What does the new order do?
On May 11th 2017, President Trump signed a new cyber security executive order that holds each federal agency and department head accountable for the cyber security risk to their enterprise, an initiative intended to better protect the federal government's critical data and systems. It outlines the cyber-risk reporting requirements that agencies must adhere to and names the framework that they'll use as the standard.
Trump’s order notes that “it is also the policy of the United States to manage cyber security risk as an executive branch enterprise.” Regardless of the actual effectiveness of the order, it is encouraging that the government is taking steps to understand the risks, improve its network security, and unite security protocols across the departments.
The framework selected to manage the agencies’ cyber security risk is the Framework for Improving Critical Infrastructure Cybersecurity* developed by the National Institute of Standards and Technology (NIST). “The Framework focuses on using business drivers to guide cyber security activities and considering cyber security risks as part of the organization’s risk management processes.”
The risk report, due in the next 90 days, must “document the risk mitigation and acceptance choices made by each agency head, including:
- The strategic, operational, and budgetary considerations that informed those choices; and
- Any accepted risk, including from unmitigated vulnerabilities; and
- Describe the agency’s action plan to implement the Framework”
You can read more about the new executive order on CNET.com here.
Last week's major attack underscores the stakes
With the recent “WannaCry” ransomware attack that blitzed more than 200,000 victims in at least 150 countries, it’s about time the US government started taking cyber security more seriously. Attackers allegedly stole a tool from the U.S. National Security Agency and took advantage of a vulnerability in the Microsoft Windows operating system to spread the ransomware. Systems that had not received a security patch released back in March were left exposed.
Victims included FedEx and Chinese universities, with the majority of the attacks targeting Russia, Ukraine, and Taiwan. Sixteen National Health Service organizations in the U.K. were also hit, and several of the facilities were forced to cancel outpatient appointments and tell people to avoid emergency departments. The NHS noted, however, that there was no evidence that patient information had been compromised.
Though the initial WannaCry attack has subsided, ransomware and other types of cyber-attacks are continuing to trend upward. All organizations need to be well prepared.
How can private organizations follow the lead?
Organizations around the world should take note and follow the direction set by the President's executive order: better understand the cyber risks the company faces, develop an action plan to address those risks, and then remain vigilant by continually reassessing the identified risks, the security processes, and the risk management policies and procedures.
Want to learn more about effectively managing risk on an organizational level? We've developed a series of long-form resources on Enterprise Risk Management and the need to implement it in an organization.
Here are a few articles to get you started:
*The Framework was updated on April 16th, 2018, after the publication of this post.