On May 11, 2017, President Trump signed an Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the “Order”). The long-anticipated directive was issued months after the White House originally planned to release a cybersecurity order in February. Since then, revised drafts of the order were circulated, including a version from February 10, 2017 (the “Revised Draft”) that differed significantly from the initial draft order, but aligned with Executive Order 13636, “Improving Critical Infrastructure Security,” which was signed by President Obama on February 12, 2013. With few exceptions, the Order signed yesterday mirrors the Revised Draft that we previously analyzed in our February 17, 2017 blog post titled “Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors.” Here, we highlight key differences between the Revised Draft and the final Order.
Section 1: Cybersecurity of Federal Networks
The first section of the Order continues to primarily address cybersecurity risk management and IT modernization within the executive branch consistent with the Revised Draft and Executive Order 13636 signed by President Obama. The Order incorporates nearly all of the Revised Draft’s language in this section, with minor exceptions.
For instance, the Order specifies additional content for risk management reports, such as requiring each agency to include an action plan for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity. The Order also departs from the Revised Draft by instructing the Director of the American Technology Council (a position recently established by an EO issued on May 1, 2017), rather than the Assistant to the President for Intragovernmental and Technology Initiatives, to “coordinate a report to the President . . . regarding [the] modernization of Federal IT.” Further, the modernization report must be completed within 90 days of the signing of the Order, not 150 days as initially stipulated in the Revised Draft.
Section 2: Cybersecurity of Critical Infrastructure
Minor changes were also made to the second section of the Order, which details the executive branch’s support for critical infrastructure. Section two of the Order now includes a paragraph titled “Resilience Against Botnets and Other Automated, Distributed Threats” that focuses specifically on the threats posed by botnets. Pursuant to the final Order, the Department of Homeland Security (“DHS”) and Department of Commerce (“DOC”) are directed to “identify and promote action by appropriate stakeholders . . . in the internet and communications ecosystem . . . with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g. botnets).”
Moreover, the final Order arguably requires DHS and DOC to work with a much broader group of stakeholders in fulfilling this mandate. The earlier draft order only required DHS and DOC to include stakeholders from “core communications infrastructure.” However, the final Order requires DHS and DOC to work with stakeholders, including owners and operators, throughout the “internet and communications ecosystem.” DHS and DOC are required to make public a preliminary report about these efforts within 240 days and submit a final report to the President within one year.
Section 3: Cybersecurity for the Nation
The third section of the Order includes new requirements relating to international cooperation not found in the previous drafts. The final Order also reincorporates a section from the first draft of the order focused on efforts to educate and develop a sustainable cybersecurity workforce.
With respect to international cooperation, the Order now recognizes that the U.S. is “especially dependent on a globally secure and resilient internet and must work with allies and other partners.” To that end, the Order directs the Secretaries of State, Treasury, Defense, Commerce, and Homeland Security, in coordination with the Attorney General and Director of the Federal Bureau of Investigation, to submit a report to the President outlining their international cybersecurity priorities, “including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation” within 45 days.
To encourage the sustained growth of the domestic cybersecurity workforce, the Order also instructs the Secretaries of Commerce and Homeland Security, in consultation with other agencies, to provide a report to the President within 120 days that assesses ongoing efforts to train and educate the “cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs.” The report must also include findings and recommendations that “support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.”
The Director of National Intelligence (DNI) and Secretary of Defense are also required to coordinate and submit their own reports relating to workforce development. The DNI’s report will focus on “foreign workforce development practices likely to affect long-term . . . cybersecurity competitiveness” in the U.S. and must be submitted within 60 days. The Secretary of Defense’s report will examine U.S. efforts to maintain or increase “its advantage in national security-related cyber capabilities.”
* * *
As we explained in our February 17, 2017 post analyzing the Revised Draft, the final Order reflects a continuation of the efforts by the previous administration to adopt a risk-based approach to cybersecurity, based in part on adoption by federal agencies of the NIST Framework for Improving Critical Infrastructure Cybersecurity to manage cybersecurity risk.