On May 10, the President released his Executive Order on Cybersecurity. The comprehensive document is intended to set out the national strategy for ensuring that the Internet is used to promote national values, that it is secured against attack from inside and outside, and to promote national interest in security and security technology.
The Executive Order prioritizes domestic software, databases and technologies over foreign data, and recognizes the need to create, promote and encourage the use of domestically produced encryption technology, particularly for federal agencies and departments and domestic banking and financial services companies.
The Executive Order also prioritizes those technologies in the nation’s “critical information infrastructure” and calls for public-private partnerships to use the resources of the state in protecting that infrastructure from malicious hacking. The document sets out the national vision for the use of the Internet from 2017 through 2030, to foster a “knowledge society” and to foster the nation’s “spiritual and moral values” and the “observance of [corresponding] behavioral norms in the use of information and communication technologies.”
The 29 page document laid out a multi-year strategy for the use of the Internet.
Problem is, the Executive Order was not released by President Trump. It was released by his counterpart, President Vladimir Putin.
And this points out an essential problem in cyberspace. The goal of security is to allow “good” guys to get access to data, processes, information, services, etc., while keeping the bad guys out.
But each nation – each entity in fact, decides who is a “good” guy and who is a “bad” guy. So while Russia’s FSB might want Gasprom to be secured, they might not care so much if Exxon is secured.
It appears that the Russians have separated the “offensive” and “defensive” functions of cyberattacks, with attacks like Fancy Bear, Cozy Bear and attacks on Ukrainian infrastructure, as well as attacks on US, French and German political systems reportedly being coordinated by the Russian MOD, while the FSB itself works with institutions like the “Kvant” Research Institute to have both “offensive” capabilities and defensive capabilities to protect Russian critical infrastructure.
So security is neither good nor bad. Neither the US nor the Russians want “absolute” security. Just reasonable security. And better security. And better security than our adversaries. Oh, and the Russians released its own EO on cyber the same day. More on that later.