On May 11, 2017, President Trump signed an Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the “Order”).  The long-anticipated directive was issued months after the White House originally planned to release a cybersecurity order in February.  Since then, revised drafts of the order were circulated, including a version from February 10, 2017 (the “Revised Draft”) that differed significantly from the initial draft order, but aligned with Executive Order 13636, “Improving Critical Infrastructure Security,” which was signed by President Obama on February 12, 2013.  With few exceptions, the Order signed yesterday mirrors the Revised Draft that we previously analyzed in our February 17, 2017 blog post titled “Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors.”  Here, we highlight key differences between the Revised Draft and the final Order.

Section 1:  Cybersecurity of Federal Networks

The first section of the Order continues to primarily address cybersecurity risk management and IT modernization within the executive branch consistent with the Revised Draft and Executive Order 13636 signed by President Obama.  The Order incorporates nearly all of the Revised Draft’s language in this section, with minor exceptions.
Continue Reading White House Issues New Cybersecurity EO

The Trump Administration appears likely to release an Executive Order on Cybersecurity.  The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors.  However, it remains unclear if and when the current draft will be signed.

President Trump originally was scheduled to sign an Executive Order on Cybersecurity on February 1, 2017, but the signing was postponed.  The original draft Order, titled “Strengthening U.S. Cyber Security and Capabilities,” (the “first draft Order”) articulated a general policy focused on enhancing the nation’s cybersecurity defenses and capabilities, particularly with respect to specified federal systems and critical infrastructures.  Specifically, the first draft Order directed the Department of Defense (“DOD”) and Department of Homeland Security (“DHS”)—in coordination with representatives of the intelligence community—to accomplish three main goals.  First, to conduct a review of cybersecurity vulnerabilities in national security systems, federal networks, and critical civilian infrastructure systems.  Second, to identify the United States’ cyber adversaries.  Third, to conduct a review of the United States’ cybersecurity capabilities, including a review of “U.S. efforts to educate and train the workforce of the future.”

On Friday, February 10, 2017, a revised draft of the Executive Order was circulated.  The revised draft Order, now retitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” (the “Revised Order”) is significantly different from the first draft Order and more closely aligns with Executive Order 13636, “Improving Critical Infrastructure Security,” signed by President Obama on February 12, 2013.  Like Executive Order 13636, the Revised Order focuses on an agency-led, risk-based approach to cybersecurity and, in particular, requires federal agencies to adopt the NIST Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”) to manage cybersecurity risk.  The Revised Order also delegates primary responsibility for developing a comprehensive risk management plan to the Executive Branch, specifically the Office of Management and Budget (“OMB”) and DHS.
Continue Reading Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors

On February 9, 2017, six Democratic senators wrote to DHS Secretary John Kelly about their concerns over a Trump executive order that would remove Privacy Act protections for non-U.S. citizens and lawful permanent residents.

Senators Ed Markey (MA), Ron Wyden (OR), Jeff Merkley (OR), Al Franken (MN), Chris Coons (DE), and Mazie Hirono (HI) wrote that Section 14 of the order would make it easier for government agencies to share non-citizens’ personal information with Congress and the public.
Continue Reading Senators Seek Answers from DHS on Privacy Aspects of Trump Order, Including Privacy Shield

On January 25, 2017, President Trump signed a new Executive Order on Enhancing Public Safety in the Interior of the U.S.  Among other elements, the Executive Order directs U.S. government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” but only if doing so is “consistent with applicable law.”

This prompted certain commentators, such as Member of the European Parliament Jan-Philipp Albrecht, to question whether the Executive Order would have an impact on the robustness of the EU-U.S. Privacy Shield data transfer framework.
Continue Reading European Commission Dismisses Privacy Shield Concerns Over Trump Executive Order

By Caleb Skeath

During the White House’s inaugural Summit on Cybersecurity and Consumer Protection last Friday, President Obama signed an executive order designed to facilitate increased information sharing between the private sector and the federal government.  The order follows the introduction of the Cyber Threat Sharing Act of 2015 in the Senate, an information-sharing bill modeled on the legislative proposal released by the White House in January.

Continue Reading President Obama Signs Executive Order to Encourage Information Sharing

By Ashden Fein and Randall Friedland

On Friday, President Obama signed an Executive Order directed at securing consumer transactions and sensitive data, improving consumer identity theft remediation, and better securing personal information on federally run websites.  Among the security measures, the President ordered that all federal government-issued credit cards be equipped, as soon as possible, with chip-and-PIN technology.  Chip-and-PIN technology, commonly used in Europe, makes cloning cards and reusing stolen card data for in-person fraud more difficult than with magnetic-stripe cards: the chip embedded in the card generates a unique code for every transaction, and the cardholder must enter a PIN (as with a debit card), adding another layer of security.  Further, the Executive Order requires all retail payment card terminals at federal agencies to be able to accept chip-and-PIN technology by January 1, 2015.
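To make the mechanism concrete, the following is an added illustrative model, not code from the Executive Order, the blog post, or any payment network, of why a per-transaction chip cryptogram resists replay and tampering where a static card number does not.  It is a toy loosely modelled on the EMV idea of an issuer-keyed cryptogram over transaction data; it is not EMV, it substitutes HMAC-SHA256 for the actual EMV cryptogram derivation, and the card number, key, terminal challenges and amounts are constructed sample values.

```python
"""Toy model of a chip card's per-transaction cryptogram (added illustration,
not EMV and not code from the original page).  The chip holds a key that
never leaves it and a transaction counter; the issuer, which shares the key,
checks that each cryptogram is bound to the amount, the counter and the
terminal's challenge.  HMAC-SHA256 stands in for the real EMV derivation.
All keys, card numbers, nonces and amounts are constructed sample values."""
import hashlib
import hmac


class Chip:
    """The card's secure element: per-card secret plus a monotonic counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan    # card number: static and printable, like a magstripe
        self._key = key   # the secret that never leaves the chip
        self.atc = 0      # application transaction counter

    def authorize(self, amount_cents: int, terminal_nonce: str, pin_ok: bool) -> dict:
        """Produce one transaction message, or refuse if PIN entry failed."""
        if not pin_ok:
            raise PermissionError("PIN verification failed; no cryptogram issued")
        self.atc += 1
        data = f"{self.pan}|{amount_cents}|{self.atc}|{terminal_nonce}".encode()
        tag = hmac.new(self._key, data, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce, "cryptogram": tag}


class Issuer:
    """Bank side: knows each card's key, recomputes the MAC, tracks counters."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def register(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def verify(self, msg: dict, nonce_terminal_sent: str) -> tuple[bool, str]:
        key = self._keys.get(msg["pan"])
        if key is None:
            return False, "unknown card"
        if msg["nonce"] != nonce_terminal_sent:
            return False, "nonce mismatch"          # message from another session
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return False, "replayed or stale counter"
        data = f"{msg['pan']}|{msg['amount']}|{msg['atc']}|{msg['nonce']}".encode()
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "bad cryptogram"          # tampered, or wrong key
        self._last_atc[msg["pan"]] = msg["atc"]
        return True, "approved"


def demo() -> dict:
    """Run the honest flow and five attacks; return the issuer's verdict for each."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    card = Chip("4111111111111111", key)                       # constructed PAN
    issuer = Issuer()
    issuer.register(card.pan, key)
    nonce1, nonce2 = "a1b2c3d4", "e5f6a7b8"   # terminal challenges (constructed)
    verdict = {}

    tx = card.authorize(2599, nonce1, pin_ok=True)

    # Amount altered in transit: the MAC covers the amount, so it fails.
    verdict["tampered_amount"] = issuer.verify(dict(tx, amount=25999), nonce1)[1]
    # Genuine message: approved, and the issuer records ATC = 1.
    verdict["genuine"] = issuer.verify(tx, nonce1)[1]
    # Captured message replayed at a terminal that issued a different challenge.
    verdict["replay_other_terminal"] = issuer.verify(tx, nonce2)[1]
    # Captured message replayed against the original challenge: counter is stale.
    verdict["replay_same_terminal"] = issuer.verify(tx, nonce1)[1]
    # Attacker has the PAN (e.g. from a magstripe skim) but not the chip's key.
    clone = Chip(card.pan, bytes.fromhex("ffeeddccbbaa99887766554433221100"))
    clone.atc = 10   # any fresh counter value; the key is still wrong
    verdict["clone_without_key"] = issuer.verify(clone.authorize(100, nonce2, True), nonce2)[1]
    # Wrong PIN: the chip never produces a cryptogram at all.
    try:
        card.authorize(100, nonce2, pin_ok=False)
        verdict["wrong_pin"] = "cryptogram issued"
    except PermissionError:
        verdict["wrong_pin"] = "refused by chip"
    return verdict


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

Running the script prints the issuer's verdict for each case.  The point the post makes survives the simplification: a card number skimmed from a magnetic stripe carries no proof of possession, whereas producing an acceptable cryptogram requires the key held inside the chip, a fresh counter value, the terminal's challenge and a successful PIN entry, so a captured or altered authorization is rejected rather than honoured.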

Continue Reading President Obama Signs Executive Order Aimed at Protecting the Security of Consumer Financial Transactions

Today the National Institute of Standards and Technology (“NIST”) issued a discussion draft of a “Preliminary Cybersecurity Framework.”

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity tasked NIST with developing a “Cybersecurity Framework” “to reduce cyber risks to critical infrastructure.”  The Order specifies that the Framework must “provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”

NIST is drafting the Framework in consultation with industry, other government agencies, and other experts.  The final version will provide voluntary cybersecurity guidance for critical infrastructure and other business.  NIST describes the Framework as providing “a common language for expressing, understanding, and managing cybersecurity risk.”

As described by the NIST discussion draft, the Framework is intended to guide businesses through a risk-based assessment and improvement of their cybersecurity posture.  The discussion draft Framework is organized around three issues: the Framework Core, Implementation Tiers, and Profile.

Continue Reading NIST Releases Preliminary Cybersecurity Framework

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directs the National Institute of Standards and Technology (“NIST”) to develop a Cybersecurity Framework of standards, methodologies, and processes for addressing cybersecurity risk.  It also charges the Department of Homeland Security with developing a Critical Infrastructure Cybersecurity Program to promote adoption of the Cybersecurity Framework by critical

In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of critical infrastructure.  President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills.  After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation.  In the subsequent months, the White House sought industry input on the Order.

The Order has two main components: increasing information sharing from the government to the private sector and establishing a Cybersecurity Framework to buttress the security of critical infrastructure. 

Continue Reading President Obama Issues Cybersecurity Executive Order

In the wake of the Senate’s failure to pass comprehensive cybersecurity legislation in August and amid continued discussion about the possibility of a cybersecurity executive order, Senator Jay Rockefeller has sought information directly from Fortune 500 companies. 

Senator Rockefeller has urged President Obama to issue a cybersecurity executive order, but in a letter