June 7, 2017
Headlines regarding the “WannaCry” ransomware attack dominated recent global press. But a less-heralded cybersecurity development from the U.S. federal government—President Donald Trump’s signing of an expansive Executive Order on May 11, 2017—is likely to prove far more significant in the long run. The Executive Order, titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” focuses on cybersecurity protections for federal agencies and critical infrastructure, but the implications of the Order will be significant for virtually all medium- and large-sized businesses operating in the United States, the latest in a string of notable developments at the federal, state, and local level regarding cybersecurity.[1]
Following the first high-profile mention of cybersecurity in a U.S. State of the Union address, in February 2013, then-President Barack Obama issued an Executive Order calling for the development of a voluntary framework to establish common standards for managing cybersecurity risk.[2] Pursuant to this Order, a year later, following extensive industry collaboration, the U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) issued a framework for improving critical infrastructure cybersecurity in February 2014.[3] The NIST Framework created a set of industry standards and best practices, including a shared vocabulary about cybersecurity to help decision-makers manage cybersecurity using a risk-based approach.
Following up on this initiative, in February 2016 the Obama Administration unveiled a Cybersecurity National Action Plan (“CNAP”) to put in place a long-term strategy to enhance cybersecurity awareness and protections. The CNAP included efforts to modernize the federal government’s aging information technology infrastructure and the establishment of a Commission on Enhancing National Cybersecurity, which would involve leaders from the private sector in making recommendations regarding cybersecurity policy.[4] On December 1, 2016, the Commission on Enhancing National Cybersecurity issued recommendations in its Report on Securing and Growing the Digital Economy.[5]
Upon taking office, President Trump announced that his Administration would take steps to improve the United States’ cybersecurity posture—an announcement that came after an election in which alleged cybersecurity failures, such as the disclosure of emails covertly collected from the Democratic National Committee, were prominently featured in news reports. Until the May 11 Executive Order was finalized, however, the specifics of the Trump Administration’s plans remained unclear. Some observers pointed to the appointment of veteran national security advisers to key cybersecurity-related posts in the White House and Department of Homeland Security as evidence that the Trump Administration likely would continue on the path set by previous administrations. Other commentators anticipated a potential change in the federal government’s approach. The May 11 Executive Order proves each of these groups correct, at least in part: the Executive Order builds from existing initiatives by prioritizing the use of the NIST Framework and continuing the emphases of the CNAP, but breaks new ground with potentially industry-altering directives regarding coordination across federal agencies, as well as private sector information-sharing and transparency requirements.
A significant portion of the Executive Order focuses on improving the cybersecurity posture of executive branch agencies. Rather than imposing a prescriptive, one-size-fits all approach for maintaining and improving this posture, the Executive Order opts for a risk-based approach, requiring the use of the now regularly-used NIST Framework. Under the Executive Order, each executive branch agency must implement risk management measures commensurate “with the risk and magnitude of the harm” that would result from a cybersecurity incident. The intent of the Order is to increase protections against a cyberattack that would result in catastrophic effects on public safety, the economy, or national security.
The NIST framework was specifically intended to be adaptable to any organization, so its use as a tool for federal agencies is a natural progression from existing policy. While there are dozens of other tools available for performing risk assessments, the use of a single tool and uniform structure for assessing risk is intended to facilitate a consistent approach to managing cybersecurity across different federal agencies—a significant change from the status quo.
Each agency must provide a risk management report documenting risk mitigation and acceptance choices to DHS and the Office of Management and Budget (“OMB”) within 90 days of the Executive Order. In turn, OMB, in coordination with DHS and with support from the Department of Commerce, will submit a report to the President within 60 days outlining a plan for protecting all executive branch enterprises. The OMB report also will address additional budgetary needs for risk mitigation, and will establish a process for periodic reassessments of cybersecurity gaps.
The Executive Order sets the federal government on a path for building and maintaining a more modern IT architecture. The Order directs the American Technology Council—a group of industry representatives established by a different Executive Order dated May 1, 2017[6]—to report on the legal, policy, and budgetary considerations related to transferring all executive branch agencies to “one or more consolidated network architectures” and to utilizing shared IT services. The Executive Order also directs agencies to show preference in their procurement for shared IT services, including email, cloud, and cybersecurity services.
