US President Donald Trump this month signed an executive order that aims to increase protection for US essential services in case of a cyber attack that results in “catastrophic regional or national effects on public health or safety, economic security, or national security”.
The order is particularly targeted at the operators of critical infrastructure — including chemicals manufacturers, communications companies, emergency services and energy providers. It demands an investigation into the effect of a prolonged power cut due to a cyber attack and the risks facing “the defense industrial base, including its supply chain, and US military platforms, systems, networks, and capabilities”.
“The executive order gets several things right,” says Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, a US think-tank. It correctly assesses, he adds, that critical infrastructure is “antiquated and difficult to defend”.
“Our dependence on connected technology has grown faster than our ability to secure it,” Mr Woods says. “In the past year we have seen a simple phishing campaign lead to the Democratic National Convention breach; low-cost, ‘low-hygiene’ devices threaten internet infrastructure through the Mirai botnet; and the vulnerability of our public health and critical infrastructure exposed by the . . . WannaCry ransomware.”
Mr Trump’s pronouncement builds on an Obama-era order in 2013 that led to the creation of the National Institute of Science and Technology’s Cybersecurity Framework. This provided guidelines for essential industries ranging from banking to utilities. President Trump took office vowing to improve the nation’s cyber security after an election campaign riven by hacks and online data leaks. But his plans before signing the order were unclear, leaving security experts guessing at his intentions from the wording of an initial draft and the appointments of key personnel.
Mr Trump’s knowledge of the subject was in question as he once dismissed the Russian hack on his political rival, the Democratic National Committee, as perhaps being the work of a single “400-pound hacker”. The US Intelligence Community, a federation of government agencies, has since released a document that states with “high confidence that Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election” and with a “clear preference” for Mr Trump. Officials have since said that President Trump has acknowledged Russia’s role in hacking the election campaign.
In spite of this, experts from think-tanks and companies have praised Mr Trump’s recruitment of cyber security specialists to senior positions. These include Tom Bossert — a former national security aide to President George W Bush and a fellow at the Atlantic Council — who is now a homeland security adviser; and Rob Joyce, a technical specialist who used to run offensive operations at the National Security Agency and now leads cyber security at the White House.
Edward Stroz, a former FBI agent who is president of Stroz Friedberg, which advises companies on cyber security, says the order is particularly good for recognising that critical infrastructure is the “crown jewels” that need to be protected. “It is pretty concrete for a document of this nature.”
The order considers the software systems and suppliers that support services such as “dams and generators”, encouraging critical infrastructure providers to examine the ecosystems they rely on to be sure that they can keep running in emergencies, Mr Stroz says.
He adds that the order makes it clear to directors of private companies that they cannot simply argue the threat is too great to cope with and that they must be prepared to defend their cyber security risk management decisions.
Last year a distributed denial of service attack by the Mirai botnet on Dyn, a relatively small company that provides domain name services to websites, brought down several high-profile sites, including the New York Times, Airbnb and Twitter. “You realise anybody can be surprised in this area,” Mr Stroz says.
The order also requires a modernisation of government IT — including big changes to procurement — and places more responsibility on the heads of government agencies and departments. It builds on lessons learnt from several large-scale cyber attacks during the tenure of President Obama. These ranged from the hack into the systems of the Office of Personnel Management, the human resources arm of the federal government, which targeted the data of 18m people, to the assault against the State Department’s email systems, reported to have been carried out by Russian hackers.
Within 90 days of the order, signed on May 11, the head of each government agency is required to provide a risk management report to the Department of Homeland Security. This should detail how they have reached their decisions on cyber security measures, including any budget considerations and what they have decided constitutes “accepted risk”.
James Lewis, senior vice-president at the Center for Strategic and International Studies, a non-profit policy research group, says the order is a “useful start” but only if government can move quickly. He cautions that implementation is likely to be slow as many of the political posts responsible for cyber security in strategic departments, including defence, justice and homeland security, remain unfilled.
He adds that the spread of the WannaCry virus this month “shows how in some ways we haven’t made very much progress in more than a decade”.
1. On Friday May 12 2017, mobile operator Telefónica was among the first large organisations to report infection by WannaCry
2. By late morning, hospitals and clinics across the UK began reporting problems to the national cyber incident response centre
3. In Europe, French carmaker Renault was hit; in Germany, Deutsche Bahn became another high-profile victim
4. In Russia, the ministry of the interior, mobile phone provider MegaFon, and Sberbank became infected
5. Although WannaCry’s spread had already been checked, the US was not entirely spared, with FedEx being the highest-profile victim