Five months after rejecting a less detailed executive order on cybersecurity, Trump signed one on May 11, 2017 (Order). The Order notifies federal agencies that the “President will hold heads of executive departments and agencies (Agency Heads) accountable for managing cybersecurity risk to their enterprises.” Other key goals of the Order are to: (1) assess the scope and sufficiency of the U.S. cybersecurity workforce; (2) increase education opportunities to ensure the U.S. has the workforce to protect itself and be competitive internationally; and (3) increase transparency in the software market.[1]  Proponents of the Order hope to strengthen the security of federal networks and protect the nation’s critical infrastructure. Coincidentally, the executive branch released the Order on the eve of one of the largest, and most avoidable, ransomware outbreaks in history, the vicious #WannaCry.

The President premises the Order on the belief that federal agencies are complicit in their own vulnerability to cyber threats.

The Order identifies known but unmitigated vulnerabilities in the security of U.S. government systems, including:

  • Being lax about cybersecurity risk management;
  • Using operating systems and hardware after the expiration of vendor support; and
  • Declining to apply the patches and updates that remedy known vulnerabilities.

Essentially, many federal agencies are complacent about cybersecurity.

The Order comes with a simple but proven tool box.

The National Institute of Standards and Technology (NIST) is a non-regulatory division of the Department of Commerce.  Under a 2013 executive order, NIST developed a voluntary framework for managing the cybersecurity risks that threaten the U.S. electric power grid and other critical infrastructure (Framework). The Framework’s simplicity and usability led private and public entities throughout the world and across countless industries to adopt it.

The Order requires that Agency Heads use the Framework to develop realistic risk management plans. Agency Heads must modernize equipment and software, increase the sharing of IT services across agencies, and become more diligent about monitoring for and addressing vulnerabilities. The timing of the Order, coming one day before the worldwide #WannaCry ransomware meltdown, illustrates the important, but too-long neglected, cybersecurity and privacy concerns within the U.S. government.

WannaCry? Here is something to cry about.

Almost 250,000 computers in 99 countries (and counting) would not have been vulnerable to the WannaCry or WannaCrypt ransomware if the security update that Microsoft released in March 2017 (MS17-010), two months before the outbreak, had simply been installed. Here is a quick primer on the WannaCry destruction.

Ransomware 101. Ransomware encrypts a computer’s files, and the computer operator then gets a message demanding a payment, typically in bitcoin, to get the files released. Demands range from a few hundred dollars to, in some cases, seven figures; WannaCry asked for $300, rising to $600 if the victim delayed.

Worms spread ransomware like WannaCry on their own, with no one having to click anything. How does a worm get on a computer?  It enters through a “hole” in the cybersecurity fence, in WannaCry’s case a flaw in an old Windows file-sharing protocol (SMBv1). How does a hole develop?  Inattention. How do you fix holes?  First, you have to monitor your fence line and know there is a hole. When you find a hole, you patch it. Then, you — the vendor or IT specialist — send updates to users, if the patch cannot be installed automatically, reminding them to install it and to restart their computers so the patch actually takes effect. Just like that…fixed.[2]

The perfect storm of using outdated software, not looking for holes and ignoring updates permits the nightmare of WannaCry ransomware to spread. Among the systems exposed to WannaCry was a version of Windows that its vendor has not sold since 2008 or supported since 2014, and for which the vendor took the unusual step of issuing an emergency patch once the outbreak began. Systems that had installed the March 2017 update could not be exploited by the worm. Those that had not, or that had installed it but never restarted, may have been infected.
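The three failings the Order names (unsupported operating systems, unapplied patches, and patches that are installed but not yet active because no one restarted) can be turned into a routine check over an asset inventory. The following is an added example written for this post, not a tool from the Order or from any vendor; the host records and hostnames are constructed, the `MS17-010` release date and the end-of-support dates are real, and the 30-day patch deadline is an assumed policy value.

```python
"""Audit a host inventory for the failings the Order calls out:
unsupported operating systems, missing security updates, and updates
that were installed but are not active because a reboot is pending.
Added example, not code from the Order, NIST, or any vendor.
"""
from datetime import date

# Vendor end-of-extended-support dates (real dates for these products).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
}

# Assumed policy: a critical update must be installed within this many days.
PATCH_SLA_DAYS = 30

# The SMBv1 fix WannaCry exploited the absence of; release date is real.
REQUIRED_UPDATE = ("MS17-010", date(2017, 3, 14))

# Constructed inventory: these hosts do not exist.
SAMPLE_HOSTS = [
    {"hostname": "fileserver-01", "os": "Windows XP",
     "installed_updates": set(), "pending_reboot": False},
    {"hostname": "desk-07", "os": "Windows 7",
     "installed_updates": {"MS17-010"}, "pending_reboot": True},
    {"hostname": "desk-12", "os": "Windows 7",
     "installed_updates": {"MS17-010"}, "pending_reboot": False},
    {"hostname": "desk-20", "os": "Windows 7",
     "installed_updates": set(), "pending_reboot": False},
]


def audit_host(host, required_update, as_of):
    """Return a list of finding strings for one host record.

    host: dict with hostname, os, installed_updates (set of update ids)
          and pending_reboot (bool).
    required_update: (update_id, release_date) that every host must have.
    as_of: the date the audit is run.
    """
    findings = []
    name = host["hostname"]

    # 1. Operating system past the vendor's support lifecycle.
    eos = END_OF_SUPPORT.get(host["os"])
    if eos is not None and as_of > eos:
        findings.append(f"{name}: {host['os']} unsupported since {eos}")

    # 2. Required update never installed; note how far past the SLA it is.
    update_id, released = required_update
    if update_id not in host["installed_updates"]:
        days = (as_of - released).days
        status = "overdue" if days > PATCH_SLA_DAYS else "within SLA"
        findings.append(f"{name}: missing {update_id} ({days} days since release, {status})")
    # 3. Update installed but not active until the machine restarts.
    elif host["pending_reboot"]:
        findings.append(f"{name}: {update_id} installed but inactive until reboot")

    return findings


def audit_inventory(hosts, required_update, as_of):
    """Run audit_host over every record and flatten the findings."""
    return [f for h in hosts for f in audit_host(h, required_update, as_of)]


if __name__ == "__main__":
    # Audit as of the day after the Order, the morning WannaCry broke out.
    for finding in audit_inventory(SAMPLE_HOSTS, REQUIRED_UPDATE, date(2017, 5, 12)):
        print(finding)
```

In a real environment the inventory would come from a configuration-management or endpoint tool rather than a literal list, but the logic is the same: the third branch is the one most audits skip, and it is exactly the case of a user who downloaded the patch and never restarted.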

No solution is fail-safe. Nevertheless, at a minimum, use the tools provided to you by the software vendors, IT technicians and NIST. The continued safety of the U.S. relies in part on keeping the infrastructure free of malware and fully patched. The Order has a wide range of obligations, analyses and goals that ultimately may not be achieved within the stated timeframe. There’s a patch for that.

[1] Software is treated as a one-time capital expense, depreciating over time. This pricing model ignores the reality that software is never truly finished — it always needs a new version or update to increase efficiency and reduce vulnerabilities. This aspect of the Order merits discussion, but not here, not now.

[2] The author clearly has a problem with holes in buckets also:

Jane E. Brown

Jane Brown counsels companies on domestic and international privacy and data security regulations and advises companies looking to grow into new markets on international trademark and data considerations.

As former in-house counsel at an asset management fund, Jane engendered a level of trust that resulted in employees proactively seeking her advice to avoid, rather than resolve problems. One of her greatest talents is serving as a hub to bring diverse groups to common ground. Jane has worked with the Chief Privacy Officer for the State of Washington and some brilliant law students and state employees to create a Privacy by Design, Privacy Modeling Tool:

Jane’s other representative experience includes:

  • Developing and maintaining privacy policies,
  • Assisting a startup in identifying from which countries in Europe, Central and South America and Asia it could collect biometric data,
  • Showing all members of the organization how they contribute to the company’s compliance with state, federal and international regulations, including APEC and the GDPR,
  • Verifying ownership of international trademarks and effecting assignment of those marks in a corporate transaction, and
  • Drafting co-production film agreements, releases and nondisclosure contracts.

Jane recognizes that clients need a nimble, versatile and practical advocate to shepherd them when legal issues, or even fulfilling a dream, requires tough decisions.  The common thread in all of her successes is her ability to help people define their needs vs. their wants and collaborate on a plan to get them the best possible result. Jane and her southern accent moved from Dallas to Seattle in late 2014, to assist with the care of a family member.  Her quick adjustment to her new home is indicative of her entrepreneurial and adventuresome spirit.

She has traveled the world, configured outbound delivery routing, raised funds for nonprofits and produced plays and community television shows. In every circumstance, she built a familial support team and smashed through, bargained with or adapted to adversity.