It’s popular and tempting to bash just about anything that comes out of Washington D.C. nowadays. Indeed,taking a step back and looking at the new executive order to “block or seize the assets of suspected malicious cyber actors” is really a vexing message to send to just about everyone.
There has been a trend to use incidents such as the Sony hack as a drum beat against the North Koreans. The problem with this is that military geo-political motives have little to do with best practices in information cyber-security. Truth be told, it is unlikely that anyone will find the smoking gun that absolutely nails the kill-chain process and real perpetrators of such an attack. Disgruntled former employees are as likely to have conducted this hack as any nation state actor. A cyber-security executive order won’t change that dynamic.
Second, while useful as a powerful bully pulpit tool, executive orders are perceived as one-off rifle shots (especially from a lame duck president) that signals frustration and the inability to really drive consensus with policy in the House and Senate. So this cyber-security executive order really acts more as a gap-filler than a solid step towards a mature and an effective cyber-security national policy. With such an executive order, we risk sending a message to the world that is soft and confusing. There is also the unintended consequence of projecting our lack of cohesiveness and conviction with information security, which only tempts hackers to attack our key assets all the more.
Third, does the Treasury Department really believe that this executive order will inspire other countries to crack down on their cyber thieves? Espionage is by nature clandestine (and all countries do it), so how would imposing fiscal embargo penalties help motivate a change in that behavior? The penalties associated with an admission to guilt seem to far outweigh any self-imposed incrimination with their citizens potentially harming key assets of the Unites States of America.
Finally, after the Snowden incident, this executive order looks a bit two-faced. I mean, didn’t we just violate the very and core objective of this executive order with a U.S. citizen? Does this mean we now will put trade sanctions on ourselves because we want to set an example for the rest of the world to follow? And, by the way, Snowden wasn’t a sophisticated hacker with evil tools used in some military facility in another nation state. We granted him access to all the systems from which he stole information. That’s not cyber-security. Rather it’s poor human resources process—and not having controls in place that track behavior after granting someone Highly Privileged Access to sensitive and classified
While useful as a message that cyber-security is getting the President’s attention, the inability to construct a cohesive and collaborative cyber-security policy is a mixed message that we can ill afford to spread to our global allies, not to mention our adversaries.