Amid the flurry following former FBI Director James Comey’s firing last week, President Trump marked his 111th day in office on Thursday, May 11th by signing an executive order targeting national cybersecurity.

The long-awaited order is the first step in fulfilling Trump’s promise to address national cybersecurity concerns and it arrives as threats of international hacking and cyberattacks reach an all-time high. It establishes three overarching cybersecurity priorities for the United States: (1) protecting federal networks, (2) reinforcing critical IT infrastructure, and (3) protecting the American public in the online space. The full text of the executive order can be found here.

While the order includes few actionable items, it sets strict deadlines for government agencies to produce risk reports and recommendations for improving their data security practices, signifying an important call to action from the executive branch that places risk management at the forefront.

Modernizing & consolidating federal networks

Consolidating to the cloud will likely be the first major step toward overhauling the government’s administration-wide cybersecurity protocol. In a press briefing last Thursday, White House Homeland Security Advisor Tom Bossert addressed what he views as fractured, agency-specific IT security practices across the government, noting that “[if] we don’t move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts.”

The move to modernize is an extension of similar efforts from the Obama administration to bolster cybersecurity, an area in which Bossert says the administration made “a lot of progress … [but] not enough.” In line with advancing these efforts, the executive order requires federal agencies to use the Framework for Improving Critical Infrastructure Cybersecurity, developed in 2014 by the National Institute of Standards and Technology (“NIST”), to manage cybersecurity risk. Coincidentally, the Framework may be revised soon: NIST recently closed a comment period on an updated draft that it circulated in January 2017, and per the executive order any successor document to the Framework will become the operative version for government agencies. Separately, Rep. Will Hurd (R-TX), Chairman of the House Information Technology Subcommittee, recently reintroduced H.R. 2227, the “Modernizing Government Technology Act,” which secures more efficient funding for the modernization of federal IT infrastructure and is expected to reach the floor of the House of Representatives within the next couple of weeks.

Reinforcing critical infrastructure

The second prong of the executive order requires the Secretary of Homeland Security to prepare an audit of potential vulnerabilities across the country’s infrastructure systems – from financial and telecommunications systems to utilities including water and electricity. Improving transparency about the security gaps in these systems is crucial, especially as traditional data breaches are losing ground to more devastating Distributed Denial of Service (DDoS) botnet attacks made possible by the growing Internet of Things, or “IoT” (see our blog post here for a discussion of the House’s efforts to address growing security concerns around the IoT).

Protecting the public online

Finally, President Trump’s executive order urges policies aimed at protecting U.S. citizens from domestic and foreign online threats. In addition to increasing the number of cybersecurity experts working with the White House, Bossert suggested that following through on such policies will require greater partnerships between the federal government and the private sector. Indeed, the government currently relies on technology from large, long-time vendors, many of which may not be prepared to grapple with the significant and evolving risks becoming apparent across the data security landscape. Independent technology startups are proving to be the heart of progress in new cybersecurity measures, and the government will need to cultivate solid relationships with these players if it wants to stay ahead in the cybersecurity arena.

President Trump’s executive order has received some criticism for its breadth, but overall has been commended by cybersecurity experts as a balanced step in the right direction. Time will tell whether the resulting policies will make a meaningful difference in the country’s ability to fend off attackers in the ever-evolving online battleground.

In another example of increased restriction on the rights of non-U.S. citizens, last week the Department of Homeland Security (“DHS”) published a policy memorandum limiting the privacy rights of immigrants and foreign nationals under the Federal Privacy Act of 1974. This new guidance was issued to bring DHS policy in line with President Trump’s January 25 executive order.

The Privacy Act was established to govern the collection, maintenance, use and dissemination of personally-identifiable information maintained by federal agencies.  The Privacy Act, with specific exceptions, prohibits disclosure of such records without the consent of the individual.  It also provides individuals a means to access and amend their records.

Previous DHS guidance stated that such personally-identifiable information would be treated the same, regardless of citizenship.  However, consistent with the January 25 executive order, the new guidance provides that immigrants and nonimmigrant foreign nationals may not utilize these provisions and may only access their information through a request made pursuant to the Freedom of Information Act (FOIA).  Additionally, they may not request amendments of their records.  Furthermore, in connection with the new guidance, DHS stated that it permits the sharing of such information about immigrants and nonimmigrant foreign nationals from agency records with federal, state and local law enforcement.

In response to the current Administration’s “citizen-centric” policies, we are seeing an increased interest in applications for naturalization by U.S. Lawful Permanent Residents.

Originally posted in Mintz Levin’s Immigration Law Blog on May 2, 2017

President Obama today signed an Executive Order granting authority to the Department of the Treasury’s Office of Foreign Assets Control (OFAC) to impose sanctions on individuals and entities determined to be “responsible for or complicit in malicious cyber-enabled activities” that result in harms “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”  For purposes of the Executive Order, “malicious cyber-enabled activities” include deliberate activities accomplished through unauthorized access to a computer system, including

  • by remote access;
  • circumventing one or more protection measures, including by bypassing a firewall; or
  • compromising the security of hardware or software in the supply chain.

