An administration burned by the failure of its executive order on immigration to pass legal muster has held up consideration of its next big effort, which is an order on cyber-security. That executive order, something each administration has issued since the George W. Bush presidency, was withheld without explanation on the day it was supposed to be signed.
A look at the original EO as obtained by the Washington Post and the subsequent revision as obtained by Lawfare show substantial differences. The latest version, which is still a draft, shows two things, one is a wish list from lots of people, and the other which is a more thoughtful approach by someone with actual cyber-security expertise.
The speculation as to why the order was suddenly pulled revolves around a president who was reportedly angry that the immigration order wasn’t well crafted and who wanted to make sure this one was done right.
The new version of the EO does several important things. First, it makes clear that each agency head and each department secretary has the ultimate accountability for cyber-security. This appears to be done to prevent those heads from passing the buck to their subordinates instead of retaining it in their own hands.
The new EO also speaks clearly about the need to modernize the U.S. government’s antiquated data systems, to keep software and systems updated and to make sure the latest security practices are followed. The order also requires full assessments of government agency’s cyber-security status and to report it to the White House. The Office of Management and Budget would receive the reports and consolidate them for the President.
It’s notable that the revised EO discusses risk management in detail and it discusses the risk of outdated systems. The draft order says, “Known but unmitigated vulnerabilities are among the highest risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security specific configuration guidance.”
The problem with the approach is that it comes from a President who continues to use an older, unsecured, Samsung Galaxy cell phone on a constant basis despite having been provided a secure smartphone like the one used by his predecessor.
Likewise there are reports widely circulating in Washington that the senior White House staff has yet to give up using their personal devices. It’s worth noting that the President’s Android phone is one of those that are vulnerable to being hacked by a single incoming text message.
Still, much of the order argues for a consistently updated federal IT infrastructure, which is something that previous administrations haven’t really tried. But the reason that approach hasn’t been tried is the difficulty in getting Congress to pay for a comprehensive data system update.