Last Friday morning, the world saw one of the largest and most distributed cyberattacks in history. Known as WannaCry or WannaCrypt, the ransomware has infected more than 230,000 computers in 99 countries, according to Eyerys. Ransomware encrypts data on devices, blocking a user's access to the data until a fee is paid. This downtime can be life-threatening and extremely costly if the ransomware targets health care facilities or critical infrastructure.
Considering this danger, the timing of President Donald Trump’s executive order on cybersecurity, signed last Thursday, couldn’t be better. Although the directive isn’t perfect, it is a positive step in improving security online by holding leaders accountable and training more cyber professionals.
The WannaCry ransomware exploited a Microsoft Windows vulnerability for which a patch was issued in March of this year. Unfortunately, many organizations didn’t implement the patch, leaving their systems vulnerable to this malware. This is an unfortunate and continuing trend in far too many companies.
That such a devastating attack could come out of a vulnerability Microsoft attempted to fix recently is only a further reminder of how difficult it is for organizations to protect themselves in cyberspace. If an organization is going to use technology, it needs to be ready for the security responsibilities that come along with it.
The executive order will help push federal agencies in that direction by holding their leaders directly accountable to the president for their organizations’ digital security. Far too often in both the public and private sector, agency heads and CEOs have delegated responsibility to their IT departments. This transference of accountability results in the perception that cybersecurity isn’t important enough for high-level decision makers and therefore is not a priority.
The order also formally calls out the need to “educate and train the American cybersecurity workforce,” and in doing so creates a needed sense of urgency around this national security issue. It directs government agency leaders to assess their current educational and training efforts and provide recommendations to sustain America’s cybersecurity workforce over the long run. The sad reality is that U.S. simply does not have enough talented cybersecurity professionals in the workforce.
Notably, the language of the order mentions both education and training. Many of the cyber workforce challenges Americas faces can be overcome with focused training and skills-based certificate programs which are quicker, more efficient, and significantly less costly than formal education programs.
While the executive order sets ambitious goals for improving America’s cybersecurity, it falls short in establishing realistic deadlines for them. Deadlines, to be sure, are critically important for instilling urgency in any endeavor. But the chances of each federal agency providing a legitimate “risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order” are essentially zero. That is simply not enough time for agencies to budget, plan, conduct, and report on a comprehensive cybersecurity risk assessment.
The bureaucracy and inertia of the federal government will prevent it from reacting quickly to a task of this magnitude. Agencies may deliver their reports in 90 days, but they will almost certainly lack the granularity and veracity of better-designed risk assessments.
The order also sets unrealistic expectations for the Department of Homeland Security (DHS) to report to the White House on agency risk assessments; legal, policy, and budgetary considerations for new technologies; and ways that various government agencies can support the cybersecurity of critical U.S. infrastructure. While the order assigns many important cybersecurity responsibilities to the DHS, Trump has yet to appoint the key role of undersecretary for the National Protection and Programs Directorate, and the secretary of homeland security has yet to fill the critical positions of deputy undersecretary for cybersecurity and assistant undersecretary for cybersecurity and communications. These leadership gaps will make it difficult for the DHS to meet these expectations.
Even with its shortcomings, Trump’s executive order might provide some very tangible results if carried out with the gravity and attention it demands. The key will be in creating a positive sense of urgency without burning out government workers who are already operating at an extremely high tempo in this chaotic cybersecurity environment.
Mark Weatherford is chief cybersecurity strategist at vArmour.