OFAC will work in coordination with other U.S. government agencies to identify individuals and entities whose conduct meets the criteria set forth in the Executive Order and designate them for sanctions. Persons designated under this authority will be added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List). There are no immediate compliance obligations for U.S. companies under this Executive Order; however, once Treasury has made designations pursuant to this authority, U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC’s SDN List pursuant to this Executive Order or with any entity owned by such persons.


The Executive Order is available here.   OFAC has issued a series of related Frequently Asked Questions here.


Written by Cynthia Larose and Heidi Lawson

UPDATE:  The House Permanent Select Committee on Intelligence passed the Cyber Intelligence Sharing and Protection Act (CISPA) this afternoon. The vote was 18 in favor and two (Adam Schiff (D-CA) and Jan Schakowsky (D-IL)) against.   For more information, read The Hill.


The last 24 hours have seen two important Washington developments on the cybersecurity front.

Senator Rockefeller’s Letter to the SEC

We’ve been discussing the Securities and Exchange Commission’s Cybersecurity Guidance since it was issued last year (including here just Monday).   Yesterday, Senator Jay Rockefeller (D-WV) sent a letter to the SEC, urging newly confirmed Chairman Mary Jo White to issue more authoritative guidance in order to encourage publicly traded companies to detail their cybersecurity risks and what steps they are taking to mitigate the threats.

“Investors deserve to know whether companies are effectively addressing their cyber security risks — just as investors should know whether companies are managing their financial and operational risks,” the letter said. “Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cyber security efforts seriously.”

The Senator’s letter is part of a rapidly growing trend to hold companies, and ultimately their board of directors, responsible for both oversight and making such disclosures.  The question is, are companies and their board of directors paying attention?

President Obama’s Budget — More $$$ for Cybersecurity

The second development came later yesterday when President Obama unveiled his 2014 budget proposal. The 2014 budget specifically allocates billions in funding for research and development, directed in particular to the Departments of Homeland Security, Commerce and Justice, for programs aimed at identifying and mitigating cyberthreats.

In his budget proposal, the President said, “Cyberthreats are constantly evolving and require a coordinated and comprehensive plan for protection and response…As we continue to see across the nation, no sector, network or system is immune from penetration by those who seek to make financial gain, to perpetrate malicious and disruptive activity, or to steal commercial or government secrets and property.”

The budget proposal can be seen as the President putting the money behind his statements regarding the importance of addressing cyberthreats in his State of the Union address as well as the recent Cybersecurity Executive Order.


As published in DataGuidance

USA: New cybersecurity framework has far-reaching effects on US economy

President Obama issued – on 12 February 2013 – the long-awaited Executive Order entitled ‘Improving Infrastructure Cybersecurity’ (the Order), alongside Presidential Policy Directive/PPD 21, to establish a nation-wide ‘Cybersecurity Framework’ and ‘enhance the security and resilience of the Nation’s critical infrastructure’.

The Order proposes an extensive data sharing mechanism with the private sector whereby the US Government will disclose unclassified reports on cyber threats so that private entities ‘may better protect and defend themselves’. By 12 June 2013, the Secretary of Homeland Security is directed to establish procedures to allow the US Government to share classified cyber threats and technical information with eligible entities in all critical infrastructure sectors.

In particular, the Order prioritises privacy safeguards by directing the Chief Privacy Officer of the Department of Homeland Security and other agencies to ‘assess the privacy […] risks of the functions and programs […] and recommend to the Secretary [of Homeland Security] ways to minimize or mitigate such risks, in a publicly available report, to be released [by 12 February 2014]’.

Cynthia J. Larose, Chair of the Mintz Levin’s Privacy & Security Practice, told DataGuidance: “Companies in any of the targeted industries will need to be aware of potential obligations arising out of data sharing. Work should be undertaken now to review customer-facing privacy policies and procedures to determine what representations are made to customers relating to information-sharing and how the [Order] might affect that. In-house counsel or government affairs offices at critical infrastructure companies should consider providing input into the regulatory process in order to shape the prospective new regulatory regime. It also represents an opportunity for critical infrastructure businesses to learn much more about the network threat environment and how to potentially contain the threats to their own business.”

The Order also directs the Secretary of Homeland Security to establish, in coordination with sector-specific agencies, a voluntary program ‘to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure’, and to ‘coordinate establishment of a set of incentives to promote participation in the program’.

The Cybersecurity Framework and voluntary program would apply only to public and private entities that form part of the critical infrastructure of the US. The Order defines critical infrastructure as ‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters’. However, entities that fall outside the scope of the critical infrastructure may still be affected.

