On May 11, the White House released its long-awaited executive order entitled “Strengthening the Cybersecurity for Federal Networks and Critical Infrastructure.” The order is divided into three main parts, each addressing cybersecurity for: (1) federal networks; (2) critical infrastructure; and (3) the nation. As described below, the order has generally received positive reviews, but its ultimate impact will be determined by the drafting process and the conclusions of the various reports it requires.
Summary of Order
· Federal Networks. The first section holds federal agency heads accountable for implementing cybersecurity risk management measures using the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and for ensuring that such measures are aligned with strategic, operational, and budgetary planning processes. Each agency must report its measures to the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB), which shall jointly assess each agency’s choices and submit an assessment and plan to adequately protect the executive branch as a whole, to address unmet budgetary needs, and to clarify and reissue relevant agency policies, standards, and guidelines consistent with the NIST Framework. The newly formed American Technology Council will also coordinate a report from DHS, OMB, and the General Services Administration (GSA) on the modernization of Federal IT and on the potential transition of all agencies (or a subset thereof) to one or more consolidated network architectures and shared IT services, including email, cloud, and cybersecurity services. For National Security Systems, the Department of Energy (DOE) Secretary and the Director of National Intelligence (instead of DHS and OMB) shall provide reports to the president describing their risk management implementations and justifying any deviations from the above requirements.
· Critical Infrastructure. The second section calls on various agency heads to produce numerous reports. The first report, to be updated annually, will identify agency authorities and capabilities to support the cybersecurity efforts of certain critical infrastructure entities, engage those entities to evaluate whether and how such authorities and capabilities might be employed, and report to the president with findings and recommendations for better supporting those entities’ risk management efforts. A second report will address the sufficiency of existing federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities. A third report calls on the Department of Commerce (DOC) and DHS to lead a process to identify and promote action by “appropriate stakeholders” to improve the resilience of internet and communication ecosystems and to encourage collaboration to reduce threats from botnets. A fourth report will jointly assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident against the U.S. electric subsector; the readiness of the U.S. to manage such an incident’s consequences; and any gaps or shortcomings in the assets or capabilities required to mitigate such an incident’s consequences. Finally, in a fifth report, the Secretaries of DOD and DHS and the FBI Director, coordinating with the Director of National Intelligence, shall report on cybersecurity risk and mitigation recommendations regarding the defense industrial base, including the supply chain and U.S. military platforms, networks, and capabilities.
· National Cybersecurity. The final section requires reports regarding: strategic options for deterring adversaries and protecting the U.S. from cyber threats; international cybersecurity priorities and an engagement strategy for international cooperation; and an assessment of the scope and sufficiency of efforts to educate and train America’s future cybersecurity workforce and recommendations on how to support its growth and sustainment in both public and private sectors. The Director of National Intelligence will review the workforce development efforts of potential foreign cyber peers and report on the scope and sufficiency of efforts to maintain or increase the U.S.’s advantage in national security-related cyber capabilities.
Impacts on Electricity Sector
President Trump’s order has generally been well-received by various industry sectors, as it responds to calls for more modernized federal systems and a more coordinated defense. The modernization of federal networks and adoption of risk management practices may also signal a trend towards mitigating concerns over public/private information sharing of critical infrastructure information. The next step towards implementing these directives will be ensuring that enough financial resources are appropriated to the agencies to modernize their IT systems as directed.
However, whether the various reports’ future impact on the electric sector is positive or negative will largely depend on the level of input or participation allowed from industry and subject matter experts, as well as on the reports’ ultimate findings or recommendations. For example, the report on a prolonged cyber-related outage and associated response capabilities would likely be similar to many of the reports already being developed on a regular basis by FERC, NERC, and the industry. However, the order does not make clear the extent to which these pre-existing analyses will be brought to bear in this report. Ideally, the report will build upon, rather than simply duplicate, the existing body of work to date.
Similarly, the report on federal policies and practices to promote market transparency of cybersecurity risk management practices by critical infrastructure entities (with a focus on publicly traded critical infrastructure entities) could also be a double-edged sword. Information sharing and lessons learned can often streamline a path forward. However, appropriate care will need to be taken to ensure the risk management practices described and examined in the report, as well as the level of recommended market transparency, do not inappropriately identify vulnerabilities that can then be exploited, or otherwise publish information regarding risk management practices (whether cyber-related or not) that could arm adversaries. The order does specify that the reports may be classified in full or in part, as appropriate. It is also unclear why there is an explicit focus on publicly traded entities over private owners and operators of critical infrastructure, which seems to be a distinction irrelevant to the expressed fundamental concerns. Both of these reports could be very positive if their findings and recommendations are developed in the context of, and are sensitive to, the realities faced by the electric grid’s owners and operators.
Several other reports look quite promising: one will study ways to encourage collaboration to reduce threats by botnets; another will identify ways to support the growth and sustainment of the nation’s cybersecurity workforce in both public and private sectors. The key to success with all of these reports will be the extent to which they encourage and incentivize public/private partnerships (proven to be relatively successful in recent history), versus imposing top-down requirements devoid of the context of operational and industry knowledge and experience.
About the author: Brandon N. Robinson (CIPP/US) is a partner in Balch & Bingham’s Birmingham, Alabama, office and a member of the Energy and Privacy and Data Security Practices. He counsels public utilities and energy companies on cybersecurity and data privacy, assisting them with proactively managing risks while maintaining innovative customer service in terms of data breach management and response, compliance with federal, state, and sectoral privacy laws and regulations, and the review and drafting of contracts with vendors and other third parties.