On Monday, May 11, 2017, President Donald Trump signed an Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The Executive Order comes after Trump had postponed signing a similar executive order on cybersecurity on Feb. 1, and another draft executive order had been circulated Feb. 10.
The final Executive Order aligns with the preceding Executive Order 13636, “Improving Critical Infrastructure Security,” signed by the Obama administration on Feb. 12, 2013. Like the 2013 order, Trump’s Executive Order directs federal agencies to take actions related to the cybersecurity of critical infrastructure and of federal networks. Trump’s order goes beyond its predecessor to address key public policy issues relating to cybersecurity, including workforce development and international cooperation.
Cybersecurity of Critical Infrastructure
The Executive Order provides that agencies will take actions both relating to the protection of critical infrastructure in general and to specific sectors and issues. At a general level, the order provides that the Secretary of Defense, the Attorney General, the Director of National Intelligence, and the Director of the FBI, and the heads of the appropriate agencies, including the Department of Health and Human Services, will identify “authorities and capabilities” agencies could use to support “critical infrastructure entities.” The order also directs the Secretaries of Commerce and Homeland Security to examine the market transparency of the cybersecurity risk management practices by critical infrastructure entities, and provide a report within 90 days.
At a sector-specific level, the Executive Order also addresses cybersecurity for the energy and defense sectors. The order stipulates that the Secretaries of Homeland Security and of Energy are to assess and provide a report within 90 days on the vulnerability of the energy sector, and the possibility for a “prolonged power outage” resulting from a cyber incident. With regard to defense, the Secretaries of Defense and of Homeland Security, and the Director of the FBI, are instructed to provide a classified report on the cybersecurity risks and recommendations for the defense industrial base, including supply chain and military platforms, systems, networks, and capabilities.
Finally, the order also specifically addresses the threat posed by botnets and other automated, distributed threats, providing that the Secretaries of Commerce and of Homeland Security shall take steps to reduce such threats by identifying and promoting actions by appropriate stakeholders, including private sector entities. The two agencies are to provide a preliminary report within 240 days. Threats posed by botnets have become increasingly prevalent as malware such as Mirai exploit “Internet of Things” devices (e.g., smart TVs, web cameras) to launch cyberattacks. This month, the WannaCry ransomware computer worm infected more than 230,000 computers in 150 countries, locking users out of their data and demanding a payment in exchange for the restoration of files.
Accordingly, organizations that operate critical infrastructure may expect increased engagement and scrutiny from federal agencies regarding their cybersecurity practices. This is particularly true for organizations in the energy, communications, and defense industrial base sectors. Critical infrastructure entities are organizations in sectors whose “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” These sectors were identified in Presidential Policy Directive 21 (PPD-21) and include, in addition to the sectors mentioned above, financial services, critical manufacturing, health care and public health, and transportation systems.
Cybersecurity of Federal Networks
The Executive Order furthermore addresses federal agencies’ own cybersecurity risk management and IT modernization. The order requires agencies to use the “Framework for Improving Critical Infrastructure Cybersecurity,” published by the National Institute of Standards and Technology (NIST) to manage cybersecurity risk, and to provide a risk-management report detailing their plan to implement the framework within 90 days. The NIST Framework is a set of industry standards and best practices intended to help organizations manage cybersecurity risk in a cost-effective way. With regard to IT modernization, the order directs agencies to show preference in procurement for shared IT services, such as email, cloud, and cybersecurity services, and instructs the Director of the American Technology Council to provide a report on the modernization of federal IT within 90 days.
Cybersecurity for the Nation
Finally, the Executive Order addresses several public policy issues relating to cybersecurity, including cybersecurity workforce development and international cooperation. The order directs the Secretary of State and several other agencies to provide a report documenting an engagement strategy for international cooperation in cybersecurity in 90 days. Likewise, the order directs that the Secretaries of Commerce and Homeland Security produce a report within 120 days assessing efforts to educate and train the American cybersecurity workforce, and providing recommendations. The Director of National Intelligence and the Secretary of Defense are similarly directed to produce their own reports respectively examining foreign cybersecurity workforce development practices, and assessing the sufficiency of U.S. efforts in maintaining its advantage in national cybersecurity capabilities.