White House Withholds Cyber-Security Order for Further Revision

NEWS ANALYSIS: President Donald Trump withheld an executive order on cyber-security that was ready for his signature leaving the Washington IT security community wondering what changes he intends to make.

Donald

An administration burned by the failure of its executive order on immigration to pass legal muster has held up consideration of its next big effort, which is an order on cyber-security. That executive order, something each administration has issued since the George W. Bush presidency, was withheld without explanation on the day it was supposed to be signed.

A look at the original EO as obtained by the Washington Post and the subsequent revision as obtained by Lawfare show substantial differences. The latest version, which is still a draft, shows two things, one is a wish list from lots of people, and the other which is a more thoughtful approach by someone with actual cyber-security expertise.

The speculation as to why the order was suddenly pulled revolves around a president who was reportedly angry that the immigration order wasn’t well crafted and who wanted to make sure this one was done right.

The new version of the EO does several important things. First, it makes clear that each agency head and each department secretary has the ultimate accountability for cyber-security. This appears to be done to prevent those heads from passing the buck to their subordinates instead of retaining it in their own hands.

The new EO also speaks clearly about the need to modernize the U.S. government’s antiquated data systems, to keep software and systems updated and to make sure the latest security practices are followed. The order also requires full assessments of government agency's cyber-security status and to report it to the White House. The Office of Management and Budget would receive the reports and consolidate them for the President.

It’s notable that the revised EO discusses risk management in detail and it discusses the risk of outdated systems. The draft order says, “Known but unmitigated vulnerabilities are among the highest risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor's support lifecycle, declining to implement a vendor's security patch, or failing to execute security specific configuration guidance.”

The problem with the approach is that it comes from a President who continues to use an older, unsecured, Samsung Galaxy cell phone on a constant basis despite having been provided a secure smartphone like the one used by his predecessor.

Likewise there are reports widely circulating in Washington that the senior White House staff has yet to give up using their personal devices. It’s worth noting that the President’s Android phone is one of those that are vulnerable to being hacked by a single incoming text message.

Still, much of the order argues for a consistently updated federal IT infrastructure, which is something that previous administrations haven’t really tried. But the reason that approach hasn't been tried  is the difficulty in getting Congress to pay for a comprehensive data system update.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...