>A review ... of the DoD, DHS, and NSA shall identify an initial set of capabilities needing improvement to adequately protect U.S. critical infrastructure.
This could potentially mean allowing NSA expanded capabilities. Not necessarily, though, I guess.
I don't think it goes either way. An argument could be made that the review ends up saying "Everything the NSA does is irrelevant, shut it down and give the money back to the shareholders".
Obviously I don't think that is actually going to happen either, but, nor do I think this means the NSA would be expanded here.
A stopped clock is right twice a day. A clock that mistimes a second will be right far less often, and a mis-set clock is never right. Likewise a Widlarized clock is never right, and that's as broken as you can get.
Is he demanding a review of government systems or of private systems as well? Like is the homeland security going to bring an army of security experts and start banging on Google's doors demanding access to their servers to see if they are above board?
The term "critical infrastructure" means systems and assets, whether physical or virtual, so
vital to the United States that the incapacity or destruction of such systems would have a
debilitating impact on security, national economic security, national public health or safety, or
any combination of those matters.
The term national security system means any telecommunications or information system
operated by the Federal Government or any contractor on its behalf, the function, operation, or
use of which:
The destruction of Google's, Apple's or Amazon's systems would obviously "have a debilitating impact on national economic security". All of them are also contractors of the Federal Government.
I disagree, section 8 is geared completely towards private sector systems, and section 5 subsection c refers to the most urgent vulnerabilities in civilian, and the most critical private sector infrastructure.
Government cloud customers already have various requirements and certifications. See DoD SRG and FedRAMP for examples of such certifications by the US government.
If so, then Google should do the right thing. They know they have a lot of allies, and public opinion, media, NGOs, customers and most voters are on their side.
The problem: could Trump do this legally, and legally force Google not to disclose it? What can Trump do with the NSA data? I haven't seen any stories addressing this, beyond vague "concerns".
> Furthermore, it misses the larger point that all of their data is readily and easily collected by the NSA already.
Such assertions are counterproductive. They ignore actual statements by Google regarding their efforts to improve security against US agency snooping, or Apple's somewhat valiant if ultimately fruitless attempts to defend the iPhone's security against national security interests.
We need to specifically call out bad actors and actions, such as Yahoo's eagerness to CC the NSA on all our emails. We also need to reward positive action with praise. Both are methods to provide the incentives for companies to act in our interests: the companies can point to praise to argue that their principled stand makes financial sense, and the employees deserve the recognition by their peer group.
That's what I was asking. What legal authority do Trump and his administration have? What can they do with the powers legally granted to them, both with the NSA, and with private companies directly?
The wider public is completely ignorant about this, and this should be written up and publicized more.
Some thoughts, sorry for the long quotes. Start with the second-to-last quote for what I personally find to be the most worrying.
As a result of these changes, cyberspace has emerged
as a new domain of engagement, comparable in
significance to land, sea, air, and space, and its
significance will increase in the years ahead.
This raises the possibility of hacking being treated as an act of war, and the resulting actions. I'm not sure if that's the current status quo – I know there was discussion about it a few months ago.
The term "critical infrastructure" means
systems and assets, whether physical or virtual,
so vital to the United States that the incapacity
or destruction of such systems would have a
debilitating impact on security, national economic
security, national public health or safety, or
any combination of those matters.
This does notably seem to exclude anything related to elections.
The term "national security system" means any
telecommunications or information system
operated by the Federal Government or any contractor
on its behalf, the function, operation, or use of which:
[...]
is critical to the direct fulfillment of military or intelligence
missions (but does not include a system used for routine
administrative and business applications, including payroll, finance,
logistics, and personnel management applications).
This seems to go out of its way to exclude "personnel management applications", which is curious considering exactly such a system was at the center of the second-largest hacking scandal involving the government last year.
Review Participants. The Secretary of Defense
shall co-chair the Vulnerabilities Review with
the Secretary of Homeland Security, the Director of
National Intelligence, the Assistant to the
President for National Security Affairs, and the
Assistant to the President for Homeland Security
and Counterterrorism.
The last three are Dan Coats, Michael Flynn, and Tom Bossert, respectively. It's a bit heavy on the military brass and leans towards the political side to the exclusion of anybody with technical credentials (I'd think someone from the NSA or even the private sector could possibly be useful). But I've always been critical when, for example, judges have been accused of being inadequate to adjudicate technical issues – smart people can and will get the information they need to make the right decisions. So let's give them the benefit of the doubt.
