The Trump Administration appears likely to release an Executive Order on Cybersecurity. The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors. However, it remains unclear if and when the current draft will be signed.
President Trump was originally scheduled to sign an Executive Order on Cybersecurity on February 1, 2017, but the signing was postponed. The original draft Order, titled “Strengthening U.S. Cyber Security and Capabilities,” (the “first draft Order”) articulated a general policy focused on enhancing the nation’s cybersecurity defenses and capabilities, particularly with respect to specified federal systems and critical infrastructures. Specifically, the first draft Order directed the Department of Defense (“DOD”) and Department of Homeland Security (“DHS”)—in coordination with representatives of the intelligence community—to accomplish three main goals. First, to conduct a review of cybersecurity vulnerabilities in national security systems, federal networks, and critical civilian infrastructure systems. Second, to identify the United States’ cyber adversaries. Third, to conduct a review of the United States’ cybersecurity capabilities, including a review of “U.S. efforts to educate and train the workforce of the future.”
On Friday, February 10, 2017, a revised draft of the Executive Order was circulated. The revised draft Order, now retitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” (the “Revised Order”) is significantly different from the first draft Order and more closely aligns with Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” signed by President Obama on February 12, 2013. Like Executive Order 13636, the Revised Order focuses on an agency-led, risk-based approach to cybersecurity and, in particular, requires federal agencies to adopt the NIST Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”) to manage cybersecurity risk. The Revised Order also delegates primary responsibility for developing a comprehensive risk management plan to the Executive Branch, specifically the Office of Management and Budget (“OMB”) and DHS.
The Revised Order is organized around three substantive topics: cybersecurity of federal networks; cybersecurity of critical infrastructures; and cybersecurity for the nation. The portions of the Revised Order addressing the cybersecurity of federal networks and cybersecurity for the nation principally focus on government agencies’ networks. In contrast, the portions of the Revised Order addressing cybersecurity risks to critical infrastructure will more directly impact the private sector. The Revised Order also contains specific requirements directed at the Communications, Energy (particularly electricity), and the Defense Industrial Base critical infrastructure sectors.
Cybersecurity of Federal Networks
The Revised Order expressly states that “[e]ffective immediately, it is the policy of the United States to build a more modern, more secure, and more resilient Executive Branch [Information Technology] architecture.” The Revised Order recognizes that federal systems are “antiquated and difficult to defend”; that effective risk management requires collaboration across a multi-functional team of experts; and that federal systems require regular maintenance, patching, and improvement, as known but unmitigated vulnerabilities present some of the most significant risks to agency networks. To ensure these goals are met, the stated policy of the Revised Order—recently repeated verbally by the President—is to hold heads of executive departments and agencies accountable for managing cybersecurity risk to their enterprises. In addition, because an agency’s risk management decisions “can affect the risk to the executive branch as a whole,” the Revised Order delegates the comprehensive management of cyber risk of the “executive branch enterprise” to OMB and DHS.
Accordingly, the Revised Order directs the heads of federal agencies to provide a cybersecurity risk assessment and mitigation plan, consistent with the NIST Cybersecurity Framework, to OMB and DHS within 90 days of the signing of the Revised Order. (Heads of federal agencies overseeing national security systems are only required to “implement this order to the maximum extent feasible and appropriate.”) Subsequently, OMB and DHS are charged with assessing the agencies’ plans and developing and reporting enterprise-wide risk management recommendations to the President within 60 days of receipt of the agencies’ plans. In addition, the Revised Order requires the Assistant to the President for Intergovernmental and Technology Initiatives to coordinate a report to the President on modernizing the technological infrastructure of federal systems within 150 days of the signing of the Revised Order.
Cybersecurity of Critical Infrastructure
The Revised Order notes that it is the policy of the United States to ensure the government is “prepared to employ its authorities and capabilities to aid in the protection of the operation of critical infrastructure entities,” which are defined by reference to Presidential Policy Directive 21 (“PPD 21”). Accordingly, the Secretary of DHS—in coordination with other government leaders—is directed to identify authorities and capabilities the government could use to support the cybersecurity efforts of “critical infrastructure owners and operators,” particularly those most at risk of catastrophic attacks.
The Revised Order directs DHS to accomplish a series of tasks. First, DHS must work with other identified agencies to solicit input from critical infrastructure entities on whether and how to employ the government’s authorities and capabilities and any obstacles to doing so. DHS must report its findings within 180 days of the signing of the Revised Order. Consequently, private sector companies in the critical infrastructure sectors may see additional engagement with federal agencies.
Second, DHS must coordinate with the Department of Commerce (“DOC”) to examine existing federal policies and practices for promoting market transparency in risk management practices by critical infrastructure entities, particularly with respect to publicly-traded entities. DHS must report its findings within 90 days of the signing of the Revised Order. As a result, private sector companies in the critical infrastructure sectors may see the promulgation of additional incentives and requirements related to public disclosure of cyber risk management practices or cybersecurity information sharing.
The Revised Order also identifies additional requirements with respect to critical infrastructure entities in three sectors: Communications, Energy, and Defense Industrial Base.
Communications: DHS and DOC are required to identify and promote activities by the “core communications infrastructure” to increase resiliency of communications networks and reduce threats of outages by “automated and distributed” attacks; the Revised Order specifically identifies the creation of “botnets” as such a threat. (The Revised Order does not define “core communications infrastructure” and it is unclear which entities would be included in this definition.) DHS and DOC must create a report on these efforts and submit a final report to the President within one year of the signing of the Revised Order.
Energy: DHS and the Department of Energy (“DOE”) are required to assess the potential scope and duration of a “significant cyber incident” against the electricity subsector; the readiness of the United States to manage the consequences of any potential incidents; and any gaps or shortcomings in assets or capabilities to mitigate the consequences. The assessment must be provided to the President within 90 days of the signing of the Revised Order.
Defense Industrial Base: DHS, DOD, the Federal Bureau of Investigation (“FBI”), and the Director of National Intelligence (“DNI”) must create a report assessing cybersecurity risks to the defense industrial base and to military platforms, systems, networks, and capabilities. Like the Energy assessment, this report must be provided to the President within 90 days of the signing of the Revised Order.
Accordingly, private companies in the Communications, Energy, and Defense Industrial Base critical infrastructure sectors may see increased engagement with federal agencies, even beyond that expected for other sectors.
Cybersecurity for the Nation
The Revised Order provides that it is the policy of the U.S. to “promote an open, interoperable, reliable, and secure Internet.” The further policy of the U.S. is to foster efficiency, innovation, communication, and economic prosperity while respecting privacy and guarding against disruption, fraud, and theft. To promote this policy, the Revised Order directs the Secretaries of State, Treasury, Defense, Commerce, and Homeland Security, the Attorney General, and the United States Trade Representative—in coordination with the DNI—to draft a report on “strategic options for deterring adversaries and better protecting the American people” from those seeking to “defeat or undermine this policy.” This report must be submitted within 90 days of the signing of the Revised Order, and an additional report detailing continued coordination among stakeholders must be submitted within 180 days.