President Donald J. Trump issued an Executive Order on May 11, 2017 aimed at “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the “Order”).[1] The Order mandates federal governmental review of cybersecurity policies and practices in two distinct but related spheres: (1) the federal Executive Branch, which “operates its information technology (IT) on behalf of the American people,” and (2) “the owners and operators of the Nation’s critical infrastructure.” The Order also addresses, generally, consumer cybersecurity issues by highlighting the need to promote an “open, interoperable, reliable, and secure internet” and grow and train a workforce skilled in cybersecurity. Its primary purposes appear to be (1) collecting information the Administration believes it needs to formulate its cybersecurity strategies; and (2) identifying avenues of potential cooperation between the federal government and other entities that are central to preserving the nation’s security.
Mandated Review of Executive Branch Cybersecurity
The President’s Order states that “it is the policy of the Executive Branch to build and maintain a modern, secure, and more resilient executive branch IT architecture.” It instructs executive branch departments and certain high-level executive branch officials to take steps intended to strengthen the security of their departmental systems including:
- Requiring each agency to use the Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Framework”),[2] developed by the National Institute of Standards and Technology (“NIST”), to manage agency cybersecurity risk;
- Directing each agency head within 90 days to provide a “risk management report” to the Secretary of Homeland Security (“HS Secretary”) and the Director of the Office of Management and Budget (“OMB Director”);
- Directing the OMB Director and the HS Secretary to “jointly assess each agency’s risk management report” to determine the appropriateness and sufficiency of the risk mitigation and acceptance choices made in the reports; and
- Requiring the OMB Director and the HS Secretary, with support from the Commerce Secretary and the General Services Administrator, to submit to the President a plan to (a) protect the Executive Branch; (b) address unmet budget needs necessary to manage risk; (c) establish a regular process to assess Executive Branch risk management; (d) clarify, reconcile, and reissue agency policies, standards, and guidelines, as necessary; and (e) align such policies, standards, and guidelines with the NIST Framework.
The most significant development is the Order’s direction that federal agencies apply the NIST Framework to their operations. In 2013, President Obama ordered NIST to develop a voluntary framework that would guide critical infrastructure entities in their efforts to identify and address the particular cybersecurity risks faced by their organizations. By its very nature, the NIST project was intended as a collaboration between the government and industry, the idea being that by working together the public and private sectors could create an approach to security that would benefit all actors, even in the absence of comprehensive federal cybersecurity legislation.[3] The first version of the NIST Framework (Version 1.0) was released in February 2014;[4] a draft amended report was released for comment earlier this year.[5]
However, by directing federal agencies to employ the NIST Framework as part of their operations, President Trump’s Executive Order shifts the NIST Framework from a proposal under discussion and in development to something resembling a set of government-endorsed expectations about how cybersecurity is to be managed—a shift that presents potential benefits but also potential risks to private industry. How this change will affect the level and nature of public-private collaboration in the NIST Framework’s development remains to be seen. It is one thing for a group of interested public and private actors to collaborate on a proposal that, by agreement, is essentially a work-in-progress. Modifying the NIST Framework after it has attained the status of federal policy may well become a different kind of a process.
Mandated Review of Critical Infrastructure Cybersecurity
The President’s Order also includes directives regarding the “risk management efforts of the owners and operators of the Nation’s critical infrastructure.” The Order requires that the HS Secretary, in coordination with various agency heads, “identify authorities and capabilities” that may be used to support the cybersecurity efforts of critical infrastructure entities. Such “Critical Infrastructure Entities” include those identified pursuant to a 2013 Executive Order (the “2013 Order”) that highlighted “critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”[6]
That 2013 Order defined “critical infrastructure” broadly enough to encompass a wide array of industries, from utility and transportation companies, to defense contractors and manufacturers whose products are necessary to the continued operation of key industries, to health-related and educational institutions, to banks and other financial services companies. Section 9 of the 2013 Order concluded that some infrastructure entities—the Critical Infrastructure Entities—would pose graver threats to the nation’s interests if their networks were incapacitated or otherwise harmed by cyber attack, and directed that these especially critical entities be identified. Under the 2013 Order, a list of Critical Infrastructure Entities is provided to the President annually. President Trump’s Order directs the HS Secretary to solicit input from these Critical Infrastructure Entities to identify how the identified “authorities and capabilities” can effectively be implemented. Lastly, the HS Secretary must provide a report to the President, within 180 days, describing its efforts to support the “cybersecurity risk management efforts of” Critical Infrastructure Entities.
