction and less guidance where we already didn't have much," said Alex Sharpe, who has 30 years of experience in cybersecurity governance. He and other industry experts caution that the transition to quantum-resistant algorithms will be among the biggest technological challenges the government and private industry have ever undertaken. That, in turn, creates friction and resistance to the job of overhauling entire software stacks, databases, and other existing infrastructure that will be necessary.

"Now that the enforcement mechanism was taken off, there are going to be a lot of organizations that are less likely to deal with that," he said.

Trump also scrapped instructions for the departments of State and Commerce to encourage key foreign allies and overseas industries to adopt NIST's PQC algorithms.

Other changes mandated by the EO include:

"I think it's very pro-business, anti-regulation," Williams said of the overall thrust of the new EO. Besides weakening SSDF requirements, he said, "Striking the BGP security messaging is a gift to ISPs who know this is a problem but also know it will be expensive for them to fix."

Sharpe said that most of the deleted requirements "made a lot of sense." Referring to Trump, he added, "He talks about the burden of compliance. What about the burden of non-compliance?"

A previous version of this story erroneously listed a company not compromised in the SolarWinds attack.