aclater
commented
6 years ago Encryption is briefly addressed, though there could be more emphasis:
Reduce the Federal attack surface through enhanced application and data-level protections. Rather than treating Federal networks as trusted entities to be defended at the perimeter, agencies should shift their focus to placing protections closer to data, specifically through improved management and authentication of devices and user access, as well as through encryption of data – both at rest and in transit. This approach curtails an attacker’s likelihood of gaining access to valuable data solely by accessing the network, and it has the potential to better block and isolate malicious activity. As agencies prioritize their modernization efforts, they should implement the capabilities that underpin this model to their high value assets first.
mjemery1
I noted that the report did not contain the word "encryption". While there were mentions of using https, tls and other limited web browsing security features, there is nothing at all in the report on any plans to implement encryption to protect and secure Federal systems. This oversight may have been accidental but I somehow doubt that.
The recent Office of Personnel Management (OPM) hack was due in part to weak security and illustrated the poor condition of the US government IT infrastructure. OPM stated that they were unable to prevent the breach because their "legacy" COBOL based system could not be encrypted. However, that assertion is a false excuse since I wrote encryption for the US Army on COBOL based logistics systems in the 1980s. The fact is, they could have secured the data but decided not to.
Massive data breaches at the OPM, the IRS, the EPA, the FBI, the State Department, Veterans Affairs, and the Defense Department have been sprayed all over the headlines in recent months. The rank and utter disregard for the public data has left millions of Americans vulnerable to daily attack and financial damages. National secrets have become headlines and foreign powers are having a field day hacking high ranking individuals. The attacks have assisted our enemies by giving them important data on our global moves and even funded them with our own tax dollars.
A modern state is such a complex and interdependent fabric that it offers a target highly sensitive to a sudden and overwhelming cyber strike. One of the most vulnerable targets would be the U.S. government. Encryption alone does not guarantee America's security, but I believe it best exploits the nation's greatest asset — our technical skill. The move toward using powerful encryption to protect our most important assets, including the data assets of the U.S. government, is both logical and prudent.
I suggest you rewrite the report and forget the ongoing political feud regarding intelligence, law enforcement and other entities on the topic of encryption. We have no time for that. We are in a cyber-war and we must put our best defense - encryption - forward as fast as possible. The alternative is too costly to consider.