On May 11, 2017, President Donald Trump signed Executive Order 13800 (“EO 13800”), titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” This executive order constitutes the first significant action to address cybersecurity by the Trump administration. The executive order is divided into three sections addressing cybersecurity for federal networks, critical infrastructure, and the nation overall. The specific processes initiated build upon the existing federal framework for addressing cybersecurity risk management, while also calling for broad policy reviews by multiple U.S. government departments and agencies. Below we describe the three sections of the executive order and highlight areas of particular significance for the private sector.
Cybersecurity of Federal Networks
EO 13800 initiates a number of interagency processes to address cybersecurity challenges in both the public and private sectors. Under the executive order, the leaders of executive branch departments and agencies are directly accountable to the President for managing cybersecurity risk. At the same time, EO 13800 makes it U.S. policy to manage cybersecurity risk as “an executive branch enterprise,” insofar as risk management choices by a single agency head could have ramifications for the entire federal government.
Risk management is a central focus for federal cybersecurity. The executive order directs departments and agencies to apply the NIST Cybersecurity Framework and any successor documents to manage cybersecurity risk. Relatedly, agency heads must provide a risk management report to the Department of Homeland Security (“DHS”) and the Office of Management and Budget (“OMB”) within 90 days that “document[s] the risk mitigation and acceptance choices” adopted by each agency, as well as its “action plan to implement the Framework.” DHS and OMB will then evaluate each agency’s risk management report, determine whether the agency is taking appropriate actions to mitigate cybersecurity risks, and recommend any steps that are necessary to manage such risks to the executive branch. The Secretary of Defense and the Director of National Intelligence are also directed to provide a report addressing cybersecurity risk management for national security systems within 150 days.
EO 13800 also establishes a policy “to build and maintain a modern, secure, and more resilient executive branch IT architecture.” To accomplish this goal, the executive order directs the Director of the American Technology Council (“ATC”) to coordinate a report within 90 days that addresses the feasibility and cost-effectiveness of consolidating agencies’ network architectures and transitioning agencies to shared IT services. The White House Director for Strategic Initiatives, Christopher Liddell, is the current Director of the ATC.
Cybersecurity of Critical Infrastructure
EO 13800 recognizes the vital importance of supporting the cybersecurity risk management efforts of critical infrastructure owners and operators and takes several steps to evaluate current efforts and opportunities to provide enhanced support. The executive order specifically directs the Secretary of Homeland Security, in coordination with multiple departments and agencies, to identify legal authorities and capabilities that could be employed to support the cybersecurity efforts of particularly high-risk critical infrastructure targets, identified pursuant to Section 9 of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” EO 13800 also directs these same departments and agencies to “engage” with these entities and seek their input in evaluating whether and how specific authorities and capabilities could support cybersecurity risk management efforts. The executive order directs the Secretary of Homeland Security, in coordination with other departments and agencies, to provide a report within 180 days that identifies the relevant authorities and capabilities, highlights the results of private sector engagement, and provides “findings and recommendations for better supporting” these entities in their cybersecurity risk management efforts. This report will be updated for the President on an annual basis.
The executive order also establishes several projects to be pursued by both the Homeland Security and Commerce Departments to address critical infrastructure challenges. First, the executive order directs the Secretary of Homeland Security, in coordination with the Secretary of Commerce, to provide a report within 90 days that “examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities.” Second, the executive order directs the Secretary of Commerce and the Secretary of Homeland Security to lead a process to promote and encourage private sector stakeholders to take action to reduce threats from botnets and other automated or distributed attacks. The executive order requires consultation with the Chairs of the Federal Communications Commission and the Federal Trade Commission, among others, in generating this report. A final report on this effort is due within one year of the date of the executive order, with a preliminary report due within 240 days.
The executive order also contains other initiatives that focus on specific critical industries. For example, the executive order directs the Secretary of Energy and the Secretary of Homeland Security to assess and submit a report within 90 days addressing “the potential scope and duration of a prolonged power outage associated with a significant cyber incident” and the readiness of the United States to manage the impact of such an incident. The executive order also directs the Secretary of Defense, the Secretary of Homeland Security, and the FBI Director to provide a report within 90 days addressing “cybersecurity risks facing the defense industrial base, including its supply chain.”
Cybersecurity for the Nation
Pursuant to EO 13800, it is federal policy to promote an “open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.” To advance this goal, the executive order requires a report within 90 days with input from several agencies on options to deter adversaries and protect against cybersecurity threats. It also requires, within 45 days, reports from multiple departments and agencies identifying their respective international cybersecurity priorities and a subsequent report from the State Department 90 days after those reports are submitted, setting out “an engagement strategy for international cooperation in cybersecurity.”
Regarding workforce development, the executive order requires a report within 120 days from several agency heads with recommendations on how to grow and sustain the cybersecurity workforce in both the public and private sectors. It also requires a report within 60 days from the Director of National Intelligence on the cybersecurity workforce development efforts of “foreign cyber peers” and a report from the Secretary of Defense and other agency heads within 150 days to “assess the scope and sufficiency” of U.S. efforts to “maintain or increase its advantage in national-security-related cyber capabilities.”
Impact on the Private Sector
Although much of the executive order is focused on establishing intra-governmental processes for evaluating U.S. cybersecurity, several initiatives will have a direct impact on the cybersecurity of certain private sector entities.
Critical Infrastructure Entities: Critical infrastructure entities in particular will have an opportunity to directly engage with the government to identify established authorities and capabilities that could support cybersecurity efforts and the obstacles that could stymie further progress. The energy sector and the defense industrial base are mentioned for specific attention.
Marketplace Transparency Report: Public corporations that qualify as critical infrastructure may wish to track and review this report as it could presage additional scrutiny or requirements for publicly traded entities.
Multistakeholder Process: The process to be established by the Secretary of Commerce and the Secretary of Homeland Security to improve internet and communications resilience in the face of automated attacks is intended to be “open and transparent.” Private sector companies seeking to engage the government to address threats posed by “automated and distributed attacks” should consider participating in this effort.