The Trump Administration has issued a much-anticipated Executive Order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” directing federal executive agency heads to undertake various cyber-related reviews and to report findings back to the White House within prescribed timetables. Unlike some of the Trump Administration’s executive orders receiving much attention in recent weeks, this new cybersecurity EO does not aim to unwind policies put in place or initiatives undertaken by the Obama Administration. In fact, subsequent steps by the Trump Administration following the new EO may well build upon the previous Administration’s efforts, which had assigned responsibilities to various executive departments serving as “sector specific” agencies for different sectors (energy, communications, transportation, and so on) with critical infrastructure.
For example, one noteworthy provision of the new EO requires the Secretary of Energy and other executive branch leaders to assess the potential risks of a prolonged power outage resulting from a cyberattack, and to gauge the power system’s readiness to manage such an attack. This direction implicates the Secretary of Energy’s emergency authorities in the event of a cyber incident, about which the Department of Energy has worked with the private sector. To determine whether and how existing authorities and capabilities can best be employed to manage cyber risks, the new EO also tasks the Secretary of Homeland Security and other federal leaders to work more broadly with owners and operators of other critical infrastructure assets for which a cybersecurity event could have catastrophic consequences.
As these examples suggest, in general, the new EO focuses on risk assessment, as opposed to actionable policy steps. Such assessments will inevitably require consultation with private stakeholders who are often at the front lines of cyber risk management. For that reason, the EO seems likely to provide a catalyst for a new round of engagement with the current Administration by private owners and operators of critical infrastructure.
For a more complete analysis of the new cyber EO, see Latham’s forthcoming Client Alert, which will include additional detail on the executive order and next steps for industry stakeholders.