White House Issues New Cybersecurity Executive Order
President Trump recently signed the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (Order). The Order sets forth the Trump Administration’s policy for cybersecurity of federal networks and calls for executive departments and agencies (Agencies) to secure their information technology and data using “all United States Government capabilities.” The Order also describes how agencies will be expected to support the cybersecurity risk management efforts of critical infrastructure entities, including the financial services sector, and take steps to protect against cyber threats that could result in catastrophic regional or national effects to the nation’s economic security and other critical sectors. Industry experts have generally been supportive of the Order, noting that it builds on President Obama’s 2013 Executive Order.
U.S. policy has focused on protecting critical infrastructure since the Commission on Critical Infrastructure Protection was established by President Clinton in 1996. In 2013, President Obama identified 16 critical infrastructure sectors in Presidential Policy Directive 21, including financial services, energy, health care, and communications. President Trump’s Order directs the Secretaries of Homeland Security and Defense, the Directors of National Intelligence and the Federal Bureau of Investigation, and the heads of all appropriate Agencies to take the following steps to help support the owners and operators of critical infrastructure:
- Increased Support: Agency heads will identify “authorities and capabilities” that could be employed to support cybersecurity risk management of critical infrastructure entities. The Order requires agencies to engage such entities and solicit their input on how best to support their cybersecurity risk management.
- Market Transparency: Within 90 days, President Trump will receive a report that examines the sufficiency of existing federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities.
- Resilience Against Threats: The Secretaries of Commerce and Homeland Security will identify and promote action by the appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration, with the goal of reducing threats perpetrated by botnets and other automated and distributed attacks. A preliminary report on this effort will be made publicly available within 240 days of the Order.
The Order also addresses how agencies will ensure that cybersecurity threats to the internet and the American people are mitigated, while respecting privacy and guarding against disruption, fraud, and theft. Among other measures, the Order requires:
- Deterrence and Protection: The Order directs the Secretaries of State, Treasury, Defense, Commerce, and Homeland Security, along with the Attorney General, the U.S. Trade Representative, and the Director of National Intelligence to submit a report to the President on strategic options for “deterring adversaries and better protecting the American people from cyber threats.”
- International Cooperation: The Order also directs agencies to foster international cooperation in countering cyber threats. The President will receive a report within 45 days that outlines international cybersecurity priorities, including those concerning cyber threat information sharing, capacity building, and cooperation, and, in 90 days, a report that documents an engagement strategy for international cooperation on cybersecurity.
- Cybersecurity Workforce: To ensure that the United States maintains a cybersecurity advantage long term, the Order tasks the Secretaries of Commerce, Homeland Security, Defense, Labor, and Education, and the Director of the Office of Personnel Management with developing a plan to assess and bolster the cybersecurity workforce.
The Order is not intended to interfere with any existing cybersecurity laws, such as the Gramm-Leach-Bliley Act, or authority granted to any other federal agencies.