Many observers have cautiously praised this portion of the Executive Order, given the antiquated (and potentially vulnerable) technology on which many federal agencies currently rely. The success of this effort is far from guaranteed, however. Notably, modernizing and potentially unifying the technology used by various agencies would require significant funding, and the Executive Order, which is not a budgeting document, is silent on that front. In addition, given that the American Technology Council has been in existence for just a few weeks, succeeding in this large-scale, extremely complex, and expensive undertaking will be particularly challenging.
If the Administration were to push agencies toward shared IT services in a significant way, the results could be profound. Each agency now has discretion to determine the extent to which it will utilize such services, and a variety of different approaches are used. Moving to cloud-based solutions would require a re-working of a variety of procurement contract provisions and monitoring mechanisms. It also could result in a massive increase in demand for such services, which could put pressure on available capacity to handle and secure the type of highly sensitive data currently processed and maintained by many federal agencies.
The Executive Order includes a number of provisions addressing the cybersecurity of the United States’ critical infrastructure. For purposes of the Order, “critical infrastructure” is construed broadly, and includes everything from power generation and electricity transmission to communications facilitation and chemical manufacturing. The Order focuses on both high-level strategy-setting and the development of tactical fixes for several specific threats, although it is primarily an appraisal tool.
As a strategic matter, the Executive Order directs DHS to collaborate with other federal agencies to determine their ability to support the cybersecurity efforts of critical infrastructure entities, a classified group of companies that the U.S. government has identified as being at the greatest risks of cyber attacks that could result in catastrophic effects on public health, economic security, or national security (so-called “section 9 entities”). The agencies also must examine existing federal policies and practices to determine whether they are sufficient to promote “appropriate market transparency” regarding cybersecurity risk management practices, especially by publicly-traded critical infrastructure companies.
On a tactical level, the Executive Order takes aim at automated cyberattacks, prolonged power outages caused by cyber incidents, and cyberattacks on the defense industrial base. The Order directs the Department of Commerce and DHS to jointly lead “an open and transparent process” to identify and spur collaboration around reducing automated cyber-attacks. It directs the Department of Energy to coordinate an assessment of the potential for prolonged power outages associated with cyber incidents. And the Order tasks the Department of Defense with coordinating an assessment of the risks facing the defense industry.
The Order’s focus on critical infrastructure underscores a key reality: many infrastructure providers rely on older technology that is particularly vulnerable to attack. And its focus on tactical responses to particular threats builds from actual attacks in the recent past, including the Mirai botnet attack on the domain name service Dyn that took down several prominent websites, as well as a well-publicized attack on several national power grids.
The Order underscores the importance of information sharing and collaboration, including with international partners, to manage cybersecurity risk. It will be important to see whether the Order leads the government to provide greater incentives for information-sharing by private companies (or penalties for failing to share such information). For years, the federal government has encouraged greater information-sharing by private companies regarding cyberthreats. Eighteen months ago, Congress passed the Cybersecurity Act of 2015, which provided incentives for such sharing. The Department of Justice and the Federal Trade Commission have issued guidance delineating that such sharing, if performed within certain parameters, does not raise antitrust concerns. And the Federal Bureau of Investigation has engaged in concerted information-sharing campaigns through InfraGard and other public-private partnerships. Still, many companies have remained reluctant to share such cyber data based on concerns that the information could be used in future enforcement actions or civil litigation. This calculus may change as the government develops additional policies, although the Executive Order largely continues the same aspirational approach to information sharing.
The Order’s focus on the need for market transparency by publicly-traded critical infrastructure providers is also notable, but again simply calls for a report on the sufficiency of existing policies to promote transparency. While awaiting further guidance from this report, companies should carefully consider whether they have undertaken a sufficiently documented risk assessment to protect themselves against second-guessing if an attack is successful, and whether they have adequately disclosed to investors and regulators the nature of the cybersecurity risks they face.
