On May 11, 2017, President Trump signed an Executive Order (EO) on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The EO provides a blueprint for how the Administration will approach certain cybersecurity vulnerabilities, at least in the near term. The EO requires a number of reports on cybersecurity risk management, pledges support to owners and operators of critical infrastructure, and requires the development of additional strategy for promoting cybersecurity.
What the EO Does
Focus on Federal Government Networks
As an Executive Order, the EO focuses predominantly on the executive branch. The EO declares that it is the “policy of the United States to manage cybersecurity risk as an executive branch enterprise.” While the EO does not elaborate on what exactly that means, the President appears to plan to use the regulatory and enforcement power of executive agencies to push the Administration’s cybersecurity agenda. For example, the EO states that the President will “hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.” This signals the importance that the Administration places on cybersecurity, and suggests that the President will take action if federal agencies fail to similarly make cybersecurity a priority.
To do so, as a first step, the EO requires executive department and agency heads to provide a “risk management report” to the Secretary of Homeland Security and the Director of the Office of Management and Budget within 90 days. The report must:
- Document the risk mitigation and acceptance choices made by each agency head, including the strategic, operational, and budgetary considerations that informed those choices, and any accepted risk, including from unmitigated vulnerabilities; and
- Describe the agency’s action plan to implement the Cybersecurity Framework adopted by the National Institute of Standards and Technology (NIST).
But other than a review of current policies and procedures and a requirement to issue future recommendations, there is little guidance that hints at substantive policy changes that could be made to influence how executive branch agencies function as a body. The EO requires agency heads to “show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.” The shift toward universally adopted systems could lead to increased collaboration between agencies, decrease potential entry points and vulnerabilities for bad actors to exploit, and thereby boost the security of federal networks. However, shared systems and tools could also provide a single access point to increased amounts of data, making for a more enticing target. How the various agencies plan to implement these shared systems going forward remains an open question.
Protecting Critical Infrastructure
The EO also focuses on critical infrastructure cybersecurity and prioritizes critical infrastructure at greatest risk, such as financial services and utilities.
The EO expresses the policy of the executive branch to “use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure.” Sector-specific agency heads, in coordination with the Secretary of Homeland Security, the Secretary of Defense, the Attorney General, the Director of National Intelligence, and the Director of the FBI, must provide a report to the President within 180 days detailing recommendations for “better supporting the cybersecurity risk management efforts” of critical infrastructure entities. The report must be updated annually.
The EO also requires reports in four main areas: (1) transparency in the marketplace; (2) resilience against botnets and distributed threats; (3) electricity disruption and incident response; and (4) cybersecurity risks facing the defense industrial base. Specifically:
- The Secretary of Commerce and the Secretary of Homeland Security have 90 days to provide the President with a report that “promote[s] appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities”;
- The Secretary of Commerce and the Secretary of Homeland Security are also tasked with identifying and promoting action by appropriate actors to address the growing threat of botnet attacks, and must make a preliminary report available to the public within 240 days and a final report to the President within one year;
- The Secretary of Energy and the Secretary of Homeland Security must report to the President within 90 days concerning the potential scope and duration of a prolonged power outage in addition to current readiness to respond to the incident; and
- The Secretary of Homeland Security and the Secretary of Defense must provide a report, within 90 days, detailing the cybersecurity risks faced by the defense industrial base.
Development of a Cybersecurity Strategy
The EO also broadly outlines the Administration’s policy for an Internet that remains open but secure, though it does not undertake to resolve the often mutually exclusive goals of openness and security. With respect to the security of the Nation, the EO requires a report outlining “the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.”
Finally, the EO indicates the need for workforce development in the area of cybersecurity and requires a report, within 120 days, detailing findings and recommendations regarding how to support growth and interest within both the public and private sectors in this area.
What the EO Does Not Do
Outside of requiring executive agencies to use the NIST Framework to manage risk, the EO does not mandate that any specific controls be implemented by any agency, department, or private enterprise. In addition, there is no mention of previous cybersecurity attacks that have infiltrated the public and private sectors alike.
Furthermore, the EO devotes a section to “Cybersecurity for the Nation” but does little to address or discuss specific areas of vulnerability for US citizens. For example, while botnets are mentioned, there is no reference to hacking via the Internet of Things or online identity theft, both of which pose significant security risks to individuals. Nor does the EO address privacy concerns or information sharing, as President Obama’s 2013 Executive Order on critical infrastructure did.
The EO is likely to be the first of several actions taken by the Administration to reduce or mitigate the country’s cybersecurity risk. Eversheds Sutherland will continue to monitor further developments as the President’s cybersecurity agenda continues to take shape.