Obama Exit Memos Feature Cybersecurity; Trump Take Unclear

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

Some cybersecurity initiatives that feature prominently in the Obama administration’s exit memos may be expanded by President-elect Donald Trump, analysts told Bloomberg BNA Jan. 5.

Cybersecurity has moved from being an afterthought to center stage in the eight years since President Barack Obama took office in January 2009. That is reflected in the exit memos, which the President asked the leaders of cabinet-level departments and offices to create, listing their initiatives and detailing forward-looking challenges. Trump has acknowledged the importance of cybersecurity in general but hasn’t shared his opinion regarding most of the specific points outlined in the exit memos.

Although Obama doesn’t mention cybersecurity in his introductory letter to the exit memos, the vast majority of the memos focus on cybersecurity as a major issue.

“The Trump Administration will almost certainly expand on many of the cybersecurity programs and issues covered in a number of the cabinet exit memos,” Edward McAndrew, a cybersecurity partner at Ballard Spahr LLP in Philadelphia, told Bloomberg BNA Jan. 5.

However, Paul Tiao, partner in the Global Privacy and Cybersecurity Practice at Hunton & Williams, and former Senior Counselor for Cybersecurity to the FBI Director, told Bloomberg BNA Jan. 5 that Trump hasn’t “given the public a clear signal” about his cybersecurity priorities.

The inclusion of cybersecurity throughout the memos of so many agencies sends a clear message regarding the issue’s salience, Norma Krayem, senior policy adviser at Holland & Knight LLP in Washington and co-chair of the firm’s Cybersecurity and Privacy Team, told Bloomberg BNA Jan. 5. It “demonstrates the mainstream impacts cyber has on our economic, national and homeland security,” she said.

The Trump transition team didn’t respond to Bloomberg BNA’s e-mailed request for comment on the exit memos.

National security and commercial cross-border data transfers were a central focus in the memos, but other cybersecurity concerns also received attention.

Private Sector Collaboration

The introductory letter emphasizes the “unprecedented collaboration” that the Obama Administration undertook with private industry, such as the National Institute for Standards and Technology (NIST) February 2014 Framework for Improving Critical Infrastructure Cybersecurity (Framework), and the agency memos are replete with other examples of government-private sector collaboration.

“But much work remains to be done and we can only hope that it will build on the foundation established by the Obama administration and take it to the next level,” Tiao said.

Marc Rotenberg, the president of the Electronic Privacy Information Center advocacy group anticipates that the Trump administration will continue with private sector cybersecurity collaboration, especially with the implementation of the Cybersecurity Information Sharing Act, which was designed to shield companies from various liability risks that could be triggered by cybersecurity threat data sharing.

Trump has provided some continuity with his proposed Cyber Review teams, which would task public and private stakeholders across various sectors with carrying out across-the-board assessments of both the private sector and government cybersecurity policies. The proposal is similar to Obama’s Commission on Enhancing National Cybersecurity, which was created by executive order Feb. 9, 2016 as part of the Cybersecurity National Action Plan.

Krayem said that the issue is less about a complete revision of existing programs, but rather a need to elevate the collective response to growing cybersecurity threats, which requires collaboration with the private sector.

One critical area the Trump administration could look to expand will be “real time cyber-threat information sharing,” as discussed in memos from both the Department of Homeland Security and Department of Commerce, McAndrews said. “Enhancing the private sector’s cyber defense capabilities requires a much greater sharing of classified threat information,” he said.

Rotenberg said that personal data protection should be a central cybersecurity focus of the Trump administration. He suggested the creation of a federal agency dedicated to data protection.

National Security

The Department of Homeland Security devotes the most direct attention to cybersecurity issues in its memo, as would be expected from the department with the most direct responsibility in the area. DHS cites its expanding role in assisting the public and private sectors in defending against and mitigating the effects of cyberattacks. The memo said there have been “tangible improvements” in U.S. cybersecurity but concludes that much more is left to be done by the next administration.

The DHS report notes the efforts of the Obama administration in opening a cybersecurity dialogue with China. But the Department of State memo speaking of China said that the U.S. still has “areas of vigorous disagreement, including on cybersecurity.”

The Department of Justice memo details efforts to battle cybercrime, including indicting five officials in the Chinese People’s Liberation Army for hacking activity. The DOJ said it is vital that the Trump administration “continues building partnerships with the private sector to strengthen our cybersecurity.”

Law enforcement agencies are currently forced to triage national security and other types of cybercrimes, at the expense of other types of crime, McAndrews said. “Over the long term, that approach will have dire consequences for public safety.”

The national security implications of cybersecurity underpin the DHS cybersecurity. That approach is consistent with how Trump has addressed cybersecurity. But the ongoing debate between the President-elect and federal intelligence leaders about the role Russia allegedly played in cyberattacks against the U.S. has muddied the waters somewhat.

Data Transfers

The Department of Commerce memo cited NIST’s Framework for Improving Critical Infrastructure Cybersecurity as a central development in setting baseline cybersecurity standards for the private sector.

Commerce pointed to the importance of cybersecurity in cross-border data transfers as fundamental to establish necessary corporate and consumer confidence to grow the digital economy. The Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules, which establish a system for mutual interaction of privacy and security laws of the 21 member countries. The U.S. and China are APEC members.

The importance of data transfers from the European Union is also cited in the Commerce memo. The EU-U.S. Privacy Shield, which allows for the legal transfer of personal data from the EU to the the U.S. by U.S. companies that self-certify their compliance with privacy and security principles approved by the EU, is a crucial mechanism to support the more than $260 billion in trade in services between the U.S. and EU, Commerce said. The Privacy Shield was finalized in July 2016 as a replacement for the U.S.-EU Safe Harbor data transfer program relied on by over 4,000 U.S. companies and tens of thousands of EU business partners that was invalidated by the EU’s top court, in part, over cybersecurity concerns related to government access to transferred data.

Other Departments, Offices

Other departments and agencies also included cybersecurity in their discussions, including:

  •  the Department of Defense memo, which details efforts to prepare for electronic warfare and strengthening U.S. cybersecurity defenses;
  •  the Department of Energy memo, which cites the need to protect the electric grid from cyberattacks;
  •  the Department of Health and Human Services memo, which describes the challenge of securing protected health data;
  •  the Department of Treasury memo, which says the department is working with the financial services sector to improve cybersecurity;
  •  the General Services Administration memo, which focuses on cybersecurity improvements in cloud computing and federal contracting;
  •  the Office of Management and Budget memo, which describes federal agency information technology upgrades for better security;
  •  the Office of Personnel Management memo, which details remedial efforts in the wake of the data breach of federal worker records; and
  •  the Office of Science and Technology Policy memo, which noted the role of cybersecurity in leveraging the benefits of internet of things connected devices.
Interestingly, the Department of Transportation memo didn’t directly address cybersecurity in its discussions of autonomous vehicles and connected cars. Transportation has been criticized by some for not addressing data security, privacy and cybersecurity issues in formulating rules for the emerging technology.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The cabinet exit memos are available at https://www.whitehouse.gov/administration/cabinet/exit-memos.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security