The political blogosphere is abuzz over rumors that the White House may issue an Executive Order aimed at improving the security of information held on government computer networks. Some are fulminating against the alleged proposal, perceiving it as part of an ongoing attempt to stymie WikiLeaks-style exposés of embarrassing documents.
The Anti-War blog insists that WikiLeaks was a useful experiment in showing just how much of the classified data emanating from government every year can be made public without any tangible damage to safety and security. In a general pile-in on the Democratic Underground's message boards, this makes Obama "Bush III" or worse. The Noisecast points out, perhaps more aptly, that WikiLeaks did serve the purpose of showing just how unprotected the nation's proposed secrets are.
In fact, the blog which broke the story, Secrecy News, describes an order which would go rather wider than WikiLeaks, and might even address some vulnerabilities much in need of attention. According to, well, a leak, "the order addresses gaps in policy for information systems security, including characterization and detection of the insider threat to information security. It does not define new security standards, nor does it impose the security practices of intelligence agencies on other agencies... Rather, the order establishes new mechanisms for 'governance' and continuing development of security policies for information systems."
Admittedly, we've yet to see confirmation that this order, supposedly fast-tracked over the last few months, exists. But does it seem such a bad idea?
In addition to the WikiLeaks episode, this year has seen the prankster hacking of Pentagon-associated military contractor Booz Allen Hamilton and a just-for-laughs intrusion on Senate databases. Much more worrying than the exploits of teenage masterminds is the lengthy and belatedly discovered trawl through government and defense databases known as "Operation Shady RAT," which many have been quick to blame on China.
My simple point is that the current situation suggests that the cyberdoors are standing wide open to much more threatening characters and hostile enemies than Julian Assange.
The insider threat clearly needs to be treated as seriously as hacking exploits. Gaps in information security policy do need to be closed. What is needed, above all, of course, is concrete progress on systems security, including the key and apparently intractable issue of authentication.
Fast-tracking an Executive Order is all very well, but fast-tracking NSTIC would seem to be a prerequisite for conclusive action. As long as the networks hosting the nation's digital infrastructure and security systems can't distinguish between good and bad actors, that infrastructure remains endangered: a predicament which is likely to be exacerbated when the networks migrate to the cloud, with what NIST described as its "large attack surface."
Tweaking the policies which control insider access to sensitive networks is probably a good idea. Ultimately, it's technological fixes we need, however, not well-intentioned government wish-lists.
— Kim Davis, Community Editor, Internet Evolution