Possibly relevant: it's two cabinet members vs three people reporting directly to the president. I don't know if these committees ever vote on anything, but that could be intentional to allow the President to keep full control over the direction of the investigation (Cabinet Secretaries being traditionally more independent than anyone in the West Wing)
[..]the Secretary of Defense and Secretary
of Homeland Security shall
also gather and review information from the
Department of Education regarding computer
science, mathematics, and cyber security
education from primary through higher education
to understand the full scope of U.S. efforts to
educate and train the workforce of the future. The
Secretary of Defense shall make recommendations
as he sees fit in order to best position the U.S.
educational system to maintain its competitive
advantage into the future.
I feel a bit uneasy about Secretary of Defense being authorized to change the primary school curriculum, especially considering the basically limitless scope of "maintain[ing] its competitive advantage into the future". It sounds like they want more math in school. But what if he concludes that the US has plenty of hackers, but they're just not patriotic enough and rather work for Apple (which is actually somewhat true)?
[A review shall find ways to incentivize
private enterprises to] invest in cyber
enterprise risk management tools and services; and
adopt best practices with respect to processes and
technologies necessary for the increased
sharing of and response to real-time
cyber threat information.
This is once again pretty broad, but I thought it warrants inclusion because any sharing of data collected by private entities with government agencies has the potential to violate individuals' privacy.
Overall this isn't really specific enough to scare me, yet. The bit about education is what most effectively raises my blood pressure, while the focus on military systems at the exclusion of anything election-related is somewhat curious.
The part about Department of Education ensuring a competent workforce doesn't jive with haphazardly turning back permanent residents with PhDs and valid green cards from reentering the country where they live. The US was made great when refugees from around the world were welcomed and then prospered for both themselves and the melting pot country. The rush to enact these sorts of ignorant, brutal, arbitrary and uncivilized policy blunders further erodes national security, the economy and international standing... also, the shitshow of a constitutional crisis is brewing where the various parts of government ignore the law and do whatever they want.
Except for Iran, most of the other countries didn't contribute to a large part of the US "intelligentsia" [people with advanced technical degrees]
Any deficit could be compensated by increasing quotas for people from alternate countries, India, Russia, China all which produce great numbers of people in technical fields and who don't always get choice work in their home countries.
Steve Jobs was the son of Syrian immigrants... Iraq has a tradition of scholarship similar to that of Iran. And while it has obviously been decimated by the reign of Saddam and three devastating wars, I'm sure the spirit of it can survive one or two generations by being passed down in families. The Jewish population in Europe, most of whom emigrated in 1944-1950, had also lived through 20 years of radically diminished access to education, and had to start anew from basically nothing. But their children went on to become the most productive scientific community in the history of mankind.
You miss out on the fact that Trump's actions lower America's reputation and attractiveness to the whole world. The immigration process to the US is so complex, and now so potentially volatile, that lots of people who could have wanted to contribute to the US will just want to go to Canada or Europe instead. Even if they're not affected by the 7-country-ban, because they can't be sure that it won't be expanded later.
Trump's EO sent a message, and it was the wrong message. People are listening.
This is going to have potentially decades-long ramifications for STEM, tech, and cybersecurity in the US, among other things.
I doubt it. There are huge amounts of people who would love to move here, given the chance. People who can't get a work visa for the EU, for example. Or even from the EU and are interested in cutting edge things. They don't care about politics, they just want to come and work.
I'd bet, even the people affected directly by the ban, if given the chance would accept, despite your assertion.
When I go to work or live in a different country, thoughts about immigration policies do not enter my mind aside from, can I get the visa.
I work as a consultant remotely, most of my customers are American companies. I've been paid a bit more than 1 million USD altogether in the last 4 years but haven't contributed back to the US through taxes. I also didn't contribute to the local economy there because I do not live there.
Once upon a time, I wanted to immigrate to the US but the immigration laws convinced me otherwise. I'm interested in cutting edge things but I found that I could easily work on them without being in the country.
This is just anecdotal and I don't know how many are like me but I do have quite a few friends in Europe who have the impression that the immigration process to the US is over complicated and reject trying to go there out of hand.
I'm sure there are cases like yours --and it's probably not a bad thing for the world economy and prosperity. There is a benefit to other nations becoming economically healthy, rather than suffering "brain drain" and having their brightest minds only go to already successful economies further contributing to declining conditions in those countries. We only need to look at the state Russia and South Africa are in and where they could be, if they retained their talent.
