Had it not been for the 2015 federal cybersecurity sprint, it’s very possible federal agencies would have been hit by the WannaCry ransomware, the acting head of U.S. federal IT said Wednesday.
Acting U.S. CIO Margie Graves said the cyber sprint the federal government undertook after the Office of Personnel Management breaches two years ago emphasized agencies’ abilities to “scan your environment almost immediately and report back within 24 hours … to know that vulnerability existed in advance.”
The 30-day sprint, issued by then-U.S. CIO Tony Scott, required agencies to immediately patch vulnerabilities, accelerate the use of multifactor authentication and deploy other security protocols provided by the Department of Homeland Security.
“How would that have helped you last weekend” when the WannaCry ransomware infected more than 200,000 people and organizations in more than 150 countries, Graves asked Wednesday at the Public Sector Innovation Summit presented by VMware and produced by FedScoop and StateScoop.
“Well, I tell you, it did help the federal government, because to date, I have not heard of a federal government victim of this particular incident,” she said to a round of applause from the audience.
“We picked the things in the cyber sprint for a reason, because they were primary threat vectors, and we knew we needed to fix them,” Graves added.
After her keynote, Graves told reporters she had a “swell of emotion” knowing the federal government, at least so far, was able to escape the havoc of WannaCry.
“We looked at our assets, we got vulnerabilities out,” she said. “Not that something else can’t happen, because there are always zero-day attacks. But we started to march down this pathway and it’s starting to show results. Some things are starting to come to fruition.”
Graves and her federal IT colleagues understand, though, that there is no end in the race to secure systems against cybercriminals and hackers, and therefore their work continues.
“It’s never done … you’re never really done, but you have to understand what the prioritization is and just keep marching down that path and eventually try to get ahead of that curve,” she said — particularly when “the bad guy’s job, unfortunately, is getting easier and cheaper.”
So another cyber sprint isn’t out of the question.
“[W]e certainly can run one again — though I wouldn’t wish that on anybody trying to do all of that in 30 days,” Graves said.