By George Lynch
Some cybersecurity initiatives that feature prominently in the Obama administration’s exit memos may be expanded by President-elect Donald Trump, analysts told Bloomberg BNA Jan. 5.
Cybersecurity has moved from being an afterthought to center stage in the eight years since President Barack Obama took office in January 2009. That is reflected in the exit memos, which the President asked the leaders of cabinet-level departments and offices to create, listing their initiatives and detailing forward-looking challenges. Trump has acknowledged the importance of cybersecurity in general but hasn’t shared his opinion regarding most of the specific points outlined in the exit memos.
Although Obama doesn’t mention cybersecurity in his introductory letter to the exit memos, the vast majority of the memos focus on cybersecurity as a major issue.
“The Trump Administration will almost certainly expand on many of the cybersecurity programs and issues covered in a number of the cabinet exit memos,” Edward McAndrew, a cybersecurity partner at Ballard Spahr LLP in Philadelphia, told Bloomberg BNA Jan. 5.
However, Paul Tiao, partner in the Global Privacy and Cybersecurity Practice at Hunton & Williams, and former Senior Counselor for Cybersecurity to the FBI Director, told Bloomberg BNA Jan. 5 that Trump hasn’t “given the public a clear signal” about his cybersecurity priorities.
The inclusion of cybersecurity throughout the memos of so many agencies sends a clear message regarding the issue’s salience, Norma Krayem, senior policy adviser at Holland & Knight LLP in Washington and co-chair of the firm’s Cybersecurity and Privacy Team, told Bloomberg BNA Jan. 5. It “demonstrates the mainstream impacts cyber has on our economic, national and homeland security,” she said.
The Trump transition team didn’t respond to Bloomberg BNA’s e-mailed request for comment on the exit memos.
National security and commercial cross-border data transfers were a central focus in the memos, but other cybersecurity concerns also received attention.
The introductory letter emphasizes the “unprecedented collaboration” that the Obama Administration undertook with private industry, such as the National Institute of Standards and Technology (NIST) February 2014 Framework for Improving Critical Infrastructure Cybersecurity (Framework), and the agency memos are replete with other examples of government-private sector collaboration.
“But much work remains to be done and we can only hope that it will build on the foundation established by the Obama administration and take it to the next level,” Tiao said.
Marc Rotenberg, the president of the Electronic Privacy Information Center advocacy group, anticipates that the Trump administration will continue with private sector cybersecurity collaboration, especially with the implementation of the Cybersecurity Information Sharing Act, which was designed to shield companies from various liability risks that could be triggered by cybersecurity threat data sharing.
Trump has provided some continuity with his proposed Cyber Review teams, which would task public and private stakeholders across various sectors with carrying out across-the-board assessments of both the private sector and government cybersecurity policies. The proposal is similar to Obama’s Commission on Enhancing National Cybersecurity, which was created by executive order Feb. 9, 2016 as part of the Cybersecurity National Action Plan.
Krayem said that the issue is less about a complete revision of existing programs than about a need to elevate the collective response to growing cybersecurity threats, which requires collaboration with the private sector.
One critical area the Trump administration could look to expand will be “real time cyber-threat information sharing,” as discussed in memos from both the Department of Homeland Security and Department of Commerce, McAndrew said. “Enhancing the private sector’s cyber defense capabilities requires a much greater sharing of classified threat information,” he said.
Rotenberg said that personal data protection should be a central cybersecurity focus of the Trump administration. He suggested the creation of a federal agency dedicated to data protection.
The Department of Homeland Security devotes the most direct attention to cybersecurity issues in its memo, as would be expected from the department with the most direct responsibility in the area. DHS cites its expanding role in assisting the public and private sectors in defending against and mitigating the effects of cyberattacks. The memo said there have been “tangible improvements” in U.S. cybersecurity but concludes that much more is left to be done by the next administration.
The DHS report notes the efforts of the Obama administration in opening a cybersecurity dialogue with China. But the Department of State memo speaking of China said that the U.S. still has “areas of vigorous disagreement, including on cybersecurity.”
The Department of Justice memo details efforts to battle cybercrime, including indicting five officials in the Chinese People’s Liberation Army for hacking activity. The DOJ said it is vital that the Trump administration “continues building partnerships with the private sector to strengthen our cybersecurity.”
Law enforcement agencies are currently forced to triage national security and other types of cybercrimes, at the expense of other types of crime, McAndrew said. “Over the long term, that approach will have dire consequences for public safety.”
The national security implications of cybersecurity underpin the DHS cybersecurity. That approach is consistent with how Trump has addressed cybersecurity. But the ongoing debate between the President-elect and federal intelligence leaders about the role Russia allegedly played in cyberattacks against the U.S. has muddied the waters somewhat.
The Department of Commerce memo cited NIST’s Framework for Improving Critical Infrastructure Cybersecurity as a central development in setting baseline cybersecurity standards for the private sector.
Commerce pointed to the importance of cybersecurity in cross-border data transfers as fundamental to establishing the corporate and consumer confidence necessary to grow the digital economy. The Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules establish a system for mutual interaction of privacy and security laws of the 21 member countries. The U.S. and China are APEC members.
The importance of data transfers from the European Union is also cited in the Commerce memo. The EU-U.S. Privacy Shield, which allows for the legal transfer of personal data from the EU to the U.S. by U.S. companies that self-certify their compliance with privacy and security principles approved by the EU, is a crucial mechanism to support the more than $260 billion in trade in services between the U.S. and EU, Commerce said. The Privacy Shield was finalized in July 2016 as a replacement for the U.S.-EU Safe Harbor data transfer program relied on by over 4,000 U.S. companies and tens of thousands of EU business partners that was invalidated by the EU’s top court, in part, over cybersecurity concerns related to government access to transferred data.
Other departments and agencies also included cybersecurity in their discussions, including:
To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com
To contact the editor responsible for this story: Donald Aplin at email@example.com
The cabinet exit memos are available at https://www.whitehouse.gov/administration/cabinet/exit-memos.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.