March 28, 2020

Trump Executive Order Embraces New Standards for Federal Cybersecurity

On May 12, 2017, the WannaCry ransomware attack made worldwide headlines and affected thousands of private entities and government agencies, including the National Health Service of the United Kingdom and wide-ranging targets in China and Russia. The day before the WannaCry attack started, President Trump signed the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (Executive Order) in an attempt to improve the state of cybersecurity in the US government and across the nation’s critical infrastructure industries. The Executive Order subjects US federal agencies to some of the same cybersecurity controls already being deployed by private industry. It includes three substantive sections covering cybersecurity for federal networks, critical infrastructure, and national preparedness.

In its first section, the Executive Order requires that all federal agencies immediately adopt the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST). This flexible framework is widely respected and is gaining traction with cybersecurity professionals. In another change, section one of the Executive Order holds heads of federal agencies directly accountable for managing cybersecurity risk to their enterprises – much as a CEO is responsible for data breaches at a company. Previously, responsibility was often assumed by an agency’s IT director.

Section one also mandates eventual movement of federal information technology to the cloud and its centralization into a single enterprise network, relying on shared cybersecurity controls. “We’ve got to move to the cloud and try to protect ourselves instead of fracturing our security posture,” said Homeland Security adviser Tom Bossert. “If we don’t move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts.” A number of bills before Congress would create funding for actions taken to modernize and implement federal systems based on this Executive Order.

The second section addresses federal support for the owners and operators of the nation’s critical infrastructure, as defined in President Obama’s Presidential Policy Directive 21, which includes utility distribution, financial and healthcare services, and telecommunications systems. The Secretary of Homeland Security has 180 days to report on vulnerabilities and proposed defenses. The Secretary will also consider how private sector companies can help reduce the threat of widespread malware attacks. On this topic, the Secretary has 240 days to issue a preliminary report and one year to issue a final report. In addition, various secretaries have 90 days to issue a joint report on the cybersecurity risks facing the defense industrial base, including its supply chain, and U.S. military platforms, systems, networks, and capabilities – along with recommendations for mitigating these risks.

The third part of the Executive Order calls for a report on policies to protect and promote a safer Internet and to develop a skilled cybersecurity workforce that can help defend the nation from future attacks and maintain a strategic long-term advantage.

Copyright Holland & Hart LLP 1995-2020.

About this Author

C. Matt Sorensen, Holland & Hart, regulatory compliance attorney, data breach management lawyer

Mr. Sorensen is a Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional in both the United States and Europe (CIPP/US and CIPP/E), focusing his practice on domestic and international data privacy and cybersecurity law. He advises companies across industries on breach prevention, cyber-attack preparedness, information governance, regulatory compliance, and data breach management. In particular, he helps clients understand how to create and implement effective compliance programs and controls...

Romaine C. Marshall, Holland & Hart, Software Technology Litigation Lawyer, Arbitration Attorney

Mr. Marshall is a litigation and trial attorney in the Salt Lake City office who represents businesses in the software, technology, financial and technical services, and energy and natural resources industries. He distills complex factual and legal issues to persuade judges, juries, and opposing parties effectively at trial and in arbitration. He also counsels clients on how to avoid the business expense and disruption of litigation and trial through settlement, pretrial dispositive relief, and other dispute resolution options. Mr. Marshall has represented clients in disputes before, and on behalf of, numerous federal and state agencies, including the SEC, FDIC, FBI, IRS, and the Utah Department of Insurance.

Prior to joining Holland & Hart, Mr. Marshall was a judicial law clerk for the Honorable J. Thomas Greene of the U.S. District Court for the District of Utah.

Software and Technology Litigation

  • Obtained injunctive relief and a favorable settlement for a telecommunications provider in a data breach and trade secret misappropriation case.

  • Successfully opposed attempts to cease the operations of a software company in California and defended the company's former CEO in Utah against claims of fraud, data theft, and trade secret misappropriation.

  • Successfully defended a software distribution and CRM company in California and negotiated the voluntary dismissal of all claims brought by a software manufacturer.