White House Withholds Cyber-Security Order For Further Revision
ANALYSIS: Trump withheld an executive order on cybersecurity, leaving the Washington IT community wondering what changes he intends to make
To put it bluntly, Congress is famously stingy when it comes to spending money for the Executive Branch unless it somehow benefits each member’s district.
What’s also notable is that the revised EO, while more complete than the first version, still doesn’t really address a full cyber-security picture. For example, there’s no discussion of staff qualification or training so that existing staffers can be up to speed on current cyber-security practices.
Considering that the White House has frozen all federal hiring with few exceptions, most departments and agencies will have no way to hire experienced security personnel, which means that they must train the personnel they already have.
Likewise, the cyber-security EO, assuming it survives relatively intact, does not address the vast array of equipment the government already has. What’s going to happen to this gear? It can’t just be dumped on the surplus market, if only because much of it contains sensitive or classified information.
What next?
“This is very typical of what you see these days,” said Arman Sadeghi, CEO of Data Destruction Corporation. “That one of the areas that’s often overlooked. It’s been happening for many years. They’ve completely left it out.”
While the EO focuses heavily on keeping internet-borne hackers out of U.S. networks, it doesn’t really address threats coming from other directions. “There’s a major disconnect in where data gets out,” Sadeghi said. “They’re focusing on hacks through the web, but a much bigger risk is with devices that are obsolete and being taken off line. A data breach will involve this aspect of data security.”
The problem is that a great deal of equipment contains data, and a lot of it isn’t obvious. Some things such as hard disk drives are obvious. But surprisingly few IT managers or CISOs realize that everything from copiers to fax machines to network switches and firewalls also retain data, and that data can be recovered by attackers and used.
“They need to specifically have verbiage that addresses end of life for IT equipment that contains data,” he said. Sadeghi also said that the emergence of internet of things devices within the government will only exacerbate the problem with data retained in obsolete devices, because most of these devices contain data and so does the network equipment they use for communications.
If there’s a bright point, it’s that the cyber-security EO is still just a draft. Potentially, it can be changed to be more complete. Considering that it looks as though existing draft went through the hands of someone who knew what they were doing, perhaps it’s not too late for a more comprehensive draft to become the final executive order that the president signs.
Originally published on eWeek