April Fools' Day may be over, but the fallout continues. For me, it always comes back to the central mystery: Was it or was it not actually a joke? For 2015, the most confusing candidate came from the White House. I realize politicians -- especially staffers -- are second only to Catholic school nuns in their historic lack of a humor gene, but if you read the original post on the White House blog and its two subposts, then consider they were published on April 1 -- well, the humor door swings wide open.
If you were busy giggling about Tesla’s W model or Google’s Pac-Man and weren’t, like me, snogging scotch on the couch while surfing political websites, you may have missed what I’m talking about. It was a post by Michael Daniel, the Special Assistant to the President and the Cybersecurity Coordinator, titled “Our Latest Tool to Combat Cyber Attacks: What You Need to Know.” That sounded awesome, especially well into my second fifth, so of course I clicked on it.
As it turns out, our latest tool to flatten the exponentially growing, seething, bubbling cauldron of globally dispersed cyber lintwads is -- hold on to your expectations -- the sleep-inducing power of an executive order, aka the legislative trophy wife. This order comes on the heels of another presidential cyber security mandate back in February that created the Cyber Threat Intelligence Integration Center (CTIIC).
I wrote about the first order with my usual air of diplomacy and veiled disappointment because it established another money-sucking branch of federal government with no direct responsibilities other than to use unquantifiable verbs like “analyze,” “communicate,” and “coordinate.” The White House must have seen the post and collectively decided, “Let’s see how he likes this!” Yes, I’m that important.
A second chance for cyber security
To get my ailing heart as close to a rage-induced cardiac event as possible, the White House went to great lengths to ensure that the new order sounds even more pointlessly pompous and has even less real content than its predecessor, yet is composed of three online documents whereas the earlier version numbered only two. On that note, along with April Fools' timing, it’s understandable that I was wondering if the prez was having some fun.
Merely reading Daniel’s main post can leave you chuckling -- or smashing yourself in the face with a roofing hammer, depending on how seriously you take cyber security. The order is framed as an FAQ, but be warned: Daniel is afflicted with the double-whammy of a politician’s aversion to straight answers and a security professional’s allergy to actionable information. Some examples:
What does the executive order do exactly? It authorizes the Secretary of the Treasury, the Attorney General, and the Secretary of State to impose sanctions on parties whom the Secretary of the Treasury has decreed are international bad people or entities using computers to do bad things to us. Never mind that none of the trio can impose any significant international policy by themselves or that the Secretary of the Treasury may be the least likely Washington official to ever figure out who is and isn’t a cyber villain. But hey, it looks good on paper and we’re out of here in 2016, so who cares?
Who will we target with this new tool? The “worst of the worst” of malicious “cyber actors.” Unlike Daniel, I’m not an InfoSec professional, so maybe I missed the last nomenclature memo that officially declared all digital d-bags “cyber actors,” but that’s what the White House is calling them. Why only the “worst of the worst” and not only the worst -- or simply anyone who performs one of the monstrously vague and broad acts described in this executive brain fart? And whose sliding scale of U.S. spook-agency-omitting e-worseness are we using? I don’t know, probably because the less this order is referred to outside of election rhetoric or April Fools' Day, the better for the White House.
How effective will the sanctions be? According to this language, there’s a better than even chance the bad guys won’t notice they're sanctioned unless Daniel blogs again to tell them so.
What about the Sony Pictures hack? Could this executive order have been used then? I’m including this because it’s one of the few times you see someone go to the effort of writing down and calling attention to a question they then completely avoid answering. Daniel carefully carves a wide berth around either yes or no and instead focuses us on what the president did before this order was ever spawned.
The fine print
There’s more, including two additional posts with flowery, cheering, and in no way enlightening language from the president and Assistant for Homeland Security and Counterterrorism Lisa Monaco. I wasted almost a full hour of my life and, far more important, several droplets of spilled amber going over these posts looking for any concrete motions -- a reference to an actual law, a targeted bad guy organization, or even a declaration that the White House will create especially mean-looking stationary Obama can use when informing the nasties they’ve been so sanctioned. All I found were loads of syllables; many instances of the words “malicious,” “national security,” and “actors;” and a slanted regurgitation of the administration's robustly backhanded and ineffective treatment of cyber security across the globe.
Given that, you can’t blame me for thinking the whole production might have been a joke. But the posts are still there, which means they’re pranks of a depressingly different but all too familiar ilk -- the kind that has me reaching for more fermented life juice and has cyber baddies the world over rolling their eyes without ever taking their grubby fingers off the keyboard. Well done, sir!