The National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, will lead the development of the Cybersecurity Framework. The Order requires NIST to publish a preliminary version of the Framework by 10 October 2013, and a final version by 12 February 2014. NIST stated that ‘the Framework will not dictate ‘one-size-fits-all’ solutions’.

NIST will request that organizations share their current risk management practices; their use of frameworks, standards, guidelines and best practices; and other industry practices. “The process for developing the [Cybersecurity Framework] reflects a core component of NIST’s work, bringing together various stakeholders to address a technical challenge”, said Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director. “By collaborating with industry to develop the framework, we will better protect our nation from the cybersecurity threat while enhancing America’s ability to innovate and compete in a global market.”

“Right now, there is a lack of immunity provisions for disclosure of information – only Congress can provide immunity from civil liability”, said Larose. “In the absence of legislative action, businesses should carefully consider how and whether to share information if they participate in these voluntary information sharing programs. Some suggested actions: (a) determine your organization’s critical infrastructure sector; (b) develop a strategy to combat reported threats – will the failure to act on reports produced by federal officials increase an organization’s exposure to liability? and (c) review policies and procedures for handling network threats.”

“America must … face the rapidly growing threat from cyber-attacks. Now, we know hackers steal people’s identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems.  We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

President Barack Obama, State of the Union Address, Tuesday, February 12, 2013

Just before delivering his State of the Union address, President Obama signed an Executive Order aimed at increasing information sharing between the government and private-sector businesses in order to move the issue of cybersecurity protection forward. The goal of the order is to achieve a “partnership with owners and operators of critical infrastructure to improve cybersecurity information sharing…” by developing and promoting a new cybersecurity framework. The framework will partner critical infrastructure with sector-specific agencies to increase the flow of cybersecurity information between the government and private industry. See the White House blog posts at http://www.whitehouse.gov/blog/2013/02/13/improving-security-nation-s-critical-infrastructure?utm_source=related

How will the Executive Order Potentially Affect You?

(1)  The “Enhanced Cybersecurity Services” program is a voluntary program among federal agencies aimed at de-classifying information about cybersecurity threats and sharing that information with eligible private-sector businesses. Establishing the program will require industry involvement to determine what types of information will be most helpful in combating cyber security threats. The accompanying presidential policy directive identifies 16 critical infrastructure sectors with which the federal government aims to “increase the volume, timeliness, and quality of cyber threat information shared…” and targets such industries as financial services, utilities and healthcare.

(2)  The order calls for the government to develop a “baseline framework” to reduce cyber risk. This work will be led by the director of the National Institute of Standards and Technology. The framework will attempt to align “policy, business, and technological approaches” in combating cyber risk. The framework will also include a “voluntary consensus…and industry best practices…” Since the framework will be built around industry best practices, it follows that it could become the standard for measuring cybersecurity programs.

(3)  The order requires the Secretary of Homeland Security (“Secretary”) and agencies to create a voluntary program to promote the adoption of the framework by creating incentives for private-sector businesses.  If targeted industries are receptive to the voluntary framework this definitely increases the odds that the baseline will be a measuring stick for all cybersecurity programs within those industries.

Other Measures in the Executive Order

The Order also requires agencies to establish safeguards based on the Fair Information Practice Principles to protect the customer information that companies may share with the government and calls for the Chief Privacy Officer and the Officer for Civil Liberties of the Department of Homeland Security to release a report assessing the privacy and civil liberties risks of the program.

The Secretary is also charged with identifying critical infrastructure at the greatest risk. “Greatest risks” means that if a cybersecurity incident occurred it could “reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  This list will be updated on an annual basis and will not specifically identify commercial information technology products or consumer information technology services.

In addition, agencies that are responsible for regulating the security of critical infrastructure are required to work with the Department of Homeland Security, the Office of Management and Budget and National Security staff to determine whether current cybersecurity regulatory requirements are sufficient, and if not, what actions need to be adopted to mitigate cyber risk and whether the agencies have regulatory authority to adopt the preliminary cybersecurity framework. If the agencies find that they do not have the appropriate authority to adopt the framework, they must identify what additional authority is required.

Finally, agencies are required to work with private-sector business owners and operators of critical infrastructure and determine which businesses, if any, are subject to “ineffective, conflicting, or excessively burdensome” cybersecurity requirements.

Cybersecurity concerns have been at the forefront of much debate and congressional leaders such as Senator Rockefeller have been trying to push legislation forward, but have not been successful. Last month Sen. Rockefeller introduced the Cybersecurity and American Cyber Competitiveness Act of 2013 and this month the House is slated to reintroduce the Cyber Intelligence Sharing and Information Act (CISPA) which passed the House last year.

Developments and information regarding this Executive Order and potential Congressional action continue and you can find updates here.  We will also be presenting a webinar on how to prepare your business, so stay tuned for the date/time.


Written by Amy Malone