President Biden’s recent “Executive Order on Improving the Nation’s Cybersecurity” has been hailed by many as a significant step forward in protecting the infrastructure of the United States against the serious threats that it faces. This will probably turn out to be false.
Like the many other orders and directives on cybersecurity that have been signed over the past quarter of a century, this one will probably end up being “full of sound and fury, signifying nothing.”
This is not the fault of the Biden administration or the people who will be working to implement the EO. It is just an unfortunate reality that information security is hard and getting harder, and we really don’t know how to make it any easier.
No quick fix
With today’s technology, it is essentially impossible to make reasonably secure software, and advancing the state of the art in that area is more suitable for a multi-decade research project than something that can be addressed by any quick fix, even with the full power and authority of the US president behind finding one.
As the characters in the 2004 reboot of the TV series Battlestar Galactica often said:
“This has happened before and will happen again.”
The first attempt to address the cyber threats that the US faces might have been President Clinton’s 1996 Executive Order 13010, “Critical Infrastructure Protection.” It identified nine critical national infrastructures: telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services, and continuity of government. Two years later, in 1998, Clinton signed Presidential Decision Directive 63, “Critical Infrastructure Protection,” which had this ambitious goal:
No later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation's critical infrastructures from intentional acts that would significantly diminish the abilities of:
- “The Federal Government to perform essential national security missions and to ensure the general public health and safety;
- “State and local governments to maintain order and to deliver minimum essential public services.
- “The private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services.
- “Any interruptions or manipulations of these critical functions must be brief, infrequent, manageable, geographically isolated and minimally detrimental to the welfare of the United States.”
This was followed in 2000 by “Defending America's Cyberspace,” a document that described a plan built around three key objectives:
- Prepare and prevent: Taking those steps necessary to minimize the possibility of a significant and successful attack on the nation’s critical information networks, and build an infrastructure that remains effective in the face of such attacks.
- Detect and respond: Taking those actions required for identifying and assessing an attack in a timely way, and then to contain the attack, quickly recover from it, and reconstitute affected systems.
- Build strong foundations: Doing the things the nation must do to create and nourish the people, organizations, laws, and traditions that will make the United States better able to prepare and prevent, and detect and respond to attacks on its critical information networks.
Note that these goals are quite reasonable. And if you read all 199 pages of “Defending America’s Cyberspace,” it’s hard not to get the impression that the US government had a solid plan and was off to a good start in implementing it.
But little progress was apparently made. In 2001, President Bush signed Executive Order 13231, “Critical Infrastructure Protection in the Information Age,” which had remarkably similar goals to those defined by Clinton’s directives. In February 2003, “The National Strategy to Secure Cyberspace” was published. This document told us that:
Consistent with the National Strategy for Homeland Security, the strategic objectives of this National Strategy to Secure Cyberspace are to:
- “Prevent cyber attacks against America’s critical infrastructures;
- “Reduce national vulnerability to cyber attacks; and
- “Minimize damage and recovery time from cyber attacks that do occur.”
In July 2004, National Security Presidential Directive 38, “National Strategy to Secure Cyberspace,” was published, and in January 2008, National Security Presidential Directive 54, “Cybersecurity Policy,” followed. Again, if you read these orders and directives, it’s hard not to get the impression that the US government had a solid plan and was off to a good start in implementing it.
Now is probably an appropriate time to imagine your favorite Battlestar Galactica character saying, “This has happened before and will happen again.”
Well-meaning EOs are not moving the needle
Little progress was made. In 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience.” Much like their predecessors from the Clinton and Bush administrations, these orders and directives make it look as if the US government had a solid plan and was off to a good start in implementing it.
“This has happened before and will happen again.”
Fast forward to 2017, and we have the Trump administration issuing Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which looks eerily similar to what the previous three presidents signed.
It’s hard not to repeat that Battlestar Galactica quote one more time at this point because, as noted at the outset, the Biden administration has issued yet another directive concerning the important business of protecting the infrastructure of the US against cyber threats. It’s unlikely that the “Executive Order on Improving the Nation’s Cybersecurity” will do any more than its predecessors to dramatically increase the protection of the nation’s critical infrastructure. But this isn’t the fault of the Biden administration. I feel fairly sure that they mean well and really want to get the right things done.
But so did their predecessors.
And much as happened after the previous directives were issued, lots of people are making dramatic statements about how this EO is a game-changer that will shift paradigms, as well as do many other buzzword-filled things. These claims are probably going to look more than a little ridiculous with the benefit of a few years of hindsight, just as the similar claims about the actions of the Clinton, Bush, Obama, and Trump administrations do today.
I was involved in some of the activities that the Obama administration organized around improving the security of the United States’ critical infrastructure, and I found that the people involved were uniformly smart, hard-working, well meaning, and all sorts of other good things. I don’t think that I met a single person who wasn’t very passionate about making sure that the right things happened.
But they didn’t happen.
Complexity is not our friend
And it wasn’t the fault of the people involved or the politicians organizing these efforts. And it seems unlikely that this most recent iteration of this process will be much different from the previous ones. There is a saying, which apparently goes as far back as 1691, that seems particularly relevant here: Fool me once, shame on you; fool me twice, shame on me. Is there an appropriate saying for what to do when you get fooled for the 11th time in a row?
The reality is that our networks are the most complex things ever created by man and comprise components that are in turn so complicated that no single person understands how they work. And our ability to make those complicated things has dramatically surpassed our ability to make them work correctly or securely. Manufacturers recently announced a processor comprising 2.6 trillion transistors.
Software is correspondingly complex, and even a relatively simple system such as a passenger vehicle can take hundreds of millions of lines of code to make it function. Since software is used to design and fabricate hardware, the security of software also affects the security of hardware: a compromise of the design and fabrication toolchain can undermine the security of the platforms on which software later runs. Yet that’s what our critical infrastructure is built with.
Resilience is the way forward
This is not a simple problem that can be overcome by simply taking security more seriously or using more or better security products. Anything more that we might do will be constrained by our near-total lack of understanding of how to make nontrivial computer systems that operate securely. That’s probably a research project that will take decades to complete. Until then, getting by with what we have now may be the best that we can do.
That means that we need to accept that our networks are full of exploitable weaknesses and design them so that they will keep functioning reasonably well even when those weaknesses are exploited by malicious adversaries. That’s what “resiliency” is all about, and it is eerily similar to the “detect and respond” objective of Clinton’s “Defending America's Cyberspace.”
Until researchers figure out how to make computers that work the way they’re supposed to, that’s probably the best that we can do. Follow that 20-year-old advice, and wonder why it took us so long to do so.
No Security is a monthly column.