Cybersecurity: An Executive Order and a Worst-Case Study

The WannaCry cyberattack that shut down an estimated 300,000+ computers in a single weekend provides a dramatic case study in the ever-increasing importance of cybersecurity. The resulting shutdown of English National Health Service medical facilities makes the real-world consequences of cyber threats all too clear.

WannaCry—ransomware that locks users out of their own computers unless they pay the hackers $300 in Bitcoin—takes advantage of a well-known, already-patched vulnerability in Windows. The malware spread rapidly among users who had failed to install the patch (as well as those using pirated copies of Windows, who do not have access to Microsoft’s security updates).

It’s still a developing story: as Reuters reports, a number of unexplained oddities remain around the attack, and some are pointing to possible North Korean involvement; meanwhile, Microsoft’s president has criticized the Government for “stockpiling” knowledge of this and other vulnerabilities, rather than immediately notifying Microsoft so that the threats could be patched.

But that’s a larger political debate. One way or another, Microsoft had learned of the vulnerability and made a patch freely available months prior to the attack. It appears that a relatively ordinary piece of malware spread globally in a perfect storm of bad security practices and known-but-unaddressed vulnerabilities. (NextGov has compiled a helpful list of proactive steps both public and private enterprises can take to protect themselves from the next such attack, and DHS recently showcased several cyber tools newly available to the private sector.)

The attack came just as the Trump administration’s long-anticipated cyber Executive Order (EO) at last debuted. Troublingly, although no U.S. agencies were hit this time, the EO notes that “known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies.” The EO calls for quick-turnaround reports from 14 agencies, some in as little as 90 days.

As Federal News Radio reports, the EO continues the Government’s trend toward shared services and centralization of IT assets, viewing federal IT as one large enterprise network. The goal, as the White House explains, is to bring an end to the environment in which “we have 190 agencies that are all trying to develop their own defenses.”

Also of note is the EO’s discussion of the defense industrial base as a whole, a recognition that federal contractors and their computer systems must be included in any comprehensive analysis of federal cybersecurity.

The White House has indicated that the Administration’s newly formed American Technology Council will take the lead in shoring up the Government’s cyber defenses.

It remains to be seen what form these efforts will take, but it’s easy to imagine that GSA’s recently added Highly Adaptive Cybersecurity Services (HACS) Special Item Numbers (SINs)—designed for precisely this type of work—could become an important contract vehicle for them. We encourage cybersecurity providers to review the HACS SINs; we provide a quick introduction and links for further reading in this post.