On May 11, 2017, President Donald J. Trump signed a long-awaited executive order on cybersecurity. The order, entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” is largely directed at the federal government, but includes several changes that implicate the private sector as well.
Below is a summary of the various provisions in the report and some key takeaways.
Cybersecurity of Federal Networks
- Agency Risk Management Reports: The Executive Order states that the heads of Executive Branch agencies and departments will be held accountable for managing their agencies’ cybersecurity risks. To that end, agency heads are directed to submit a report within 90 days to the Secretary of the Department of Homeland Security (“DHS”) and the Director of the Office of Management and Budget (“OMB”) detailing their risk management measures, including what risks they have chosen to mitigate or accept and why those particular decisions were made, and how precisely they will implement the NIST Framework.1 The Secretary of DHS and the Director of OMB will then review those reports and advise the President as to whether the agency heads are taking appropriate steps to ensure their agencies’ cybersecurity.
- Implementing the NIST Framework: Agencies will be required to implement the NIST Framework, and must submit their plans for doing so to the White House and DHS within 90 days.
- Plan to Secure Federal Networks: In addition to providing the President with their assessments of the various agency risk management reports, the Secretary of DHS and Director of OMB must submit their own plans to the President to protect federal IT networks, including obtaining the necessary resources and legal authorities for doing so.
- Shared Services and Networks: Agency heads must show preference for shared IT services in procurement policies and decisions, including cloud and cybersecurity services.
- Modernization of Federal IT Systems: The Director of the newly-created American Technology Council must submit a report to the President within 90 days that provides a plan for upgrading the federal government’s legacy IT systems, including using shared services where practicable and even transitioning some or all civilian agencies to consolidated networks. The American Technology Council was created by Executive Order No. 13,794 on April 28, 2017. Operating under the umbrella of the White House Office of American Innovation, its Director is Chris Liddell, former CFO of Microsoft. For defense and intelligence networks, a parallel process is created.
- Supporting High-Risk Infrastructure: The Secretary of DHS, with the aid of the Department of Defense, law enforcement, and intelligence agencies, must report to the President on the areas of critical infrastructure at greatest risk for attack, and identify the authorities and capabilities necessary to improve their security.
- Report on Market Transparency: The Secretary of DHS is directed to report to the President within 90 days on whether current “market transparency” of critical infrastructure cybersecurity risk management is “appropriate,” particularly as it relates to publicly-traded entities.
- Botnet Mitigation: The Secretaries of Commerce and DHS, along with other agencies, including the Federal Communications Commission, are directed to lead a collaborative effort with the private sector to take steps to reduce the threat of botnets and other automated denial of services attacks. Within 240 days of the date of the order, a report on this effort must be made public.
- Assessment of Electricity Disruption Incident Response: The Secretaries of Energy and DHS are directed to assess within 90 days the potential impact of a prolonged power outage, and the plans to prevent, respond to, and mitigate the effects of such an event.
- Defense Industry Risks: A report must be provided within 90 days on the risks specific to the defense supply industry, including both civilian and military networks.
National Defense and Readiness
- Deterrence: The order calls for the Secretaries of State, Treasury, Defense, Commerce, DHS, the US Trade Representative, and the Attorney General, in coordination with the Director of National Intelligence, to submit a report on the ways in which we can deter our adversaries in cyberspace.
- International Priorities and Cooperation: The Secretaries of State, Treasury, Defense, Commerce, and DHS, in consultation with the Attorney General and FBI Director, are directed to submit reports to the President within 45 days outlining their international cybersecurity priorities, including investigation and attribution of cyber attacks as well as capacity-building and cooperation.
- Assessment of Workforce Needs: The Secretaries of Commerce and DHS are directed to submit various reports assessing the state of our current cyber workforce training efforts, in both the civilian and military spaces, and what we can do to improve them.
The order establishes cybersecurity as a top priority of the new Administration. In announcing the order, White House Homeland Security Advisor Tom Bossert signaled a desire to accelerate efforts within the federal government and the private sector to improve cybersecurity. It is unclear, however, whether the order will have much short-term impact. The order requires well over a dozen reviews, assessments, and reports from various federal agencies, but is fairly limited in the immediate actions it mandates. Only one of the reports commissioned by the order—the one on botnet mitigation—is mandated to be publically released.
Also notable is the fact that the Administration has chosen civilian agencies—namely DHS and OMB—to play the lead role with regard to federal IT infrastructure, as opposed to the military. This had been a subject of debate over recent months and even years, and reports on previous draft versions of the order indicated that the Administration had been considering placing this responsibility with the Department of Defense.
The order draws heavily from the recommendations of President Obama’s Commission on Enhancing National Cybersecurity (the “Commission”), which issued its report in December 2016. Tom Donilon, Senior Of Counsel to O’Melveny, chaired the Commission, and Sam Palmisano, former Chairman, President, and CEO of IBM Corporation, served as Vice Chair.