Two events affecting cybersecurity will have both immediate and lasting impact on cybersecurity, cyber policy and cyber requirements for companies for years to come.
Wannacry Ransomware Attack
The event with the most immediate impact on companies and inter connectivity is the ransomware attack which started Friday May 12, and as of time of publication affected at least 230,000 servers in 150 countries. The WannaCry attack is the most widespread and simultaneous cyber attack, locking up servers and demanding payment of $300 per server (payable in bitcoin).
The WannaCry attack allegedly exploited vulnerabilities that were disclosed in March 2017. The ransomware capitalized on certain exploits in standard Microsoft code.
The source of the exploit is less relevant than the direct impact on companies and servers that had not patched the vulnerability since Microsoft released an update in April. Those companies were held captive, often shutting down communications and contact until a decision to pay was made.
The scale of the attack was so comprehensive that in many ways, the impacted had difficulty finding legitimate sources to advise them on options. Information sharing analysis centers and organizations were overrun with questions and information, and it was difficult to sift through the information for companies to determine a course of action.
Government entities (both in the U.S. and aboard, where the impact was greater) also initiated outreach to private sector organizations, with various degrees of success. And of course even those companies who did not fall prey to the ransomware attack had to work all weekend to patch their own systems.
Even with these immediate impacts, the long term effects of the May 12 WannaCry attack will be much more severe. First, the scale and speed of this attack demonstrates that our interconnected way of life is only as protected as our least protected part of the cybersecurity ecosystem. Second, pressure now increases on the information security and technology teams to make sure their patches and security protocols are up to date. More importantly, the attacks exposed vulnerabilities within companies' own incident response plans. The cross-disciplinary incident response teams either were not immediately launched or were delayed because of inaccurate identification of a technology issues. In particular, legal advice may have been missing in the initial response. Furthermore, there may have no protocols to respond to ransomware attacks, or they did not calculate what would happen if the organization's "Crown Jewels" were locked up by ransomware (for example having a policy saying "we will never pay" ransom, or not having bitcoin accounts or the ability to facilitate bitcoin payments.)
The result of the WannaCry attacks will be increased scrutiny on incident response times, protocols, and decision escalation to management and boards of directors.
Cybersecurity Executive Order
The second event that will impact cybersecurity actually took place first; President Donald Trump released the much-anticipated Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
This Executive Order is a continuity of President Obama's multiple Executive Orders on cybersecurity rather than a departure on policy. The Order focuses significantly on federal agencies and their own cybersecurity readiness, including requiring agencies to adhere to the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity, and to provide assessments of cyber readiness and risk mitigation to the Secretary of Homeland Security and the Office of Management and Budget.
In addition to those internal exercises by federal agencies, there are several elements of the Executive Order that are germane to private sector companies.
Executive Order Impact on Private Sector
Federal agencies are encouraged to move to cloud computing environments as a first priority. This will increase the migration to cloud services for other companies, including supporting government services, and may provide related government contracting opportunities. It will also remove stigmas (if any) associated with using cloud services. For example, it is not clear that the WannaCry attack would have been successful in a cloud environment (its main target was servers), therefore all companies should evaluate those pros and cons accordingly.
Section 2 of the Executive Order focuses on critical infrastructure and private sector owners/operators. This section generally supports increased cybersecurity readiness and risk mitigation for critical infrastructure, and then identifies three areas of focus. First, federal agencies should promote a process to improve the resilience of the cybersecurity ecosystem and to encourage information sharing and collaboration with the goal of reducing threats perpetrated by automated and distributed attacks (e.g., botnets).
The second area of focus is to assess the electrical disruption incident response capabilities of the U.S. electric subsector of critical infrastructure. This too builds on the previous administration's focus on public utilities, and their potential vulnerabilities.
The third area of focus is another repeat area of cyber interest -- the defense industrial base (DIB), with a report on industry readiness due in 90 days. The DIB has had more significant cyber controls required of it in relative to other critical infrastructure sectors. With that said, the real substantive action – in the short term – for the DIB in the need to get their systems NIST 800-171 compliant by December 2017. This DFARS requirement is much more significant for DIB companies, and the Executive Order did not change that requirement throughout the supply chain life cycle.
In addition to these three specific areas on infrastructure improvements, there is a section on improving workforce education and training on cybersecurity. All companies should work to enhance training and education in order to bolster the front line of defense.
The Executive Order will create increased pressure on critical infrastructure owners/operators to ensure cybersecurity readiness and risk mitigation, not only on those discrete areas of focus. Evidenced by the WannaCry attack, the cyber ecosystem is only as protected as its least protected element.
Both the Executive Order and the post-action analysis of the WannaCry attack provide opportunities for companies to assess their cyber readiness, their incident response plan (incorporating business continuity plans), while using the NIST Framework as a baseline to assess readiness and responsiveness. That would be a very useful exercise, particularly in light of potentially increasing demands for contracting with the U.S. federal government.
For more information on the WannaCry attack and cybersecurity insurance, please see Jenner & Block's alert.
For more information on the cybersecurity Executive Order, please see Jenner & Block’s alert.