To put it bluntly, Congress is famously stingy when it comes to spending money for the Executive Branch unless it somehow benefits each member’s district.
What’s also notable is that the revised EO, while more complete than the first version, still doesn’t really address a full cyber-security picture. For example, there’s no discussion of staff qualification or training so that existing staffers can be up to speed on current cyber-security practices.
Considering that the White House has frozen all federal hiring with few exceptions, most departments and agencies will have no way to hire experienced security personnel, which means that they must train the personnel they already have.
Likewise, the cyber-security EO, assuming it survives relatively intact, does not address the vast array of equipment the government already has. What’s going to happen to this gear? It can’t just be dumped on the surplus market, if only because much of it contains sensitive or classified information.
While the EO focuses heavily on keeping internet-borne hackers out of U.S. networks, it doesn’t really address threats coming from other directions. “There’s a major disconnect in where data gets out,” Sadeghi said. “They’re focusing on hacks through the web, but a much bigger risk is with devices that are obsolete and being taken off line. A data breach will involve this aspect of data security.”
The problem is that a great deal of equipment contains data, and a lot of it isn’t obvious. Some things such as hard disk drives are obvious. But surprisingly few IT managers or CISOs realize that everything from copiers to fax machines to network switches and firewalls also retain data, and that data can be recovered by attackers and used.
“They need to specifically have verbiage that addresses end of life for IT equipment that contains data,” he said. Sadeghi also said that the emergence of internet of things devices within the government will only exacerbate the problem with data retained in obsolete devices, because most of these devices contain data and so does the network equipment they use for communications.
If there’s a bright point, it’s that the cyber-security EO is still just a draft. Potentially, it can be changed to be more complete. Considering that it looks as though the existing draft went through the hands of someone who knew what they were doing, perhaps it’s not too late for a more comprehensive draft to become the final executive order that the president signs.
Originally published on eWeek