On Thursday, President Donald Trump signed a long-awaited executive order on cybersecurity. It generally received good reviews (“a solid document (0)”), but it was immediately overtaken by events: an unprecedented ransomware attack that disrupted and damaged institutions, particularly hospitals and universities, and government agencies all around the world; at least 200,000 computers in more than 150 countries (1) were affected. In a ransomware attack, the malware encrypts the victim’s files and demands payment (in this case, in bitcoin) for the key needed to recover them.
First, on the executive order. Building on the work of the Obama administration, a key goal of the executive order was to mandate the upgrading of the government’s own cybersecurity systems. Heads of departments and agencies henceforth will be held “accountable for managing the cybersecurity risk of their enterprise (2).” The agencies were ordered to undertake a 90-day review of their computer systems security and report back steps to overcome vulnerabilities, which may result in a large price tag for the federal government.
The executive order also continues the process of establishing and coordinating public-private efforts to defend and protect critical infrastructure in the United States. It directs all federal agencies to adopt the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology. One important aim of the framework is to establish a common language for “understanding, managing[,] and expressing cybersecurity (3).”
Furthermore, and ironically given the turn of events within 24 hours of its publication, the executive order tasks a broad group of top US officials — secretaries of homeland security, state, defense, and treasury — to develop options for deterring cyber adversaries and attacks and create “an engagement strategy for international cooperation in cybersecurity (4).” It is in this sense that the new order, while solid so far as it goes, is still “a plan for a plan (5),” as noted by former Obama cybersecurity coordinator, Michael Daniel.
The worldwide cyberattack
Over the past several days, the press has documented the huge reach of the worldwide set of cyberattacks that began on Friday and have continued to the present day. Russia, Ukraine, and China appear to be the hardest hit, but reports have also come in from many other countries in Europe, Asia, and Africa. The US was less affected, largely because of the inadvertent discovery of a “kill switch” by a British security researcher: the malware checked whether a particular unregistered domain name resolved before spreading further, and once he registered that domain, new infections shut themselves down (6). Disrupted organizations ranged from Britain’s National Health Service to FedEx; Romanian car factories, Nissan, Telefonica, and Deutsche Bahn were also affected (7). Thus far, a much-feared second wave of follow-on attacks, for example a variant without the kill switch, has not occurred.
The source of the global assault appears to be an element of a hacking toolkit devised by the National Security Agency (NSA) and stolen by an obscure group calling itself the Shadow Brokers. The group first appeared last year when it dumped what seemed to be NSA spying tools onto the internet. In April, it published a specific tool, known as EternalBlue, that exploits a flaw in the SMBv1 file-sharing protocol built into Windows; the WannaCry ransomware bundled that exploit with a worm so that it could spread on its own to unpatched machines, particularly those running older versions of Windows. Although intelligence agencies have refused to disclose any details, outside experts believe that the exploit appears to originate with the NSA’s Tailored Access Operations unit (8), which penetrates and exploits foreign computer networks.
In March, a month before the dump, Microsoft had released a patch (security bulletin MS17-010) that closed the flaw, but as it turns out, many individuals and organizations did not apply the fix promptly, and versions no longer supported by Microsoft, such as Windows XP, received no patch at all until the company issued an emergency one after the attack began; hence their vulnerability this past weekend.
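As an added example, not part of the original commentary, the following PowerShell function lets an administrator check whether a Windows host still exposes the SMBv1 service that the worm abused and, if asked, switch it off. It assumes an elevated session on Windows 8.1 or Windows 10 (where the `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature` cmdlets exist and the optional feature is named `SMB1Protocol`); the function name `Test-Smb1Exposure` is my own. Disabling SMBv1 removes the exposed service but does not replace the vendor patch, which should still be applied.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell prompt on Windows 8.1 / Windows 10. Reports whether SMBv1 is
# still active on this host and, with -Remediate, turns it off.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Server-side switch: is the SMB server still willing to speak SMBv1?
    $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is the SMBv1 component installed at all? The feature is absent on some
    # builds, so tolerate a lookup failure and treat it as not installed.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State } else { 'NotPresent' }

    if ($Remediate) {
        if ($serverSmb1) {
            # Stops the server from negotiating SMBv1; takes effect immediately.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $serverSmb1 = $false
        }
        if ($featureState -eq 'Enabled') {
            # Removing the component requires a reboot to fully take effect.
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            $featureState = 'DisablePending'
        }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $serverSmb1
        Smb1FeatureState  = $featureState
        Exposed           = [bool]($serverSmb1 -or $featureState -eq 'Enabled')
    }
}

# Report only; add -Remediate to disable SMBv1 on the host.
Test-Smb1Exposure
```

Run it across a fleet (for example through `Invoke-Command`) to find the hosts that still answer SMBv1 on TCP port 445; those are the ones a self-propagating worm of this kind can reach, whatever the executive order says.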
This episode is still unfolding, and there is much we do not know about the ransomware attack. But here are two initial thoughts.
First, the past weekend’s events lend much greater urgency to the tentative, “plan for a plan” executive order the Trump administration announced last week. At a minimum, the deadlines given to cabinet secretaries and the individual departments and agencies should be advanced. Furthermore, thought should be given to creating a cybersecurity strategy centered on the White House. This would entail bestowing much greater authority on the White House homeland security adviser, Thomas Bossert, to crack the whip and oversee both the creation and execution of a comprehensive set of US cybersecurity strategies. This might require congressional assent and action.
Second, there needs to be a careful analysis of the means by which the White House and the NSA decide whether to exploit or reveal software flaws. Over the weekend, Microsoft directly attacked the NSA and Central Intelligence Agency for “stockpiling” and keeping secret software flaws that hackers can exploit. Brad Smith, the company’s president and chief legal officer, stated that the theft of NSA’s spying tool was the equivalent of “the US military having some of its Tomahawk missiles stolen.” Others have strongly defended the NSA and the Vulnerabilities Equities Process by which software flaws are screened for disclosure or exploitation. They note that the NSA clearly notified Microsoft in January, well before the April information dump. And they argue that the real culprits are the companies and organizations that failed to update their systems after Microsoft released the fix (9). Whatever the case in this instance, the Trump administration, as part of its commissioned reviews, should include a credible look at the existing process for deciding which flaws to disclose, not least to protect the integrity of the system from inevitable criticism from numerous foreign governments.