The current version of the Trump administration’s cybersecurity executive order (EO) reads a lot like the last version and — depressingly — contains initiatives that could just as easily have come out of the Obama administration’s cybersecurity program.

This fourth draft focuses on IT modernization, improving federal cybersecurity defense through a risk-based approach and trying to shift management responsibility over to the military. It weirdly emphasizes workforce development by directing agencies to further assess the training of the American workforce in cybersecurity and the efforts of our foreign enemies to create powerful and well-trained cybersecurity warriors.

This reads like more do-nothing, committee groupthink nonsense in the middle of a crisis. The draft directs a horde of different agencies to all get busy with assessments and reviews and initiatives, evaluating the state of the current educational system with regard to cybersecurity training, blah, blah, blah.

In the meantime, we are under attack daily both in our government sector and in private industry with increasingly sophisticated and effective techniques and tools that successfully disrupt operations, steal money and intellectual property, and create havoc with corporate and organizational reputation and trust.

I can tell you where our educational system is with regard to cybersecurity — it’s nowhere. We have only a small (count on one hand) number of university programs in which cybersecurity is taught even as a part of the computer-science curriculum.

And in spite of the million-plus current vacancies in the cybersecurity field, no young software engineers are very interested in committing their careers to a profession where they always lose and are up against our own intelligence agencies’ continuing to withhold critical information from our computer industry vendors.

Just because they are young, it doesn’t mean they’re stupid.

There is no question that our federal IT systems need modernization. But we have known this for a long, long time, and the Obama administration pushed the idea of modernizing federal government IT over a year ago. So, to call this draft evolutionary versus revolutionary is very generous. I call it “more of the same.” And from the great change-agent, no less.

Many government officials have glommed on to the misguided notion that you have to modernize IT to better secure IT. This is nonsense. This idea has of course been heavily promoted by the IT vendor community; the same people (aka pigs at the trough) who could not adequately protect the existing systems 10 years ago are now arguing that these systems are too old to protect against modern threats. Give me a break.

The federal government, not including the Defense Department, spent more than $15 billion on cybersecurity last year and has nothing other than successful cyberattacks to show for it. The total budget request for cybersecurity in 2017 was $19 billion. We have already purchased tons of advanced technology, but we have no idea how to implement it and don’t have the qualified staff to do so.

This huge IT investment is wasted, yet these agency heads are claiming we need to spend more. I thought government spending was supposed to be a Democrat disease.

This latest EO draft includes plans for more than 15 reports and studies. One provision calls on Commerce and Homeland Security to head an initiative that includes the private sector to reduce the threats posed by botnets. I have a newsflash for these guys. The private sector has been focusing on bots for years. What this EO really needs to focus on is the imminent threat from unsecured Internet of Things (IoT) devices.

Anti-botnet technology exists today, and it works just swell. Instead of an “initiative to study bots,” how about we simply implement the current technology and focus instead on how we are going to deal with IoT threats that put our nation’s critical infrastructure at risk? Do we have to wait until the first power grid is destroyed by a cyberattack before we “study” the potential risk from infrastructure threats? Or are we waiting for a massive bricking attack on smart cars?

We’re not talking loss of sensitive or financial data here. We’re talking loss of lives.

Cybersecurity has been studied ad infinitum. It’s time for action. This waiting for yet another report to say the same things simply increases our national risk. The failure to address the Faustian pact with our intelligence agencies continues to force our private sector to spend embarrassing sums on defensive security technologies while actually failing to reduce their risk.

If the Trump company were being plagued with cyberattacks every hour, I don’t think the pre-presidency businessman Trump would just float initiatives to study the problem.

Steve King is the COO and CTO of Netswitch Technology Management.