November 17, 2017

November 17, 2017

Subscribe to Latest Legal News and Analysis

November 16, 2017

Subscribe to Latest Legal News and Analysis

November 15, 2017

Subscribe to Latest Legal News and Analysis

November 14, 2017

Subscribe to Latest Legal News and Analysis

White House Issues New Cybersecurity Executive Order

On May 11, 2017, President Trump signed an Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the “Order”).  The long-anticipated directive was issued months after the White House originally planned to release a cybersecurity order in February.  Since then, revised drafts of the order were circulated, including a version from February 10, 2017 (the “Revised Draft”) that differed significantly from the initial draft order, but aligned with Executive Order 13636, “Improving Critical Infrastructure Security,” which was signed by President Obama on February 12, 2013.  With few exceptions, the Order signed yesterday mirrors the Revised Draft that we previously analyzed in our February 17, 2017 post titled “Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors.”  Here, we highlight key differences between the Revised Draft and the final Order.

Section 1:  Cybersecurity of Federal Networks

The first section of the Order continues to primarily address cybersecurity risk management and IT modernization within the executive branch consistent with the Revised Draft and Executive Order 13636 signed by President Obama.  The Order incorporates nearly all of the Revised Draft’s language in this section, with minor exceptions.

For instance, the Order specifies additional content for risk management reports, such as requiring each agency to include an action plan for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity.  The Order also departs from the Revised Draft by instructing the Director of the American Technology Council, a position recently established by an EO issued on May 1, 2017, instead of the Assistant to the President for Intragovernmental and Technology Initiatives to “coordinate a report to the President . . . regarding [the] modernization of Federal IT.”  Further, the modernization report must be completed within 90 days of the signing of the Order, not 150 days as initially stipulated in the Revised Draft.

Section 2:  Cybersecurity of Critical Infrastructure

Minor changes were also made to the second section of the Order, which details the executive branch’s support for critical infrastructure.  Section two of the Order now includes a paragraph titled “Resilience Against Botnets and Other Automated, Distributed Threats” that focuses specifically on the threats posed by botnets.  Pursuant to the final Order, the Department of Homeland Security (“DHS”) and Department of Commerce (“DOC”) are directed to “identify and promote action by appropriate stakeholders . . . in the internet and communications ecosystem . . . with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g. botnets).”

Moreover, the final Order arguably requires DHS and DOC to work with a much broader group of stakeholders in fulfilling this mandate.  The earlier draft order only required DHS and DOC to include stakeholders from “core communications infrastructure.”  However, the final Order requires DHS and DOC to work with stakeholders, including owners and operators, throughout the “internet and communications ecosystem.”  DHS and DOC are required to make public a preliminary report about these efforts within 240 days and submit a final report to the President within one year.

Section 3:  Cybersecurity for the Nation

The third section of the Order includes new requirements relating to international cooperation not found in the previous drafts.  The final Order also reincorporates a section from the first draft of the order focused on efforts to educate and develop a sustainable cybersecurity workforce.

With respect to international cooperation, the Order now recognizes that the U.S. is “especially dependent on a globally secure and resilient internet and must work with allies and other partners.”  To that end, the Order directs the Secretaries of States, Treasury, Defense, Commerce, and Homeland Security, in coordination with the Attorney General and Director of the Federal Bureau of Investigation, to submit a report to the President outlining their international cybersecurity priorities, “including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation” within 45 days.

To encourage the sustained growth of the domestic cybersecurity workforce, the Order also instructs the Secretaries of Commerce and Homeland Security, in consultation with other agencies, to provide a report to the President within 120 days that assesses ongoing efforts to train and educate the “cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs.”  The report must also include findings and recommendations that “support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.”

The Director of National Intelligence (DNI) and Secretary of Defense are also required to coordinate and submit their own reports relating to workforce development.  The DNI’s report will focus on “foreign workforce development practices likely to affect long-term . . . cybersecurity competitiveness” in the U.S. and must be submitted within 60 days.  The Secretary of Defense’s report will examine U.S. efforts to maintain or increase “its advantage in national security-related cyber capabilities.”

As we explained in our February 17, 2017 post analyzing the Revised Draft, the final Order reflects a continuation of the efforts by the previous administration to adopt a risk-based approach to cybersecurity, based in part on adoption by federal agencies of the NIST Framework for Improving Critical Infrastructure Cybersecurity to manage cybersecurity risk.

© 2017 Covington & Burling LLP

TRENDING LEGAL ANALYSIS


About this Author

Weiss Nusraty, Covington, cybersecurity lawyer, national security matters attorney
Associate

Weiss Nusraty advises clients on cybersecurity and national security matters, including cyber and data security incident response, and government and internal investigations.

Mr. Nusraty joined Covington from the U.S. Department of the Treasury where he served as a Policy Advisor within the Office of Terrorism and Financial Intelligence. In that role, Mr. Nusraty developed and implemented strategies on a range of matters, including financial sanctions, anti-money laundering and counter-terrorist financing. He worked closely with the intelligence...

202-662-5703
Jennifer R. Martin, Covington, cyber incident response lawyer, forensics consulting attorney
Of Counsel

Jennifer Martin has worked at the intersection of law and cybersecurity for the past 15 years. Her expertise in this area has been uniquely honed through her experience managing cyber risks and responding to threats from a variety of perspectives: as the director of cyber incident response and operations, and as lead in-house internal investigations counsel at Symantec; as a managing director of a top cybersecurity and forensics consulting firm; and as a federal and local cybercrime prosecutor and policymaker.

As both in-house counsel and as a private consultant, Ms. Martin has managed and advised a multitude of organizations on cyber risk mitigation and information management, and has personally developed the people, processes, and holistic programs necessary for operational excellence, internal investigations, and crisis management. She has supervised countless cyber incident response matters, including data breaches, insider thefts of trade secrets, and intrusions, from initial detection through containment, notification, recovery and remediation. She is recognized for her skill in building effective cross-functional teams comprised critical stakeholders—impacted business units, and legal, technical, and communications departments. In addition, she has advised executive leadership on programmatic strategies for mitigating cyber risk, and on evolving legal, regulatory and ethical expectations and requirements.

212 841 1018