Still waiting for a cybersecurity executive order from Trump
News roundup: A cybersecurity executive order overdue, but 'close and nearby.' Plus, the USPTO says it will stop using HTTPS; a teenage hacker sentenced to prison; and more.
Despite nearing the 100-day mark, the Donald Trump administration has yet to deliver its promised cybersecurity executive order.
Before being sworn in, President Trump said he would have a team and a plan for cybersecurity within 90 days of taking office.
"Whether it is our government, organizations, associations or businesses, we need to aggressively combat and stop cyberattacks," he said in a public statement after a meeting with the leaders of the intelligence community on Jan. 6. "I will appoint a team to give me a plan within 90 days of taking office."
Trump also declared via Twitter on Jan. 13 that his administration would produce a cybersecurity report on nation-state hacking against the U.S. government within 90 days, but no such report was released. Last week, the 90-day mark for the cybersecurity executive order came and went, and the Trump administration has yet to issue a new order.
released by "Intelligence" even knowing there is no proof, and never will be. My people will have a full report on hacking within 90 days!
— Donald J. Trump (@realDonaldTrump) January 13, 2017
However, the White House cybersecurity coordinator, Robert Joyce, said the administration is "close and nearby" to issuing the cybersecurity executive order. Speaking at Georgetown University's International Conference on Cyber Engagement on April 24, Joyce said Trump's son-in-law Jared Kushner is working with White House officials Chris Liddell and Reed Cordish to develop strategies for both cybersecurity and modernizing federal IT systems. Joyce indicated that the efforts outlined in the cybersecurity executive order and those covered in the modernization initiative will tie in with each other, saying that "innovation and cybersecurity are intertwined."
A draft copy of Trump's cybersecurity executive order leaked in February and appeared to be similar to an executive order enacted by former President Barack Obama. Both called for cybersecurity assessments to identify areas of improvement or where new legislation might be needed. Federal IT modernization was also included in the draft copy of the Trump executive order, but Joyce indicated the two efforts would likely be in separate orders now.
Asked when the new cybersecurity executive order might be rolled out, Joyce was vague and suggested the White House was waiting for the right time in the press cycles.
"We want to make sure that the cybersecurity EO emerges with the time and attention it needs," Joyce said. "And at the same time is sequenced with other things the administration is rolling out so we don't distract from other important messages that are out there."
In other news:
- The United States Patent and Trademark Office (USPTO) stopped use of HTTPS on its Public Patent Application Information Retrieval (PAIR) site shortly after rolling it out. "The USPTO's public facing legacy systems, such as Public PAIR, were not designed to support HTTPS protocol," the office wrote in a blog post on April 24. "The agency has worked hard to enhance these legacy systems to support HTTPS. Following the agency's April 11, 2017 deployment of HTTPS to Public PAIR, some public users reported errors accessing Public PAIR. A decision was made to back-out the new HTTPS capability while the agency investigated a resolution to the issue. We expect to implement a fix and restoration of the HTTPS protocol in the next few weeks. The USPTO is sorry for any inconvenience." The use of HTTPS strengthens website security, though it has yet to surpass the use of HTTP.
- Twenty-year-old hacker Adam Mudd has been sentenced to two years in a young offender's prison in the U.K. for two charges under the Computer Misuse Act and one charge of concealing criminal property. Mudd, from Hertfordshire, England, created the Titanium Stresser tool when he was a teenager and used it to perform 595 distributed denial-of-service attacks against 181 IP addresses between December 2013 and March 2015. Mudd also rented out the Stresser and made approximately $500,000. In total, Mudd was responsible for 1.7 million cyberattacks, including on Microsoft, Sony, Minecraft, Xbox Live and RuneScape. He also targeted up to 70 schools and colleges, including his own. "I'm entirely satisfied that you knew full well and understood completely this was not a game for fun," said the sentencing judge in the case. The judge also said he would not reduce the sentence because Mudd's outcome should act as a deterrent to other hackers or potential hackers.
- HackerOne is launching a new bug bounty program: Hack the Air Force. This follows the success of the Hack the Pentagon and Hack the Army programs, and it marks the first bug bounty for the Air Force. The program is part of the Cyber Secure campaign started by the Air Force's CISO, Peter Kim. "This is the first time the [Air Force] has opened up our networks to such a broad scrutiny," Kim said. "We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities." The Hack the Air Force program is open to participants from Australia, Canada, New Zealand, the United Kingdom and the United States, making it the largest bug bounty program the Department of Defense has hosted yet. The contest opens May 30 and runs through June 23.