Written by Rebekah Lewis
This installment of KCGC | In Practice highlights the key takeaways and potential implications of the recently issued cybersecurity Executive Order and offers some recommendations for private-sector organizational leaders.
On the campaign trail, U.S. President Donald Trump vowed that improving cybersecurity would be "an immediate and top priority" of his administration. Last week, the president issued a long-awaited Executive Order aimed at "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" (the "Order"). Although many of its provisions are not surprising, the Order does signal where the new administration intends to build on past approaches to cybersecurity and depart from others - with some notable implications even for entities that may not be directly impacted by the Order's requirements:
The Cybersecurity Framework (CSF) - Time to Get Onboard
Perhaps most significant, though not unexpected, the Order requires executive agency heads to use the Cybersecurity Framework (the "CSF" or "Framework") developed by the National Institute of Standards and Technology (NIST) to manage their agency's cybersecurity risk, effective immediately. While this requirement applies only to executive agencies, it has a number of implications for everyone else. For the reasons described below, the bottom line is this: leaders of any organization, whether federal, state, private, would be wise to adopt and implement the CSF at the enterprise level if they have not done so already and, if they have, to take a closer look and ensure that the implementation is operational and meaningful, and not just in name only.
Since its original issuance as a voluntary framework in early 2014 pursuant to executive action by President Obama, the CSF has been adopted by organizations of different sizes and across industries. Although it has continued to gain traction over the past few years, this action modifying the Framework from voluntary to compulsory for executive agencies significantly elevates its primacy and permanency as a well-recognized and rapidly growing approach to cybersecurity risk management. It also further reinforces one of the Framework's key purposes - serving as a common denominator for evaluating and communicating about cybersecurity risk. Consequently, adoption of the Framework has a snowball effect - as more entities adopt it, adoption becomes more useful, encouraging other entities to adopt, and so on. Mandatory adoption by all executive agencies will significantly accelerate this process.
Compulsory implementation of the CSF by federal entities will also provide a significant data point for regulators, courts and other parties (including cybersecurity insurance carriers or information sharing organizations) who may seek to articulate or rely upon a cybersecurity "standard of care" at some point in the future. While 2017 is not likely to bring real clarity regarding a definitive cybersecurity standard of care, the president's action reinforces the CSF as a critical cornerstone of effective cybersecurity risk management and responsible cybersecurity governance.
The Order will also likely increase pressure for entities contracting with the government (including subcontractors) to implement the Framework. While other government actions, including recent updates to the Federal Acquisition Regulation (FAR), also address security requirements for government contractors, this action elevates a risk management strategy that, in turn, requires federal agencies to assess their suppliers' risk management strategies. In its current form, the Framework incorporates supply chain risk management (SCRM) through several of the categories and subcategories included in its core functions.
A recently proposed update to the Framework, issued by NIST in January, includes even more explicit emphasis on SCRM, adding it as a separate category under the core function "Identify" and incorporating a section describing how the Framework can be used to inform and manage procurement. The new SCRM category includes specific subcategories that highlight the importance of requiring suppliers and partners, by contract, to meet the purchaser's cyber SCRM plan objectives (which, for executive agencies, will now be based in part on CSF adoption) as well as monitoring purchaser's ongoing compliance with these objectives.
As agencies adopt the Framework, they will have to assess how well they implement and achieve the CSF's categories, subcategories and outcomes, including the above provisions with respect to supply chain. During this process and throughout their contract period, suppliers who are also using the Framework will be able to demonstrate more effectively and readily that they enable the federal agency to achieve its own Framework implementation goals.
In addition, much like the executive actions of Presidents Obama and Bush before him, the Order calls for assessments and reports of various executive branch entities. These assessments may also shine a brighter light on contract requirements and ongoing compliance with those requirements; all the more reason for entities contracting with the government to adopt the CSF as a way to improve their cybersecurity strategy and demonstrate compliance.
- For the above reasons, organizations of all sizes and in any industry would be wise to adopt and implement the CSF, even if they are not required to do so. Adopting the Framework will not only provide organizations with a comprehensive and flexible structure for approaching cybersecurity risk management, it will also give them an increasingly well-recognized mechanism for publicly demonstrating their commitment to cybersecurity while also getting ahead of any potential future requirements to implement the Framework as a standard of care.
Expect Continued Regulation and Oversight (and See Recommendation 1)
Despite President Trump's promises to curtail regulation, the Order generally indicates no significant change in government oversight related to cybersecurity and may actually lead to increased oversight, particularly with respect to disclosure. Section 2(c) of the Order directs the Departments of Homeland Security and Commerce to "examine the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities."
Although the Order uses the term "promote," which suggests incentives rather than obligations, it does not rule out the use of the stick, rather than the carrot, and by its very terms calls into question the sufficiency of existing policies and practices. In addition to new regulations aimed at improving transparency, other approaches could include more rigorous interpretation and enforcement of existing statutes and regulations, many of which already provide a sufficient basis for regulatory action. Relying upon existing regulations to increase oversight would not necessarily trigger the president's Executive Order related to reducing regulation, which is both limited and ambiguous in scope and applicability.
Recent regulatory actions have already evidenced growing scrutiny of corporate disclosures (or the lack thereof) regarding cybersecurity. For example, reports indicate that the Securities and Exchange Commission (SEC) may be investigating Yahoo for failure to disclose its blockbuster breaches in a timely manner. Similarly, the Consumer Financial Protection Bureau last year brought an action against the start-up company, Dwolla, based solely on its representations regarding security practices, even absent an alleged breach. Given the number of other high-profile issues crowding the federal government's agenda in the short-term, a top-down shift in the cybersecurity-related activities of federal agencies seems somewhat unlikely.
