President Trump's Executive Order On Cybersecurity: Potential Impacts And Opportunities For Industry

On May 11, 2017, President Trump signed a long-anticipated executive order entitled "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" (Executive Order). As addressed below, the Executive Order triggers a cyber policy review across critical infrastructure sectors (communications, defense industrial base, financial, IT, electric, transportation, health care, and others), as well as a focus on the federal Government securing its own systems. This review process, by definition, creates risks and opportunities for critical infrastructure companies. The focus on the Government's own systems also presents a clear opportunity for companies who are able to optimize their product and service offerings to match the Order's stated preference for shared IT services and consolidated network architecture in the federal Government.

The Executive Order triggers no less than 19 reports to be written by agency heads, covering a full range of topics affecting cybersecurity stakeholders, including private companies (both vertical and horizontal), universities, federal agencies, and other governments. While many of these reports are status reports to capture where agencies think we presently are on cyber topics, many are also forward looking with a potential to set the path for future cyber policies by the Administration. Most of the reports are to be submitted to the President without review by traditional intermediaries such as the Office of Management and Budget (OMB) or the Office of the Director of National Intelligence. While it is not clear how the 19 reports will be coordinated—or rationalized, given that different agencies and constituencies will no doubt have different priorities, approaches, and policy directions—stakeholders would be wise to take the reports seriously, and to recognize that the clock has started in the race to influence them.

Industry stakeholders, in particular, will want to map their interests to each of the 19 work streams, identify their core principles and care-abouts for a given stream, and create strategies for ensuring the drafters of the reports understand their worldviews, including the potential impact and importance of a given report's recitation of the current state of affairs and recommended path forward. This will be no small task, especially since the reports will trickle out on varying time schedules over a period of months and many may be classified. As usual in Washington, particularly with a new administration, stakeholders cannot assume the past to be prologue on policy direction and, therefore, should not underestimate the importance and power of the individual holding the pen. Views and directions will be debated, directions will be set, and there will be winners and losers.

A look at the main topics addressed in the Executive Order, which are discussed in greater detail below, reveals who from industry should be interested in the direction of the reports: (a) IT modernization and shared services affects IT companies, service providers (including Fintech), managed security services, cloud providers, AI firms, systems integrators, small innovators, foreign IT companies, and others; (b) cybersecurity for critical infrastructure affects the owners of Section 9 Entities and members of the defense industrial base, including its supply chain, platforms, and systems; (c) "transparency" affects all public companies; (d) the section on "botnets," by its terms, affects the entire "internet and communications ecosystem" (an expansive definition both vertically and horizontally); (e) the "electric subsector" concerns generation, transmission, distribution, and alternative energy; (f) deterrence and international cooperation affects all multinational companies; and (g) the section on the workforce affects traditional academia (universities and K-12 institutions), for-profit schools, and any company that benefits from a cyber skilled workforce.

This Advisory addresses these areas of interest. It is organized by each of the Executive Order's three substantive sections. First, it distills what each section says. Then it provides analysis of the section's key implications for industry.

SECTION 1. THE CYBERSECURITY OF FEDERAL NETWORKS

What The Executive Order Says

Section 1 begins with a finding that "antiquated" information technology (IT) is "difficult to defend." It adds that "known but unmitigated vulnerabilities," such as "using operating systems or hardware beyond the vendor's support lifecycle, declining to implement a vendor's security patch, or failing to execute security-specific configuration guidance," are "among the highest cybersecurity risks" that the Government faces.

To solve these problems, the Section observes that the Government must plan such that "maintenance, improvements, and modernization" of federal IT "occur in a coordinated way and with appropriate regularity," in addition to "protecting IT and data currently in place." This planning requires "information sharing," and agency heads "lead[ing] integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources."

From a high-level policy standpoint, these ideas will be implemented through two mechanisms. First, the executive branch will manage cybersecurity risk as a Governmentwide enterprise "because risk management decisions made by [individual] agency heads can affect the risk to the executive branch as a whole." Second, the President will hold individual agency heads accountable for: (a) "implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data" at their agencies; and (b) "ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes."

In terms of concrete action, the Section prescribes the following workflows, which can be subdivided into three broad categories:

  1. Procurement Preference for Shared IT Services

    Effective immediately. Agency heads shall preference "shared IT services" in their procurement "to the extent permitted by law."

    By August 9, 2017 (90 days from May 11, 2017). The Secretary of Homeland Security, Administrator of General Services, and Directors of OMB and the American Technology Council shall submit a report to the President describing both the "legal, policy, and budgetary considerations" relevant to and the "technical feasibility and cost effectiveness" of transitioning all or some federal agencies to "one or more consolidated network architectures" and "shared IT services, including email, cloud, and cybersecurity services." The report shall specifically consider consistency and compliance with policies and practices issued pursuant to FISMA, 44 U.S.C. §3553, and Section 227 of the Homeland Security Act, 6 U.S.C. §148. All agency heads "shall supply such information concerning their current IT architectures and plans as is necessary to complete [the] report on time."

  2. Risk Management Assessment and NIST Framework Implementation

    Effective immediately. Agency heads shall manage their respective agency's cybersecurity risk using "The Framework for Improving Critical Infrastructure Cybersecurity" previously developed by the National Institute of Standards and Technology (NIST Framework) pursuant to Section 7 of Executive Order 13636 (Feb. 12, 2013).

    By August 9, 2017 (90 days from May 11, 2017). Each agency head shall provide a "risk management report" to the Secretary of Homeland Security and the Director of OMB. These reports shall include "the strategic, operational, and budgetary considerations that informed" the agency head's "risk mitigation and acceptance choices," as well as documentation of "any accepted risk, including from unmitigated vulnerabilities." The reports shall also include an "action plan to implement" the NIST Framework. The...
