90 days. That's the timeframe in which the president claimed he'd have a robust new cybersecurity plan for the federal government in place. As Trump nears his "100 days in office" mark with nary a plan in sight, folks are left metaphorically checking their watches and scratching their heads.
Despite the lack of a concrete plan and the criticism Trump is facing for seemingly hitting his 100-day milestone empty-handed, it's important to note that strides have in fact been made on the cybersecurity front.
For example, Trump recently hired Robert Joyce, who once ran the National Security Agency's hacking division, as his White House cybersecurity coordinator. Not a bad move, Mr. President. Meanwhile, an executive order is, according to an article by Naked Security, waiting in the wings and reportedly ready to be signed.
Many of you probably remember the period at the beginning of the year when Trump was supposed to sign an executive order on cybersecurity, but left folks baffled when he canceled it and instead promised a comprehensive plan to improve security in the federal government's IT infrastructure within 90 days.
Even though the 90-day deadline has come and gone with no plan, Joyce told attendees at Georgetown University’s International Conference on Cyber Engagement Monday that the executive order is nearly ready to sign. "We must make sure that innovation and cybersecurity are intertwined," stated Joyce.
Joyce stated that the timing of the release is less about finalizing the order than about finding the right news cycle opportunity. "I think the important focus on this is we want to make sure the cybersecurity EO emerges … in sequence with other things that the administration is rolling out so that we don't distract from other important messages that are out there," Joyce said, as reported by FCW.
The main focus of the administration when it comes to cybersecurity will be to protect federal IT infrastructure, which will involve modernizing systems and moving toward shared services and commercial solutions. According to Joyce, this is to raise the standards for smaller agencies that don't have the budget or staff to focus on cybersecurity the way the Department of Defense does.
Further, Joyce said that while that overall policy goal will be reflected in the executive order, it looks increasingly like the National Security Council (NSC) will play a supporting role to Jared Kushner's new Office of American Innovation, which has been given responsibility for modernizing federal IT.
"I'm pleased to be a part of that so I get to participate in, my staff gets to participate in, those meetings," Joyce said. The emphasis on shared services, cloud and other technical reforms, he said, "means a refresh, [and] also means an opportunity to wire in from the ground up cybersecurity."
Our second story takes a look at the role of the ISP in cybersecurity. According to Dark Reading contributor Corey Nachreiner, there are many actions ISPs could take to make online browsing safer, but one in particular stands out.
For a good while now, at least a decade, the security sector has debated what role Internet service providers (ISPs) should take in cybersecurity. Questions such as "should they proactively protect their customers with upstream security controls and filters (e.g., intrusion prevention systems, IP/URL blacklists, malware detection, etc.), or are customers responsible for their own security?" have arisen.
Nachreiner states that ISPs can have a much wider impact on overall security because they are essentially the keepers of the internet. The doormen. The gatekeepers. The bridge trolls... you get it. It goes without saying that it's an extremely valuable and advantageous position to be in. Still, there are good arguments against ISPs' reach extending too far and taking on too much of a security role. But Nachreiner argues that there is one thing ISPs can do to improve everyone's security: block IP address spoofing.
IP address spoofing is a very old and elementary technique in which a malicious computer sends a network packet with a false source IP address. IP spoofing offers limited value in ordinary attacks, because when you send packets claiming to be from another computer, the replies go to that computer, not to the attacker. But IP spoofing does play a big role in one particular kind of attack: distributed denial-of-service (DDoS) attacks, which, as we know, have been increasing in popularity lately. A forged source address hides the attacker's real address, and in a reflection attack the forged source is the victim itself, so every reply the attacker provokes from a third-party server is delivered to the victim.
ISPs generally know what public IP addresses we all receive and which ones belong on their networks. With this information, IP spoofing is actually pretty easy to sniff out and effectively block.
"For decades, there have been common Internet standards and best common practices that detail exactly how network providers can prevent IP address spoofing by configuring routing devices to validate source addresses and block spoofed traffic," states Nachreiner in the article. "Some examples include RFC 2827, BCP 38, and the updated BCP 84. Most network gear, from routers to security appliances, offer simple features and filters to do just that. If all ISPs followed these long-held best practices, they could greatly lessen certain types of DDoS attacks, without adversely affecting their customers’ networks."
According to Nachreiner, a lot of ISPs already do this. According to the Center for Applied Internet Data Analysis (CAIDA), about 70 percent of IP space is "unspoofable," meaning the providers behind that space already apply this good old fashioned filtering. Sounds easy enough, but the problem is that if even a few ISPs allow spoofing, attackers can leverage those networks against everyone else.
"If there is one thing we need to demand of all our ISPs, it's to implement this one well-known common best practice," says Nachreiner. The takeaway for providers? Dropping spoofed packets at the network edge blunts a whole class of denial-of-service attacks and raises the overall security level for every consumer.
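The filtering described above is simple enough to show in a few lines. The following is an added example, not code from the column or from Nachreiner: it models a BCP 38 (RFC 2827) ingress filter on an ISP edge interface. The router is assumed to know the prefixes delegated to the customers behind that interface, and any packet whose source address falls outside them is dropped. The prefixes, packets, and the `Packet`, `ingress_filter` and `reflection_targets` names are all constructed for illustration; the address ranges are documentation ranges, not real allocations.

```python
"""Added example: BCP 38 / RFC 2827 style ingress source-address validation.

An ISP edge router knows which prefixes it has delegated to the customers
behind a given interface. Any packet arriving on that interface whose source
address lies outside those prefixes is spoofed and is dropped before it can
leave the provider's network. Everything below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical prefixes delegated to the customers behind one edge interface
# (RFC 5737 / RFC 3849 documentation ranges, not real allocations).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("203.0.113.0/24", "198.51.100.0/25", "2001:db8:100::/48")
]


@dataclass(frozen=True)
class Packet:
    src: str      # source address as written in the IP header
    dst: str      # destination address
    service: str  # e.g. "udp/53"; descriptive only


def source_is_valid(src: str, prefixes=CUSTOMER_PREFIXES) -> bool:
    """True if src lies inside a prefix this interface may legitimately originate."""
    addr = ipaddress.ip_address(src)
    # Membership of a v4 address in a v6 network (or vice versa) is simply False.
    return any(addr in net for net in prefixes)


def ingress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) the way a BCP 38 filter would.

    Forwarded packets carry a source the provider assigned to this interface.
    Dropped packets claim a source it never assigned here; in a reflection
    DDoS that forged source is the victim, who would otherwise receive the
    replies to traffic the attacker never had to send from its own address.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt.src, prefixes) else dropped).append(pkt)
    return forwarded, dropped


def reflection_targets(dropped):
    """Addresses that would have received the reflected replies had the spoofed
    packets been let out: each distinct forged source is a would-be victim."""
    return sorted({pkt.src for pkt in dropped})


# Constructed sample traffic as seen on the customer-facing interface.
SAMPLE_PACKETS = [
    Packet("203.0.113.45", "192.0.2.10", "tcp/443"),        # legitimate customer
    Packet("198.51.100.7", "192.0.2.53", "udp/53"),         # legitimate customer
    Packet("2001:db8:100::1f", "2001:db8:9::9", "tcp/80"),  # legitimate IPv6 customer
    Packet("198.51.100.200", "192.0.2.53", "udp/53"),       # .200 is outside the /25: spoofed
    Packet("192.0.2.99", "192.0.2.53", "udp/53"),           # forged victim source, DNS reflection
    Packet("192.0.2.99", "198.51.100.1", "udp/123"),        # same victim, NTP reflection
]

if __name__ == "__main__":
    ok, bad = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(ok)} packet(s), dropped {len(bad)} spoofed packet(s)")
    for pkt in bad:
        print(f"  drop {pkt.src} -> {pkt.dst} ({pkt.service})")
    print("would-be reflection victims:", reflection_targets(bad))
```

In production this check is not written by hand: it is the router's unicast reverse path forwarding feature (strict uRPF, `ip verify unicast source reachable-via rx` on Cisco IOS) or, on a Linux box acting as the edge, strict reverse path filtering via `net.ipv4.conf.all.rp_filter=1`. The one caveat BCP 84 (RFC 3704) adds to the original BCP 38 text is that strict mode can wrongly drop traffic from multihomed customers whose return path differs from the arriving interface, which is why loose mode or an explicit prefix list, as modeled above, is used for those customers.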
We close out the week with a look at DoD's new "Hack the Air Force" bug bounty program. You may remember the "Hack the Pentagon" and "Hack the Army" initiatives: due to their success, the U.S. Department of Defense announced on Wednesday the launch of the "Hack the Air Force" bug bounty program.
According to an article by Security Week, “Hack the Air Force” will be the Pentagon’s largest bug bounty project. It is open to experts not just from the United States, but also from "Five Eyes" countries, which includes the United Kingdom, Canada, Australia and New Zealand.
The program, which runs on the HackerOne platform, is designed to strengthen the security of the Air Force's critical data and assets. By now you know how it works: white hat hackers who report vulnerabilities will be eligible for sizeable cash rewards, though the exact amounts have not yet been revealed.
The criteria? Only qualified and vetted researchers can register. “This is the first time the AF has opened up our networks to such a broad scrutiny,” said Air Force Chief Information Security Officer Peter Kim. “We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities.”
Registration for “Hack the Air Force” opens on May 15. The event will take place between May 30 and June 23.
The views expressed in this column do not necessarily reflect the views of Penton Media or The VAR Guy editorial staff.