White House Releases Cybersecurity Executive Order
On May 11, 2017, the White House released its long-awaited Executive Order on cybersecurity (EO). The EO directs Executive Branch agencies to develop plans to assess and improve the cybersecurity of their own operations, based on the 2014 NIST Cybersecurity Framework; directs law enforcement and national security agencies to work with providers of critical infrastructure to improve their security, with specific emphasis on resilience against botnets and other distributed threats; and directs a variety of agencies to report on how to deter cybersecurity problems that affect the public on the internet at large, with an emphasis on the need to develop a workforce capable of handling cyber-threats. These points are addressed in more detail below.
The EO directs numerous agencies to rapidly prepare a variety of assessments and recommendations on a range of cybersecurity issues. Private sector entities that provide services to, or interact with, the federal government – or whose own operations constitute part of the nation’s “critical infrastructure” – could be affected by actions taken in response to these reports and recommendations. As a result, such entities should monitor the development of these reports, and consider working with the affected agencies to ensure that an entity’s particular concerns are addressed.
The EO contains three substantive sections:
Section 1 addresses cybersecurity for the Executive Branch’s own operations. The EO chides the government for having “too long accepted antiquated and difficult-to-defend” information technology, and notes that “known but unmitigated vulnerabilities” are a particular concern. Each executive agency is given 90 days to generate a “risk management report,” based on application of the NIST Framework, which shall include an “action plan to implement the Framework.” Thereafter, the Office of Management and Budget (OMB) has 60 days to review the agency reports and issue its own report determining the adequacy of the agencies’ efforts, along with a plan to implement the identified cybersecurity measures.
Section 1 of the EO also declares the policy of the Executive Branch to “build and maintain a modern, secure, and more resilient” IT architecture, including, specifically, increased reliance on “shared IT services … including email, cloud, and cybersecurity services.” While increased sharing and reliance on cloud-based resources seems like an obvious improvement, it should be noted that this in itself reflects an implicit judgment that the increased potential risk associated with concentrating resources and applying similar methods across agencies is warranted by the potential resource savings and presumed improvement in cybersecurity practices that would be applied in the new, shared environment.
Section 2 addresses cybersecurity for critical infrastructure, and declares a policy to “support the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure.” To that end, the EO directs law enforcement and intelligence agencies (along with sector-specific agencies) to identify what they can do to support the cybersecurity efforts of providers of critical infrastructure; work with those providers to identify what the Executive Branch can do to support them; and, within 180 days, provide a report on those efforts, along with findings and recommendations for future action.
Section 2 addresses other matters as well:
- Requires the Secretaries of Homeland Security and Commerce to report on the promotion of appropriate marketplace transparency regarding cybersecurity risk management by providers of critical infrastructure, and in particular providers that are publicly traded.
- Instructs those Secretaries, in consultation with the FBI, the Department of Defense, the FCC, and others, to “lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).” A “preliminary” report on this topic is to be produced within 240 days, with the final version due within a year (that is, 4 months later).
- Directs the Secretaries of Energy and Homeland Security, in consultation with others, to develop a report assessing severe or prolonged electric power outages “associated with a significant cyber incident,” addressing the country’s readiness to manage the consequences of such an incident, and identifying gaps or shortcomings in the country’s ability to do so.
- Requires the Secretaries of Defense and Homeland Security and the Director of the FBI, in consultation with others, to provide a report within 90 days addressing “cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks.”
Section 3 addresses cybersecurity for the internet at large, in the following provisions:
- States that it is Executive Branch “policy … to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.”
- Directs a wide range of agency heads, within 90 days, to “jointly submit a report … on the Nation's strategic options for deterring adversaries and better protecting the American people from cyber threats.”
- Addresses international cooperation on cybersecurity issues. It directs the Secretaries of State, Treasury, Defense, Commerce, and Homeland Security (in coordination with the Attorney General and the FBI), within 45 days, to “submit reports … on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation.” Within 90 days after that, the Secretary of State “shall provide a report … documenting an engagement strategy for international cooperation in cybersecurity.”
- Tackles workforce issues, in order to “ensure that the United States maintains a long-term cybersecurity advantage.” To that end, the Secretaries of Commerce and Homeland Security, in consultation with others, are given 120 days to assess “the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future,” including “findings and recommendations regarding how to support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.” Meanwhile, the Director of National Intelligence is given 60 days to provide a report that “review[s] the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness.” Finally, the Secretary of Defense is given 150 days to provide a report that assesses “the scope and sufficiency of United States efforts to ensure that the United States maintains or increases its advantage in national-security-related cyber capabilities.”