Data Protection Report - Norton Rose Fulbright

On May 11th, 2017, the White House released an executive order on strengthening the cybersecurity of federal networks and critical infrastructure (the “Order”).  The Order marks the administration’s first successful effort to address cybersecurity, after an earlier draft executive order on cybersecurity was postponed in January.

The Order is divided into three substantive sections covering the cybersecurity of federal networks, the cybersecurity of critical infrastructure, and cybersecurity for the nation.

A summary of each section is as follows:

Cybersecurity of Federal Networks

  • The Order places responsibility for the cybersecurity of federal networks on federal agency heads.
  • Federal agency heads must implement risk-based cybersecurity measures using the NIST Framework for Improving Critical Infrastructure Cybersecurity.
  • Agency heads must provide a risk management report documenting these efforts to the Secretary of Homeland Security and the Office of Management and Budget (or, for National Security Systems, the Secretary of Defense and the Director of National Intelligence) for approval. The Secretary of Homeland Security and the OMB must then submit a report to the President with the agencies’ risk determination and its own plan for addressing the cybersecurity of the executive branch.
  • The Order calls for the modernization of the executive branch’s IT architecture, with an emphasis on procuring shared IT services when possible.

Cybersecurity of Critical Infrastructure

  • Relevant departments must identify ways to support critical infrastructure entities that are at the greatest risk of cyberattack.
  • Federal practices and policies will be reviewed to promote transparency of cyber risk management practices in critical infrastructure entities.
  • The Order calls for improving the resilience of the internet and communications ecosystem of critical infrastructure entities, to enable such entities to better defend against cyberattacks.
  • Relevant departments must review and assess the potential impact of an incident that would cause a major power outage, including the ability of the United States to respond to such an incident.
  • Relevant departments must provide a report to the President identifying risks to the US defense industrial base, and a plan for mitigating those risks.

Cybersecurity for the Nation

  • The Order requests reports on the United States’ options for deterring cyber threats to the American people, as well as on international cybersecurity priorities, including how to work with international agencies to facilitate information sharing, investigation, and cooperation in the event of a cyberattack.
  • Relevant departments must assess the current state of the cybersecurity workforce and create a plan for sustaining and promoting cybersecurity education and training to promote private and public sector growth in this area.
  • The Order directs relevant departments to report on the United States’ ability to maintain or increase its advantage over other nations in cybersecurity-related national security matters.

Our Take

Many of the aforementioned reports are due within 90 days of the date of the Order, at which point we expect the administration to direct the relevant agencies to begin taking action to implement the enhanced risk-management and cybersecurity prevention measures. While the practical impact is still too esoteric to predict, the administration’s focus on cybersecurity is at least likely to manifest by increasing scrutiny into the cybersecurity practices of government contractors and critical infrastructure entities, such as utilities. We will be monitoring developments related to the Order on our blog.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.