Just days after President Trump signed his executive order on cybersecurity, the massive WannaCry attack dominated the news cycle. The assault infiltrated 150 countries, penetrating national networks and infrastructure.
A breach of such international scale has rightly raised questions about government preparedness for digital warfare. In answering these concerns, Trump’s executive order should not be forgotten. In fact, the White House has taken an important first step toward helping to safeguard America’s cybersecurity stature.
Making Cybersecurity a Real-World Issue
The very fact that President Trump has placed cybersecurity on his administration’s agenda is a powerful statement. For too long, it has been considered the preserve of geeks engaged in a virtual battle. The executive order sent a strong message that what happens in cyberspace has a direct impact on the real world. We can no longer afford to bury our heads in the sand. The fight must be taken up by decision-makers and administrators, as well as technical experts.
But that is not the only sense in which Trump’s directive has created order. The text itself set out a tangible timeline for action. Each government agency is required to carry out a cyber risk assessment, which must be submitted within 90 days. These reports will be subject to scrutiny and, in some cases, oversight will continue all the way up to the president himself. In other words, there is a schedule and a plan of action, which means that the directive is less likely to gather dust on the shelf. Given that WannaCry demonstrated unequivocally how urgently action is required, this represents significant progress.
A Benchmark for a Cybersecurity Strategy
Importantly, the executive order is also explicit on one specific standard to be applied as each agency undergoes its own cyber audit: Agencies have been instructed to use a framework developed by the National Institute of Standards and Technology (NIST), widely regarded as a rigorous benchmark. Holding each federal agency to such a standard creates a yardstick by which to measure vulnerabilities and gauge preparedness. This is a critical first step in creating a forward-thinking action plan. It establishes a basis on which to strategically allocate resources, develop techniques and deploy specific tools.
Having said all this, the executive order fails to address a number of key areas. For a start, it focuses on federal agencies. But what about individual states? Truly understanding cyberthreats means understanding that networks are linked. There is no neat distinction between federal and state as there is in government. After all, a breach in one state will quickly migrate to the next.
No Safety in Isolation
By the same token, the digital ecosystem not only includes the public sector but also crosses the boundary into the private sector, encompassing infrastructure and business. A significant attack on a transit system or power network is likely to cause mass panic and engender a sense of widespread chaos. The implications for public safety and order are clear.
Similarly, should financial institutions be breached, the ripples will be felt across the markets and the economy in general. Consequently, any directive aimed at enhancing national cybersecurity must also include specific guidelines and legislation governing elements of the private sector.
While the NIST benchmark is important, it focuses largely on the technological layers required to fight cybercriminals. Unfortunately, applying technology is no quick fix. Our enemies are becoming more sophisticated all the time, constantly developing new methods of attack. The latest protective tool, by itself, is only a bandage until the next time. Instead, a strong cybersecurity posture requires a holistic approach, which also incorporates best practices and modes of behavior.
Because cyber warfare is so dynamic, cross-agency intelligence sharing is required. It is critical that all relevant bodies are up to date with the very latest threat assessment and on the same page when it comes to combating tomorrow’s dangers. This cooperative approach must be at the heart of any future steps that follow the executive order.
Executive Order on Cybersecurity Starts the Conversation
Perhaps the most significant gap in President Trump’s executive order on cybersecurity is that it does not substantively address future steps. Trump’s directive cannot be treated as a one-time event. The reports mandated cannot be submitted in isolation — they must be the start of an ongoing assessment process. Furthermore, the agencies involved need to take part in ongoing training, simulated war games and other activities to sharpen preparedness.
Nonetheless, this should not take anything away from what is unquestionably a positive development in the fight against fraudsters. But failure to use it as a springboard to a more comprehensive strategy will ultimately place the U.S. at the mercy of those who wish to cause harm. After all, WannaCry was not a one-time event, either.