Here's what I’m reading this week:
The Cybersecurity EO We've Been Waiting For: The cybersecurity EO has been "about to be signed" for months at this point. But finally – and, predictably enough, without any warning – it was put into effect on May 11. The "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" has gone through a long, strange trip. When its first draft leaked back in the earliest days of the new Administration, it was widely panned for being too military-focused. Since then, it has been completely rewritten, and today looks remarkably like a continuation of Obama-era cybersecurity policies.
The EO focuses on improving federal cybersecurity, which is a sorely needed mission. While it isn't revolutionary, it includes several positive initiatives. The two most important points are a direction that department and agency heads will be held "accountable" for the cybersecurity of their agencies, and a requirement that federal agencies follow the cybersecurity framework put out by the National Institute for Science and Technology (NIST). The first of these follows clear lessons from the private sector: institutions invest best in security when their leaders can be held to account when that security fails. The second follows another clear lesson: without a consistent approach to cybersecurity, it is impossible to tell how secure an institution is. By requiring that agencies follow the NIST framework, the EO not only encourages greater security, it applies a single, consistent model across the federal government.
Beyond these initiatives, the EO's impact is much harder to judge, because much of the rest of the document simply directs the drafting of reports. We will have to wait for the reports themselves to judge their impact, but many of the topics – deterrence, expanding the cybersecurity workforce, and international cooperation, among others – are important issues that deserve our attention.
For a more detailed analysis and criticism of the EO, try this: "Some notes on Trump's cybersecurity Executive Order."
The Hack That Wasn't: The other big story this week was the non-impact of the massive influence operation directed at the Macron campaign. Everyone knew it was coming, but it still engendered intense speculation when a group of Russian-linked hackers stole a large store of communications from the Macron campaign and dumped them online.
One group that wasn't surprised, though, was the Macron campaign. Apparently they had been working constantly to confuse their adversaries with fake accounts, falsified messages, and other sophisticated tricks. In the end, the intrusion and influence attempt had little (if any) measurable impact. Some of the credit for this goes to the Macron campaign’s defensive operations. Some goes to the French media, which has limited its coverage of the leaks even after the election-imposed media blackout ceased. And some goes to the French people themselves, who seemed to do a good job keeping their heads even as falsified documents were leaked online.
Altogether, this is a reminder that while influence operations can be powerful, they are fiendishly difficult to get right, and can only shift public sentiment slightly and in directions it wants to go in the first place. In other words, defense against these techniques is eminently possible – the right combination of disciplined media, sensible public, and savvy defenders can make influence operations incredibly difficult.
Finally, passwords get slightly less maddening. This week a group of vendors accepted new NIST-recommended guidelines for how passwords should be handled. These include reducing the frequency of required password changes, and limiting so-called "complexity" requirements, where users are often required to include numbers, capital letters, symbols, and zodiac signs in their passwords. Joking aside, both of these changes bode well for security, and hopefully we’ll see more changes like this in the future.