President Donald Trump May 11 signed a long-awaited executive order calling on the government to support owners and operators of critical infrastructure as they try to tackle growing cybersecurity risks.
The executive order, “Strengthening The Cybersecurity of Federal Networks and Critical Infrastructure,” is aimed at protecting U.S. critical infrastructure systems and federal information technology networks from growing cyberattack risks. Trump wants to use the executive branch, it said, “to support the cybersecurity risk management efforts of the owners and operators” of critical infrastructure.
According to the Department of Homeland Security, 16 critical infrastructure sectors were defined in 2013 in Presidential Policy Directive 21. Those include chemicals, commercial facilities, communications, manufacturing, emergency services, energy, defense, financial services and information technology, among others.
In addition to calls to strengthen critical infrastructure systems, the executive order directs agency heads to be responsible for cybersecurity management; asks the Secretaries of Commerce and Homeland Security to identify and promote action to increase internet resiliency; calls for an assessment of the cybersecurity workforce; and directs work with international allies to reach these goals.
Michael R. Overly, cybersecurity partner at Foley & Lardner LLP in Los Angeles, told Bloomberg BNA that the executive order “is designed for critical infrastructure entities, not all types of businesses.” However, “every company can benefit from reviewing the framework and, potentially, adopting relevant elements.” Overly worked with Trump adviser and former New York Mayor Rudy Giuliani during the order’s early stages.
Industry professionals had largely positive reactions. Harley Geiger, director of public policy at security data and analytics software company Rapid7, told Bloomberg BNA that the “cybersecurity EO appears broadly positive and well thought out—we support the order and believe it contains good and overdue goals.”
Riley Walters, research associate at the Heritage Foundation, called the order “fair.” He told Bloomberg BNA that it also shows that the Trump administration is turning its attention to web-connected devices. The section on resilience against botnets deals with connected devices, although it doesn’t specifically mention the internet of things, Walters said.
However, agency reports required by the order may have limited significance because some are due as soon as 90 days from now, Walters said. Among other things, the order directs government agencies to submit reports on cybersecurity risk management and mitigation; legal, policy and budgetary considerations; and timelines and milestones of agency transitions to consolidated network architectures and shared IT services.
The executive order holds agency heads directly responsible for cybersecurity risk management. A 2017 Thales data threat report found that 95 percent of agencies viewed themselves at risk for a cyberattack, while 48 percent thought they were “extremely vulnerable.”
Steve Grobman, senior vice president and chief technology officer at Intel Corp.’s McAfee LLC in Santa Clara, Calif., told Bloomberg BNA that Trump is handling cybersecurity issues like a U.S. company would. Holding agency heads accountable—much like CEOs are responsible for a company’s security—is a “very positive development,” he said.
The executive order also calls on federal agencies to adopt the National Institute of Standards and Technology cybersecurity framework, which outlines five elements necessary for effective cybersecurity: identify, protect, detect, respond and recover. Each of the elements breaks down into additional categories that provide more specific cybersecurity guidance for companies and non-profits.
Ed McNicholas, partner at Sidley Austin LLP in Washington and the firm’s global privacy and cybersecurity practice leader, told Bloomberg BNA that the government’s use of the NIST cybersecurity framework across agencies is “exceptionally positive.” Many businesses “will find it easier to work with the government if the government and industry are using the same NIST framework,” he said.
Trump is also seeking to “ensure that the United States maintains a long-term cybersecurity advantage” by supporting the “growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objective in cyberspace,” according to the order’s text. The order calls for reports on the cybersecurity workforce from the secretaries of Commerce, Homeland Security and Defense, and from the national intelligence director.
David Brumley, director of CyLab and associate professor at Carnegie Mellon University, previously told Bloomberg BNA that there’s an inadequate pipeline of talent to fill all the necessary public and private sector cybersecurity jobs. However, the order may fix some of the workforce issues. Strong cybersecurity defenses require expansive security protocols, but also need “high caliber individuals” to protect their networks, Grobman said.
Under the order, the secretaries of State, Treasury, Defense, Commerce and Homeland Security, the attorney general, and the U.S. trade representative must coordinate with the director of national intelligence and submit a report within 90 days on U.S. deterrence options.
“We’ve seen increasing attacks from allies, adversaries, primarily nation-states, but also non-nation-state actors, and sitting by and doing nothing is no longer an option,” Homeland Security Advisor Tom Bossert said at a May 11 briefing.
In February 2016, then-President Barack Obama proposed a $19 billion Cybersecurity National Action Plan, which called for a $3.1 billion Information Technology Modernization Fund aimed at modernizing and replacing legacy information technology systems.
In March 2016, Rep. Ted Lieu (D-Calif.) pushed to fund that effort but his amendment was rejected by the House Budget Committee. Following that, Lieu worked with Rep. Will Hurd (R-Texas) to introduce legislation to help agencies modernize cybersecurity systems.
Hurd’s bill, the Modernizing Government Technology Act, passed the House by voice vote last fall but stalled in the Senate. Hurd has reintroduced a revised version of the bill in this Congress.
With assistance from George R. Lynch in Washington
To contact the editor responsible for this story: Donald Aplin at email@example.com
Full text of the executive order is available at http://src.bna.com/oMT
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.