Trump Cybersecurity Order Calls for Critical Infrastructure Review

By Jimmy H. Koo and Daniel R. Stoller

President Donald Trump May 11 signed a long-awaited executive order calling on the government to support owners and operators of critical infrastructure as they try to tackle growing cybersecurity risks.

The executive order, “Strengthening The Cybersecurity of Federal Networks and Critical Infrastructure,” is aimed at protecting U.S. critical infrastructure systems and federal information technology networks from growing cyberattack risks. Trump wants to use the executive branch, it said, “to support the cybersecurity risk management efforts of the owners and operators” of critical infrastructure.

According to the Department of Homeland Security, 16 critical infrastructure sectors were defined in 2013 in Presidential Policy Directive 21. Those include chemicals, commercial facilities, communications, manufacturing, emergency services, energy, defense, financial services and information technology, among others.

In addition to calls to strengthen critical infrastructure systems, the executive order directs agency heads to be responsible for cybersecurity management; asks the Secretaries of Commerce and Homeland Security to identify and promote action to increase internet resiliency; calls for an assessment of the cybersecurity workforce; and directs work with international allies to reach these goals.

Michael R. Overly, cybersecurity partner at Foley & Lardner LLP in Los Angeles, told Bloomberg BNA that the executive order “is designed for critical infrastructure entities, not all types of businesses.” However, “every company can benefit from reviewing the framework and, potentially, adopting relevant elements.” Overly worked with Trump adviser and former New York Mayor Rudy Giuliani during the order’s early stages.

Industry professionals had largely positive reactions. Harley Geiger, director of public policy at security data and analytics software company Rapid7, told Bloomberg BNA that the “cybersecurity EO appears broadly positive and well thought out—we support the order and believe it contains good and overdue goals.”

Riley Walters, research associate at the Heritage Foundation, called the order “fair.” He told Bloomberg BNA that it also shows that the Trump administration is turning its attention to web-connected devices. The section on resilience against botnets deals with connected devices, although it doesn’t specifically mention the internet of things, Walters said.

However, agency reports required by the order may have limited significance because some are due as soon as 90 days from now, Walters said. Among other things, the order directs government agencies to submit reports on cybersecurity risk management and mitigation; legal, policy and budgetary considerations; and timelines and milestones of agency transitions to consolidated network architectures and shared IT services.

Agency Head Responsibility

The executive order holds agency heads directly responsible for cybersecurity risk management. A 2017 Thales data threat report found that 95 percent of agencies viewed themselves at risk for a cyberattack, while 48 percent thought they were “extremely vulnerable.”

Steve Grobman, senior vice president and chief technology officer at Intel Corp.'s McAfee LLC in Santa Clara, Calif., told Bloomberg BNA that Trump is handling cybersecurity issues like a U.S. company would. Holding agency heads accountable—much like CEOs are responsible for a company’s security—is a “very positive development,” he said.

The executive order also calls on federal agencies to adopt the National Institute of Standards and Technology cybersecurity framework, which outlines five elements necessary for effective cybersecurity: identify, protect, detect, respond and recover. Each of the elements breaks down into additional categories that provide more specific cybersecurity guidance for companies and non-profits.

Ed McNicholas, partner at Sidley Austin LLP in Washington and the firm’s global privacy and cybersecurity practice leader, told Bloomberg BNA that the government’s use of the NIST cybersecurity framework across agencies is “exceptionally positive.” Many businesses “will find it easier to work with the government if the government and industry are using the same NIST framework,” he said.

Cybersecurity Workforce

Trump is also seeking to “ensure that the United States maintains a long-term cybersecurity advantage” by supporting the “growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objective in cyberspace,” according to the order’s text. The order calls for reports on the cybersecurity workforce from the secretaries of Commerce, Homeland Security and Defense, and from the national intelligence director.

David Brumley, director of CyLab and associate professor at Carnegie Mellon University, previously told Bloomberg BNA that there’s an inadequate pipeline of talent to fill all the necessary public and private sector cybersecurity jobs. However, the order may fix some of the workforce issues. Strong cybersecurity defenses require expansive security protocols, but also need “high caliber individuals” to protect their networks, Grobman said.

Focus on Deterrence

Under the order, the secretaries of State, Treasury, Defense, Commerce and Homeland Security, the attorney general, and the U.S. trade representative must coordinate with the director of national intelligence and submit a report within 90 days on U.S. deterrence options.

“We’ve seen increasing attacks from allies, adversaries, primarily nation-states, but also non-nation-state actors, and sitting by and doing nothing is no longer an option,” Homeland Security Advisor Tom Bossert said at a May 11 briefing.

In February 2016, then-President Barack Obama proposed a $19 billion Cybersecurity National Action Plan, which called for a $3.1 billion Information Technology Modernization Fund aimed at modernizing and replacing legacy information technology systems.

In March 2016, Rep. Ted Lieu (D-Calif.) pushed to fund that effort but his amendment was rejected by the House Budget Committee. Following that, Lieu worked with Rep. Will Hurd (R-Texas) to introduce legislation to help agencies modernize cybersecurity systems.

Hurd’s bill, the Modernizing Government Technology Act, passed the House by voice vote last fall but stalled in the Senate. Hurd has reintroduced a revised version of the bill in this Congress.

With assistance from George R. Lynch in Washington

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com and Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the executive order is available at http://src.bna.com/oMT

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.