The actors behind the WannaCry ransomware attack that swept through hundreds of thousands of computers at organizations around the world couldn't have timed their actions more ironically.
See Also: Ransomware: The Look at Future Trends
WannaCry first reared its head on May 12, the day after President Trump issued an anticipated executive order on federal government cyber security. The order essentially calls for two things: federal agencies assuming responsibility for securing their own enterprises, and a series of reports designed to take stock of the nation's security posture and readiness. Based on the way WannaCry evolved, moving through health care and government (and even some commercial) computing systems with impunity, there's clearly a lot of work to do on this front.
As with most federal declarations, the directive has been greeted with a mixture of support for the message it sends and skepticism that it will lead to any real improvement. That said, no one is downplaying the importance of the topic, or of the White House's role in making strong security a bigger priority.
Steven Weber, faculty director for the Center for Long-Term Cybersecurity and a professor in the U.C. Berkeley School of Information, wrote in a post for the legal blog Lawfare that Trump's directive at least makes important statements about the priority cyber security should be and the team effort required to do it successfully. If such messages take hold, Weber suggested, the directive could help to prevent future WannaCrys.
Clearly stating such philosophies, Weber wrote, "is a necessary step that will pay off in real action down the line."
Yet critics point to the directive's dearth of clear action paths, as well as its failure to loop in some of the most important security gatekeepers, as its weaknesses.
In an article for Slate, Emefa Addo Agawu, who leads the cyber security initiative for think tank New America, suggested that Trump's order ignores perhaps the most important lines of defense when it comes to protecting citizen data: city, county and state governments.
Trump's directive "included virtually no mention of these tiers of government," wrote Agawu. "That's deeply disappointing, because we can't afford for states and localities not to be part of the national cyber security policy conversation."
Specifically, Agawu pointed out that a section of the order calls for reports on educating, training and supporting the nation's future cyber security work force. But by leaving out any mention of state and local government, President Trump is underestimating the important role these layers of government play in addressing the industry's work force shortage. Agawu also argued that the order similarly underestimates the efforts of state and local government in securing infrastructure assets such as nuclear power stations, manufacturing plants, and financial institutions.
Even those who've complimented Trump's directive have done so in a back-handed sort of way.
Ben Flatgard, former National Security Council director for cyber security policy and one of the principal authors of the Obama administration's Cyber National Action Plan (CNAP), told Ars Technica that the order struck a strikingly familiar tone.
"My initial reaction to the order is, 'this is great,'" said Flatgard. "Trump just endorsed Barack Obama's cyber security policy."
Flatgard said that while the directive is sound in that, as it's written, it would progress some of the objectives of the CNAP, it "doesn't represent big, ambitious plans to really leap forward in terms of how we address cyber threats."
And big, ambitious plans are needed. The FBI's Internet Complain Center recently revealed that reported losses due to Internet crime last year totaled $1.3 billion. If that number's not big enough for you, consider that the Department of Justice estimates that only 15 percent of Internet-related crime gets reported to authorities. Demanding more accountability and reporting on the thoroughness and effectiveness of current security efforts is a good start. But at some point there will need to be action, and only time will tell if Trump's executive order is the trigger for that action.