Skip to content
Home » security » What a pocket veto is

What a pocket veto is

A pocket veto is a political term, but it doesn’t strictly apply only to governments. It is also a concept or practice in business politics. It’s something I deal with quite a bit as a security professional.

A pocket veto example in software development

what a pocket veto is

A pocket veto is a common practice in both business and politics.

When Twitter and Facebook performed mass layoffs in November 2022, a collapse I compared to Digg v4, a number of stories from former employees came out regarding questionable things they were ordered to do.

One story I read involved planting spyware in a mobile app. Essentially, one of the phone companies wanted to be able to use a social network’s mobile app to know when one of their customers visited a competing store.

Highly unethical. This particular former developer was in a position to say no. Firing this specific developer would be risky, and this developer new they would be able to find other employment very quickly if they were terminated.

The developer ended the story with a bit of advice. If you are a developer facing an order to build something unethical, and you can’t afford to say no, you can utilize a pocket veto.

In this case, a pocket veto means not saying no. It may mean implementing something but implementing it intentionally badly, or delaying it. Either way, you’re not saying no. And you can buy yourself some time to find a better situation, theoretically.

A pocket veto example in IT

I run into examples of a pocket veto in IT all the time. I work in a specialized security field called vulnerability Management. The major thing that we oversee in vulnerability management is patch deployment. Software vendors such as Microsoft release updates to their software every month. These updates fix security issues.

The problem is security teams have no actual oversight. In some cases, IT teams can be downright defiant. Because the CISO usually reports to the CIO in most large companies, it means the CISO is just another IT vice president. When the rest of the IT department doesn’t want to do something, all they have to do is find two or more IT vice presidents who agree that they don’t want to do that thing. Then they just go to the CIO and outvote the CISO. And that’s probably going to be the end of it.

But that’s not a pocket veto. That is very much a conventional veto. A pocket veto is outright ignoring the security team.

Two forms

I’ve personally seen these pocket vetoes take two different forms. In one form, a manager says that the update is an unfunded mandate, that they don’t have the staff or the tooling to comply, and they don’t do it. They never sign a risk acceptance. Going by the book, a risk acceptance is the right way to handle that situation. They don’t accept any risk or responsibility. They just say they aren’t going to do it. Sometimes it’s verbally, but I’ve even seen it in writing.

If I had something in writing, I’d save it and put it in the GRC tool. Wrong form for an official risk acceptance, but it’s a paper trail. I wouldn’t call that a true pocket veto since they delivered something in writing.

In its more common form, they just don’t deploy the update. They don’t even say yes or no. And the problem with this type of pocket veto is that even the lowest rank employee in the organization can execute it. They can ignore the ticket. Or they can close the ticket and say they did it even though they didn’t, and play the false positive card.

I can counter this type of pocket veto, because I was a system administrator specializing in remediation, and I am extremely good at reading a Qualys or a Nessus scan. I can tell by reading the scan results if they didn’t deploy the update at all, and I can also tell if they deployed the update and just didn’t reboot. Usually, I can even tell from the scan the last time the system was rebooted.

Not every security organization has someone with that level of skill at reading scans.

What a pocket veto is in politics

In government politics, a pocket veto works in much the same way. If the legislature passes a bill, and the president or governor doesn’t want to sign it into law, the normal process is to veto it. And depending on the bill, a president or a governor might make a very big deal of vetoing it, even calling a press conference and doing it on camera.

When the chambers are controlled by one political party, and the governor or president is from the other party, this can happen quite a bit. Both sides are jockeying for political leverage.

But sometimes a bill passes, and it would be politically popular, but the governor or president opposes it. They don’t want to sign it. But they also don’t want to make a big deal of vetoing it. And they don’t want to give the senate a chance to override a veto with a 2/3 majority. So they ignore the bill, so they can say they never signed anything on that issue.

A skilled debater will counter by saying that’s because the bill has been sitting on your desk ever since it passed both chambers. But at that point, it’s up to the fact checkers to confirm or refute that. The politician who used the pocket veto is betting that very few voters will be swayed by this single failure to act. And that’s probably a fairly safe bet. Realistically, the only ones who will be enraged are the people who were going to vote for the opponent anyway.

When the electorate isn’t polarized, a pocket veto is very much an act of cowardice. But when the electorate is polarized, it can be seen as an act of defiance and be less risky than a proper veto would be.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: