Acting U.S. CIO Margie Graves said that thanks to the 2015 federal cybersecurity sprint, federal agencies were able to avoid the devastating WannaCry ransomware virus that infected more than 200,000 people and organizations in over 150 countries.
When asked at the Public Sector Innovation Summit how security protocols implemented in the 30-day sprint, including the use of multi-factor authentication, the deployment of security protocols provided by the Department of Homeland Security, and agency knowledge of vulnerabilities and patches within 24 hours, would have helped in the WannaCry attacks, Graves emphasized that the sprint “did help the federal government because to date, I have not heard of a federal government victim of this particular incident.”
Her comments were met with a round of applause.
The 2015 30-day cybersecurity sprint was instituted after the Office of Personnel Management suffered a high-profile breach that may have affected as many as 20 million people. Graves emphasized Wednesday that agencies’ cyber safety depends on their ability to “scan your environment almost immediately and report back within 24 hours” and “to know that vulnerability existed in advance.”
“We picked the things in the cyber sprint for a reason, because they were primary threat vectors, and we knew we needed to fix them,” said Graves. She told reporters after the summit that agencies looked at their assets and “got vulnerabilities out.”
“Not that something else can’t happen, because there are always zero-day attacks,” said Graves. “But we started to march down this pathway and it’s starting to show results. Some things are starting to come to fruition.”
As GovConWire previously reported, last week President Donald Trump signed an executive order designed to strengthen the cybersecurity of the federal government. The order requires the National Institute of Standards and Technology (NIST) to provide a cybersecurity process framework that all federal agencies comply with, and imposes a 90-day process for the implementation of that framework.
After the protocol is agreed on, every federal agency will be given 90 days to meet a number of goals and benchmarks, as well as present a plan for how they will implement the NIST framework.
Industry experts and federal employees met at a workshop hosted this week at the National Institute of Standards and Technology in Gaithersburg, Maryland, to hammer out the details of the new federal cybersecurity framework draft requested by President Donald Trump in his executive order.
“It’s never done … you’re never really done, but you have to understand what the prioritization is and just keep marching down that path and eventually try to get ahead of that curve,” said Graves of cybersecurity implementation. For cyber criminals, their jobs are “unfortunately… getting easier and cheaper.”