Portions of the Executive Order venture beyond addressing the security of federal networks and critical infrastructure. For example, the Order identifies as one of its underlying policies an intent to maintain the U.S. competitive advantage in cybersecurity, and requires certain agencies and departments to provide reports relating to fostering a cybersecurity-skilled workforce in both the public and private sectors. The Order identifies as its other underlying principle: “to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.” Despite this reference to privacy considerations, the Order’s substantive provisions do not expressly provide that agency reports assess or address risks to individual privacy.
The Executive Order’s focus on risk-based cybersecurity assessments has implications even for companies that are not directly affected by the Order. When the NIST Framework first was introduced, we predicted that it would become a de facto standard of care. Its adoption as a required tool of all federal executive agencies by the President is a further step toward this result. Companies that have not used the NIST Framework to conduct a well-documented assessment of their cybersecurity vulnerabilities should consider doing so. Relatedly, the Order makes a number of “findings” reflecting its views as to what constitutes “effective risk management,” including that it involves regular maintenance and modernization, addressing known vulnerabilities, and consultation with individuals with appropriate expertise. While these are not novel positions, to the extent they reflect administration thinking on appropriate risk management, companies may hear similar views from regulators and enforcement agencies.
The Executive Order primarily requests numerous assessment reports across a broad range of governmental agencies and departments in a relatively short time period. One obstacle to completing the reports, however, is that many cybersecurity leadership positions in key agencies remain unfilled by permanent appointees. What happens next will depend heavily on whether the time periods are sufficient to allow for the development of effective recommendations, and what the reports propose. Potentially affected companies should continue to monitor the news from Washington as the 60- and 90-day deadlines for submitting the reports pass.
[1] The White House, Office of the Press Secretary, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017), available at https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.
[2] See The White House, Office of the Press Secretary, Executive Order—Improving Critical Infrastructure Cybersecurity (Feb. 12, 2013), available at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
[3] See Alexander H. Southwell, Ryan T. Bergsieker & Stephenie Gosnell Handler, “The Cybersecurity Framework: Risk Management Process . . . And Pathway to Corporate Liability?” Westlaw Journal (Dec. 2013), available at https://www.gibsondunn.com/wp-content/uploads/documents/publications/SouthwellCyberSecurityFramework.pdf; Alexander H. Southwell & Stephenie Gosnell Handler, “NIST Debuts Cybersecurity framework,” Law Technology News (Feb. 20, 2014), available at https://www.gibsondunn.com/wp-content/uploads/documents/publications/SouthwellHandlerNIST.pdf.
[4] See The White House, Office of the Press Secretary, FACT Sheet: Cybersecurity National Action Plan (Feb. 9, 2016), available at https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.
[5] See National Institute of Standards and Technology, Commission on Enhancing National Cybersecurity, Report on Securing and Growing the Digital Economy (Dec. 1, 2016), available at https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf.
[6] See The White House, Office of the Press Secretary, Presidential Executive Order on the Establishment of the American Technology Council (May 1, 2017), available at https://www.whitehouse.gov/presidential-actions/presidential-executive-order-establishment-american-technology-council/.
The following Gibson Dunn lawyers assisted in the preparation of this client alert: Alexander Southwell, Caroline Krass, Ryan Bergsieker, Jeana Bisnar Maute, and Casper Yen.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group.
United States
Alexander H. Southwell – Chair, PCCP Practice, New York (+1 212-351-3981, [email protected])
Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, [email protected])
M. Sean Royall – Dallas (+1 214-698-3256, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Shaalu Mehra – Palo Alto (+1 650-849-5282, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Richard H. Cunningham – Denver (+1 303-298-5752, [email protected])
Jeana Bisnar Maute – Palo Alto (+1 650-849-5348, [email protected])
Europe
Ahmed Baladi – Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0)20 7071 4250, [email protected])
Patrick Doris – London (+44 (0)20 7071 4276, [email protected])
Andrés Font Galarza – Brussels (+32 2 554 7230, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Nicolas Autet – Paris (+33 (0)1 56 43 13 00, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Sarah Wazen – London (+44 (0)20 7071 4203, [email protected])
Emanuelle Bartoli – Paris (+33 (0)1 56 43 13 57, [email protected])
Eryk L. Dziadykiewicz – Brussels (+32 2 554 72 03, [email protected])
Alejandro Guerrero Perez – Brussels (+32 2 554 7218, [email protected])
Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])
© 2017 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.