Two of the Order’s critical infrastructure directives apply to particular market segments. The first of these directives requires that, within 90 days, the HS Secretary and the Secretary of Energy prepare a report to the President regarding the capacity of the U.S.’s “electric subsector”[7] to manage a “significant cyber incident” against it that results in a “prolonged power outage.” In so doing, the Order builds upon former President Barack Obama’s Presidential Policy Directive 41 (“Directive 41”) from July 2016, which “set[s] forth principles governing the Federal Government’s response to any cyber incident,”[8] but did not specifically address the capacity of any particular sector, public or private, to respond to a cyber incident. The Order makes clear that the HS Secretary and the Energy Secretary must conduct their assessment, and prepare their report, in consultation with various stakeholders, including State, local, tribal, and territorial governments, and with “others as appropriate.”
The second industry-specific provision directs the Secretary of Defense, the HS Secretary, and the FBI Director, in coordination with the Director of National Intelligence, to report to the President within 90 days on cybersecurity risks facing the “defense industrial base.” This analysis of the “defense industrial base” will likely include assessment of relevant governmental entities (e.g., Department of Defense components), as well as domestic and foreign companies who perform under contract with the Department of Defense.[9]
The Order further requires—under the heading, “Supporting Transparency in the Market”—that the HS Secretary, in coordination with the Secretary of Commerce, assess the sufficiency of policies and practices governing disclosure of cybersecurity risk management practices by Critical Infrastructure Entities, in particular publicly-traded companies who operate critical infrastructure, and to report to the President within 90 days. Presumably, the conclusions of such a report might be used by governmental regulators to restructure regulatory requirements, in which case this report may have significant consequences for the disclosure obligations of publicly-traded companies who operate critical infrastructure.
Finally, the Order requires that the HS Secretary, along with the Commerce Secretary, work with agency heads and “appropriate stakeholders”—which includes any non-executive branch, private-sector representatives who elect to participate—to “improve the resilience of the internet and communications ecosystem . . . with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).” The HS Secretary and the Commerce Secretary must make public a preliminary report within 240 days (by January 2018), and submit a final version of the report to the President within one year.
“Cybersecurity for the Nation.”
The third, and final, section of President Trump’s Order requires certain Executive Branch heads to report within 90 days regarding “the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threat.” It instructs Executive Branch leaders from the State, Treasury, Commerce, and Homeland Security Departments, as well as the Attorney General and the FBI Director, to identify their cybersecurity priorities within 45 days; the Secretary of State must then submit a report to the President “documenting an engagement strategy for international cooperation in cybersecurity.”
As part of these more general cybersecurity initiatives, the Order issues “workforce development” directives to “ensure that the United States maintains a long-term cybersecurity advantage.” These directives require the preparation of three additional reports: (1) an assessment of “the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future,” due within 120 days to the President; (2) a review of “workforce development efforts of potential foreign cyber peers” in an effort to “identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness,” due within 60 days to the President; and (3) an assessment of the “sufficiency of [U.S.] efforts to ensure that [it] maintains or increases its advantage in national-security-related cyber capabilities,” due within 150 days to the President.
It is too early to predict what, if any, actual regulatory changes will come out of the information gathering and review process mandated by the Order. At least with regard to executive agencies, the Order is meant to move the NIST Framework from development to implementation as a set of best practices. Presumably, any lessons learned from the government’s implementation experiences could be passed along to NIST and to the private actors who were meant to benefit from the NIST Framework’s development. With respect to Critical Infrastructure Entities, the Order’s directives are more nuanced, citing values like “support” and “transparency,” while providing little detail about how the Administration intends to implement these values through policy. Thus, any prediction as to how the Trump administration will shape cybersecurity policies must await the results of the reports that are to be prepared pursuant to the Order, and the President’s reaction to them.