President Trump recently signed the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (Order). The Order sets forth the Trump Administration's policy for cybersecurity of federal networks and calls for executive departments and agencies (Agencies) to secure their information technology and data using "all United States Government capabilities." The Order also describes how agencies will be expected to support the cybersecurity risk management efforts of critical infrastructure entities, including the financial services sector, and take steps to protect against cyber threats that could result in catastrophic regional or national effects to the nation's economic security and other critical sectors. Industry experts have generally been supportive of the Order, noting that it builds on President Obama's 2013 Executive Order.

U.S. policy has focused on protecting critical infrastructure since the Commission on Critical Infrastructure Protection was established by President Clinton in 1996. In 2013, President Obama identified 16 critical infrastructure sectors in Presidential Policy Directive 21, including financial services, energy, health care, and communications. President Trump's Order directs the Secretaries of Homeland Security and Defense, the Directors of National Intelligence and the Federal Bureau of Investigation, and the heads of all appropriate Agencies to take the following steps to help support the owners and operators of critical infrastructure:

  • Increased Support: Agency heads will identify "authorities and capabilities" that could be employed to support cybersecurity risk management of critical infrastructure entities. The Order requires agencies to engage such entities and solicit their input on how best to support their cybersecurity risk management.

  • Market Transparency: Within 90 days, President Trump will receive a report that examines the sufficiency of existing federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities.

  • Resilience Against Threats: The Secretaries of Commerce and Homeland Security will identify and promote action by the appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration, with the goal of reducing threats perpetrated by botnets and other automated and distributed attacks. A preliminary report on this effort will be made publicly available within 240 days of the Order.

The Order also addresses how agencies will ensure that cybersecurity threats to the internet and the American people are mitigated, while respecting privacy and guarding against disruption, fraud, and theft. Among other measures, the Order requires:

  • Deterrence and Protection: The Order directs the Secretaries of State, Treasury, Defense, Commerce, and Homeland Security, along with the Attorney General, the U.S. Trade Representative, and the Director of National Intelligence to submit a report to the President on strategic options for "deterring adversaries and better protecting the American people from cyber threats."

  • International Cooperation: The Order also directs agencies to foster international cooperation in countering cyber threats. The President will receive a report within 45 days that outlines international cybersecurity priorities, including those concerning cyber threat information sharing, capacity building, and cooperation, and, in 90 days, a report that documents an engagement strategy for international cooperation on cybersecurity.

  • Cybersecurity Workforce: To ensure that the United States maintains a cybersecurity advantage long term, the Order tasks the Secretaries of Commerce, Homeland Security, Defense, Labor, and Education, and the Director of the Office of Personnel Management with developing a plan to assess and bolster the cybersecurity workforce.

The Order is not intended to interfere with any existing cybersecurity laws, such as the Gramm-Leach-Bliley Act, or authority granted to any other federal agencies.

Ballard Spahr's Privacy and Data Security Group helps clients navigate the many laws designed to safeguard health, financial, and other private information. The Group focuses on financial privacy and security by design—evaluating new products and services and communications channels to ensure that financial institutions are meeting their privacy and data security obligations.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.