Five months after rejecting a less detailed executive order on cybersecurity, Trump signed one on May 11, 2017 (the Order). The Order notifies federal agencies that the “President will hold heads of executive departments and agencies (Agency Heads) accountable for managing cybersecurity risk to their enterprises.” Other key goals of the Order are to: (1) assess the scope and sufficiency of the U.S. cybersecurity workforce; (2) increase education opportunities to ensure the U.S. has the workforce to protect itself and be competitive internationally; and (3) increase transparency in the software market.[1] Proponents of the Order hope to strengthen the security of federal networks and protect the nation’s critical infrastructure. Coincidentally, the executive branch released the Order on the eve of one of the largest and most avoidable ransomware attacks in history, the vicious #WannaCry.

The President premises the Order on the belief that federal agencies are complicit in their vulnerability to cyber threats.

The Order identifies known, immediate threats to the security of the U.S. infrastructure, including:

> Being lax about cybersecurity risk management;

> Using operating systems after the expiration of vendor support; and

> Disregarding patches and updates to remedy vulnerabilities.

Essentially, many federal agencies are complacent about cybersecurity.

The Order comes with a simple but proven tool box.

The National Institute of Standards and Technology (NIST) is a non-regulatory division of the Department of Commerce. NIST’s original mission in the cybersecurity industry was to develop a voluntary framework to manage the cybersecurity risks that threaten the U.S. electric power grid and other critical infrastructure (the Framework). The Framework’s simplicity and usability led private and public entities throughout the world and across countless industries to adopt it.

The Order requires Agency Heads to use the Framework to develop realistic risk management plans. Agency Heads must modernize equipment and software, increase the sharing of IT services across agencies, and be more diligent in monitoring and addressing vulnerabilities. The timing of the Order, coming one day before the worldwide #WannaCry ransomware meltdown, illustrates the important but too-long-neglected cybersecurity and privacy concerns within the U.S. government.

WannaCry? Here is something to cry about.

Almost 250,000 computers in 99 countries (and counting) would not have been vulnerable to the WannaCry or WannaCrypt ransomware if their users had just restarted the network. Here is a quick primer on the WannaCry destruction.

Ransomware 101. Ransomware locks a computer’s files, and the computer operator gets a message demanding payment of somewhere between $300 and $1 million, give or take a few bitcoin, to get the files released.

Malware called worms spreads ransomware attacks. How does malware get on a computer? The worm enters through a “hole” in the cybersecurity fence. How does a hole develop? Inattention. How do you fix holes? First, you have to monitor your fence line and know there is a hole. When you find a hole, you patch it. Then you — the vendor or IT specialist — send updates to users, if the patch cannot be applied automatically, reminding them to restart their computers or networks to install the patch. Just like that…fixed.[2]

The perfect storm of using outdated software, not looking for holes, and ignoring updates permits the nightmare of WannaCry ransomware to spread. One of the most exploited targets of WannaCry is a version of software that its vendor has not sold since 2008 or supported since 2014. Users who updated the exploitable software were safe. Those who did not update to acquire the patch may have been infected.

No solution is fail-safe. Nevertheless, at a minimum, use the tools provided to you by software vendors, IT technicians and NIST. The continued safety of the U.S. relies in part on keeping the infrastructure free of malware and fully patched. The Order has a wide range of obligations, analyses and goals that ultimately may not be achieved within the stated timeframe. There’s a patch for that.


[1] Software is treated as a one-time capital expense, depreciating over time. This pricing model ignores the reality that software is never truly finished — it always needs a new version or update to increase efficiency and reduce vulnerabilities. This aspect of the Order merits discussion, but not here, not now.

[2] The author clearly has a problem with holes in buckets also: https://www.beyondiplaw.com/2016/06/23/reputation-matters-dont-lose-opportunities-due-to-inaccurate-personal-data/