May 17, 2017

Ari Schwartz discusses cybersecurity executive order with Cybersecurity Law Report

In a May 17, 2017, interview with Cybersecurity Law Report, Venable's Managing Director of Cybersecurity Services, Ari Schwartz, discussed the significance of the president's recently signed executive order on cybersecurity. Of the order, which was signed just before the worldwide WannaCry ransomware attack, Schwartz said, “some of the main pain points that people felt from WannaCry around the world are covered.” Noting that outside events often drive policy, he said, "President Obama had taken what the Bush administration had put forward and implemented that and then the problems changed…so in the second term we came up with a new set of actions based on what happened and the same thing will happen with the Trump administration. It is following up on what the Obama administration didn’t get to implement and then, the problems will change and the policies will change around that."

Getting into the specifics of the order, which requires federal agencies to produce a risk management report using the NIST framework, Schwartz said the standard was fairly established now, "but the fact that the Trump administration is so directly embracing it makes it clear that it's going to be the U.S. standard for risk management. No one was waiting around for that, but it is clearer now for those just developing a risk-management program – the Obama administration created it and the Trump administration is using it so that is what we should use too."

Discussing a section devoted to botnets, which stems from the 2016 Mirai botnet attack that led to a denial of service attack, Schwartz said, "We still have to worry about major denial of service attacks…Old problems don't go away because new ones pop up. I get concerned that people may forget about the last one when they focus on the new one" like the WannaCry attack. "Dozens of new threats are out there and we have to make progress on all of them at the same time." While he does not expect any immediate regulatory action from the order, he expects it "will lead to creation of best practices [especially] in the energy sector and [in addressing botnet threats] and those will become the standards of due care."