Cybersecurity and Deterrence

How Trump’s Executive Order Could Have Stopped the WannaCry Attack

By Steven Weber, Chuck Kapelke
Tuesday, June 13, 2017, 1:08 PM

Last month, a ransomware attack—one of the most far-reaching cyberattacks in history—affected thousands of hospitals, corporations, and other institutions in more than 150 countries. As expected, an attack of this magnitude galvanized calls for action to prevent this kind of event in the future.

At least some of the answers can be found, ironically, in the executive order (EO) signed by President Trump the day before the ransomware attack began. That order—titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”—aims to guide U.S. government agencies in securing their digital networks, as well as to better protect critical infrastructure like defense systems and the electric grid.

The EO is not perfect, of course, but it does mark a clear move in the right direction. Criticisms that the EO lacks specifics miss its larger aim. The EO provides a number of essential guidelines and details priorities that institutions should consider in crafting a cybersecurity strategy. Below are a few takeaways.

Cybersecurity is Everyone’s Problem

The cybersecurity EO declares that executive departments and agencies (agency heads) are “accountable for managing cybersecurity risk to their enterprises,” but that “it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise.” Within each agency, “effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.”

The overarching message, and one that is vital for any institution, is that cybersecurity needs to be managed at all levels. After all, a network is only as strong as its weakest link—which in some instances can be just one employee downloading the wrong file. Too many organizations think that cybersecurity is a specialized job for their IT department, when the basics are actually about training and enlisting all your managers, from HR and other divisions, to create a “culture of security” and ensuring that each and every person on the network knows how to identify and address potential threats.

Of course, saying that cybersecurity is “everyone’s job” exposes the risk that it will end up as no one’s job, and such a lack of accountability would obviously be a step backward. But when the focus is placed on organizational culture, rather than organizational politics, the outcome can be much more positive. A robust security culture can’t protect against the most sophisticated attacks, but most attacks are not very complex, and these steps can take away the easy wins for the bad guys and make the barriers to successful attack much more burdensome. It also empowers the IT security professionals to use their time and resources more effectively.

Update Your Systems

“The executive branch has for too long accepted antiquated and difficult-to-defend IT,” Trump’s Executive Order states, adding that agencies should avoid “using operating systems or hardware beyond the vendor's support lifecycle, declining to implement a vendor's security patch, or failing to execute security-specific configuration guidance.”

Sounds like common sense and basic hygiene—and it is. What’s remarkable is that many organizations, inside and outside the government, aren’t doing it right now. The WannaCry ransomware attack took advantage of a vulnerability in an old Microsoft operating system—a bug that was already known and for which a patch was available. That hundreds of thousands of institutions did not bother to install this security update is not surprising, but the lesson remains: make sure your organization’s software is up-to-date and has all the latest patches installed.

Play Well With Others

The EO calls for new approaches “to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities.” It also calls for “appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”

In other words, the government wants the private companies that run the nation’s utilities and other infrastructure to be more open about how they are managing cyber risk. This makes sense: all institutions share a common interest in learning and supporting each other against the growing threat of malware, and all would benefit from appropriate sharing of information—what bugs and attacks they’re seeing, what defenses are working (or not), etc.—as part of an integrated cyber strategy. There are issues that need to be worked out, including liability and privacy concerns, but the intention is right. We need to aim for a world in which no legitimate organization is ever surprised by an attack that is already known to another legitimate organization.

Prepare for the Worst

The EO calls on the Secretaries of Energy and Homeland Security to assess “the potential scope and duration of a prolonged power outage associated with a significant cyber incident…against the United States electric subsector; the readiness of the United States to manage the consequences of such an incident; and any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident.”

Cyber-preparedness is, in some respects, like earthquake-preparedness: we need to have a plan for how we will respond when catastrophe strikes. During the WannaCry attack, hospitals across the U.K. were forced to scramble when their data systems were frozen—a reminder that any organization should have a plan of action for the most critical contingencies of a cyberattack (within the bounds of reasonable cost-vs.-risk analysis). Such a plan should take into account the possibility that electric grids, security systems, and anything else that depends on computing power and the internet may be shut down at least temporarily.

Build the Cyber Workforce

Trump’s EO declares that the “United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.” It requires that agencies “jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education.”

Indeed, the cybersecurity challenge is only going to get more complex over time, so all institutions, regardless of their area of focus, should support efforts to train a future workforce that can defend our civic institutions from cyber threats. Our Center has called on Congress to establish a “Cyber Workforce Incubator” that would allow private-sector technologists to work in teams with government security professionals on government-related projects on a short-term basis. We are also developing a professional Master’s program in cybersecurity that will train large numbers of technically skilled workers who can meet the needs of industry and government. Companies should reach out to work with institutions of higher education—and even K-12 schools—to help build a pipeline for future talent.

Plan for the Future

As with any policy, the devil lies in the details, which in this case means that the hundreds of thousands of employees within the U.S. Government will ultimately have to translate the EO’s directives into practice. But that won’t happen unless a clear message is sent out and reinforced that cybersecurity is now a priority objective, as important as innovation, cost savings, efficiency, and other tier-one goals. If the EO sends that message—and the White House keeps saying it—that is a necessary step that will pay off in real action down the line.

Security also means thinking about the future. Trump’s Executive Order notes that “effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity.”

The U.S. Government is not known to be the most nimble institution in the world, so if it can do this, it’s a good sign for everyone else. It is now crucial to carve out the time to plan ahead and have a roadmap for the ongoing steps organizations must pursue to be safer as they become more digital. The past decade has shown us quite a lot about the advantages of digital innovation, but it has also demonstrated that no institution is safe, and a new cyberattack is almost always right around the corner. Innovation and security are becoming equally important, and if the EO makes that message real and tangible for a wide variety of organizations, it will have done much of what we can hope for it to do.