You missed the point entirely. Leaving out Irish, Italians, Syrians or the Jews (Godwin's Law exception) because of nativist hate toward disparaged peoples was/is shooting oneself in the foot... other, wiser countries will gain by taking in more people (either to bolster their fertility rates, tax bases and/or future world standing) because it's hard to select the good ones in a haphazard, politically-driven immigration process whose children, grandchildren, etc. have the greatest probability of being the next billionaire job creator, small business owner or at least high income-earning taxpayers.
Additionally people from other countries will see that and might decide not to come to the US. There's now a lot of opportunities for well educated people other than the US and the actions of Trump make the US seem like a risky choice.
Actually, immigration from 'around the world' only dates back to 1965 for the US [1]. Before that, it was more or less 'whites only' - preferably not even eastern European whites. And it took many years for the new policy to be felt [2]. So the history of the US as a nation of immigrants from around the world is rather brief, and saying it was made great by this is untrue, unless you're arguing it was 'made great' entirely in the last 40-50 years.
> The part about Department of Education ensuring a competent workforce doesn't jive with haphazardly turning back permanent residents with PhDs and valid green cards from reentering the country where they live.
This EO is ordering a review and report, while the immigration EO is ordering actions to address a perceived immediate need. Note also that they are only in effect for 60 and 90 days respectively - this administration is in the "organization" phase still.
The real joke is that all this information is already out there. Infrastructure has already been evaluated. The enemy is well understood. But you do have to read the reports. You have to trust those writing the reports. You have to not yell them out of the room when they say something that offends your reality. This order is a call for new reports written by new people with the skills necessary to explain cybersecurity to large children.
"China bad. Big internet computer need antivirus."
The danger is that this is exactly what's happening, without the churlish conclusion.
This is a call for reports to be rewritten by staff sympathetic to the current president's cause. That's the first step to "securing our cyber borders" via VPNs, proxies, vetting of internet companies, etc.
I'm very serious about the language. When presenting to people like Trump you must change your language. Take "VPN". I would never use that term in front of someone like Trump. Never use an acronym that bossman might not understand. It pushes him into a corner. Someone like Trump won't ever ask to clarify a term because to ask suggests he doesn't know something, that he isn't the smartest person in the room. So he won't ask and instead just stare at you trying to be intimidating, a defense mechanism. Maybe he'll like your confidence, but even so you are wasting his time because you are using terms he doesn't understand and so the information isn't getting through. You won't be asked back.
If he asks what "VPN" means, you then say "Virtual Private Network" ... which he still doesn't know and must ask again, making him feel doubly stupid. So when presenting to such people you absolutely must start with baby talk. Instead of VPN start with "tunnels through the internet protected by encryption". If he recognizes this as a VPN he will interrupt you, making him feel smart. And don't mention servers. Say "computers". "Servers" will make him picture waitresses.
Not kidding. This speaking-to-the-idiot-bossman is a skill, especially in politics or military areas where bossman is appointed for reasons divorced from knowledge or background.
And "man" because I've never seen this behavior in a female leader. This is a macho male thing imho rooted in instinct and genetics.
churl•ish (chûrˈlĭsh)
adj. Of, like, or befitting a churl; boorish or vulgar.
adj. Having a bad disposition; surly: "as valiant as the lion, churlish as the bear" (Shakespeare).
adj. Difficult to work with, such as soil; intractable.
Grizzly Steppe illustrated that the intelligence agencies are not working together (NSA had different confidence levels in the conclusions than CIA and FBI - why?) If you got a pen-test report back with those platitudinous security recommendations, you would probably not be very happy signing the check.
The Department of Commerce is rightfully responsible for the creation of the private sector report, because NIST is part of the DoC and NIST is where all of the best security guidance is coming from these days (the DoD adopted NIST's security standards, for example).
HUMINT vs SIGINT. NSA confidence was moderate as they weight SIGINT-based evidence more heavily. The biggest bits of evidence came from human intelligence sources in Russian government (I believe some were arrested for treason due to this).
https://obamawhitehouse.archives.gov/the-press-office/2013/0...
https://obamawhitehouse.archives.gov/the-press-office/2015/0...
https://obamawhitehouse.archives.gov/the-press-office/2016/0...