How do Republican vs Democrat administrations differ in their approach to cybersecurity policies and executive orders?

Anonymous Author
When you look at how cybersecurity as an issue has been framed, say starting with the Bush administration up to where we are now with Biden, to me, it has been one of the most bipartisan issues out there. There seems to be broad agreement in Congress and the administration across Democratic and Republican administrations of what the key issues are that could be solved, and roughly what the solutions are. If you look at the executive orders that have been issued for the last 20+ years by presidential administrations, there has been very little disagreement across administrations. So for instance, President Obama was the first president to issue a comprehensive global strategy for cyberspace. And the top-line strategic sort of message was, “the US advocates for a cyberspace infrastructure that's open, interoperable, secure and reliable.” And when the Trump administration came in and basically tossed out, it seemed like, every single executive order that could be tossed out, their replacement cybersecurity executive order basically flipped the last two words in the statement of core values in the cyberspace: “The US aims for a cyberspace that is open, interoperable, reliable and secure.” One takeaway is great: that there seems to be broad agreement on these issues. But then at the same time, why the hell haven't we been able to actually make meaningful progress, particularly on the legislative front? Everybody agrees, when you have a data breach and you lose control of your information, that's a big deal. We need to have something that puts in place the proper controls, and constraints, and rewards, and penalties. But we just don't seem to be able to make national-level progress on those well-identified problems.
2 upvotes
Anonymous Author
I can't speak to executive orders that have been signed. I couldn't tell you exactly what any of the last four presidents have done in that area. But to be somewhat optimistic, I think that there has been some progress made. There have been the NIST standards. There are documents around Zero Trust that have been and continue to be put out from the government. But I think they get lost a lot in the shuffle. And I think where the teeth are missing is that these areas are created, and these documents are created, and these good ideas are put out to the world, but businesses at the end of the day are looking to make money, and governments are looking to cut budgets. And with those two things in mind, security inherently creates friction, and slows things down, and adds additional cost. I think there are some good things that have come out. But ultimately there's no true incentive for them to do it outside of their business getting hit. And that's it, that's the incentive. Even on the government side, there's no incentive for them to go back and fix their old systems because there are no fines. There are no people getting laid off because of these things. So what's the teeth behind it? What is that risk, right? Where is that threshold? Anybody who ever talks to me about cybersecurity is going to hear this theme come up of risk and acceptance, and what's too much, and what's too little. We haven't figured that out as an industry yet. We just haven't, in my opinion.
3 upvotes