The Cybersecurity Executive Order, what it means for WannaCry and future breaches

deepak munjal / 05.22.17

The WannaCry ransomware attack has been all over the news this past week. It has infected hundreds of thousands of computers in close to 100 countries, shutting down hospitals in the UK and causing problems for companies as large as FedEx, and has so far earned the attackers at least $70,000 in ransom money.

This attack exploits the MS17-010 vulnerability in Microsoft’s Server Message Block protocol. Microsoft was already well aware of the problem and patched it across most versions of Windows back in March. I say most versions because they didn’t patch XP at the time, which was perfectly understandable since they stopped supporting XP three years ago and would prefer that no one was using it at this point. Of course lots of organizations continue using it regardless of Microsoft’s wishes, as this attack makes all too clear, leaving Microsoft with no option but to release a patch for XP this week.

At least as notable as WannaCry’s scale is that the tools to launch the attack were supposedly sourced through a hack of the NSA. If the National Security Administration can be so easily hacked, it implies government departments that don’t include the word “security” in their names are probably even more vulnerable.

So it was well timed that on May 11th of last week President Trump signed an Executive Order that seeks to improve cybersecurity across the federal government. It includes provisions for securing critical infrastructure, protecting against botnets and distributed attacks, and encouraging the development of more cybersecurity experts in the government’s workforce.

These provisions are all well and good, but this is hardly the first time they’ve been Executive Ordered. Take this EO President Obama issued in 2016:

https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/executive-order-commission-enhancing-national-cybersecurity

Or this one from 2013:

https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

Even the Bush administration was on it:

https://fas.org/irp/offdocs/nspd/nspd-54.pdf

High-level orders just like this one come out with every administration, and they all essentially say the same thing: Thou Shalt Assess and Protect. The problem is that the follow-through usually doesn’t deliver the resources agencies need to get it done.

In particular, the “botnets” research component of the order stands out as very odd. It feels almost like it was authored by someone who only very recently learned what a botnet is, was shocked to learn they existed, and now believes they’re the root of many problems. It’s entirely unclear why botnets are highlighted instead of APTs, malware, etc. Ransomware is particularly notable in its absence considering the timing of WannaCry.

The EO gives both the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) 60 days to assess how well the current state of federal cybersecurity lives up to all these provisions AND to create a full plan to tackle any and all weaknesses.

The first part of this, simply putting the audit reports together, shouldn’t be too difficult since agencies are likely to have most of this info on hand and will just need to assemble it. The bigger question is how OMB will manage to get through reports for every department of the federal government in only 60 days. Even if the reports are available tomorrow, and they won’t be, that timeframe is… ambitious. It really doesn’t seem to be informed by a solid understanding of practicalities.

If this Executive Order were part of a truly well-coordinated effort, it’d call for the hiring of a Federal CISO to work with all departments to ensure security is consistently implemented across the entire government. This person would be accountable for actually understanding the practicalities and dealing with them, which is key since accountability is trumpeted throughout the order.

Most agencies already have their own CISOs and significant security organizations in place. They not only work to keep their departments secure, but also act as a convenient place for department heads to point fingers when things go awry. The EO emphasizes that this isn’t acceptable and that department heads will have to take full responsibility for their security failures, just as a corporate CEO is held accountable if their own CISO fails to live up to their job.

Like so much else in this order, though, this is nothing new. Agency heads have been accountable for some time, so if anything this is really just a loud reiteration of accountability. FISMA (and related standards tied to it) is one example of where accountability has already been established. Without a Federal CISO to oversee everything, it’s hard to see how repeating that people will be held accountable will actually make them accountable.

Only time will tell if this new order will be any more successful than its near-identical predecessors at improving government security and keeping future WannaCry-level exploits from making their way into the wild.