Moreover, even if federal regulation were curtailed or stalled, state regulators may also step in to fill the void. The New York State Department of Financial Services' recently issued cybersecurity requirements for financial services companies are just one example of a growing interest in cybersecurity by a range of state regulators (even absent any change in federal regulatory trends). Particularly as the Internet of Things (IoT) continues to grow and both consumers and investors have an increasing interest and stake in cybersecurity, federal and state regulators may face pressure to implement consumer protection measures. Even if government regulation were to decrease in the short term, a sufficiently catastrophic cyber incident could lead to even greater consumer concern and scrutiny, especially if it were linked to the production and distribution of less secure products. The longer-term effect may be, in fact, redoubled calls for even greater regulation.
Given growing consumer awareness of cybersecurity and the increasing threat that cybersecurity failures pose to critical infrastructure, national health, safety and security, federal oversight in this area is likely to either hold steady or continue increasing under the Trump Administration. With this most recent order's focus on promoting transparency, it would not be surprising to see greater federal scrutiny of disclosure practices including, potentially, more formal disclosure requirements by the SEC and other regulators.
- So what does all this mean for private sector enterprises? First, organizations should not count on reduced government oversight when planning their cybersecurity risk management strategy. Instead, a more prudent approach would be to prepare for continued or increased scrutiny of cybersecurity-related disclosures, including erring on the side of prompt disclosure in the event of an arguably material cyber incident.
Given the potential for increased disclosure requirements, entities should also consider reframing their view of cybersecurity risks and incidents, shifting from the perspective of "public relations nightmare" to an opportunity to showcase incident prevention, response and recovery capabilities. With transparency and disclosure in the spotlight, demonstrating a proactive approach is likely to outweigh the potential benefits of appearing to have had no significant security incidents.
- In addition, this increasing focus on transparency will continue to draw more attention to the responsibility of Boards of Directors and other senior executives with respect to cybersecurity. Accordingly, organizational leaders would be wise to take demonstrable steps to address cybersecurity as an issue that could have a significant impact on corporate value - starting with (see above) their thoughtful consideration, formal adoption and properly-resourced implementation of the CSF.
Collaboration, Coordination, Participation
Section 2(d) of the Order calls for the Secretaries of Commerce and Homeland Security to lead an open and transparent process aimed at improving the "resilience of the internet and communications ecosystem" and encouraging collaboration towards reducing widespread and automated attacks, such as those carried out by botnets. This subsection yields a couple important and broadly applicable implications for both private and public sector entities.
First, while many organizations remain skeptical of the value of collaborating with government entities, including law enforcement, with respect to cybersecurity, this provision provides some good reason to continue (or start) building public-private relationships. The collaborative public-private process outlined in the Order bears resemblance to the process leading to the creation and refinement of the CSF, a process that has been generally lauded even by those who find fault with the end product. By calling for a similar process in the Order, the new administration is effectively endorsing this approach as a workable way for government and industry to problem-solve in a fast-paced cyber world.
In addition, previously successful efforts to take down botnets have relied on strong collaboration between law enforcement, courts and private entities, in part due to the current legal risks associated with unilateral action. While the legislative branch could act to address some of these risks, perhaps paving the way for more independent action, they have not done so to-date. In the meantime, by including this provision in the Order, the president has signaled that: i) he is interested in taking action on the issue of botnets and similar attacks - and, much more generally, related to improving the resilience of the internet and communications ecosystem; and, ii) that the action he intends to take, at least initially, will involve public-private collaboration and coordination.
Lastly, if the Section 2(d) work resembles the CSF process, then non-government entities have a very real opportunity to weigh-in. The CSF process was and continues to be open and inclusive, involving numerous workshops and ways to provide comments and feedback to the drafters. And the Order's text suggests that the Section 2(d) process will be similarly open and inclusive, broadly defining the "appropriate stakeholders" who will be involved in the process as any entity that elects to participate.
- What does this mean for private sector entities? Elect to participate. Organizations that want a say in how the federal government should and will try to improve the resilience of cyberspace, including combatting widespread cyberattacks that may harm the networks and infrastructures on which they rely, have an opportunity to participate in the process and they should elect to do so. Electing to participate will include staying informed about this process as it develops and then showing up, speaking up and following up with government officials and others involved in the process.
Public-Private Agreement on Key Principles
Starting with its introductory provisions and throughout, the Order sets forth a number of principles and findings regarding cybersecurity risk management. The majority of these findings are not unique to the federal government and should serve as foundational principles across all sectors and enterprises - be they private, state, federal or otherwise. They are often repeated and already appear, in some form, in many publications and reports. For the most part, they may seem fairly basic and obvious.
However, for many organizations, the foundational undertaking of recognizing, understanding and acting on these basic principles still represents the greatest hurdle to effective cybersecurity risk management and responsible governance. It is, therefore, noteworthy that the Order further reinforces the significance of the following core findings and principles, which do bear repeating:
- Effective cybersecurity risk management requires accountability at the highest level of enterprise leadership and should include implementation of risk management measures and alignment of risk management processes with other strategic goals and processes;
- Effective risk management requires organizational leaders to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources;
- Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity;
- Known but unmitigated vulnerabilities are among the highest cybersecurity risks. Mitigating this risk is just as much, if not more, about processes, people and resources, than it is about technology.
- Organizations of all stripes and sizes should revisit basic concepts, including those listed above, in order to ensure that they have built a solid foundation for cybersecurity risk management. The latest technology and brightest minds will not be used most effectively unless they are operating in accordance with the core principles and structures underpinning good management, accountability and best practices.
In sum, while the new administration's cybersecurity "tea leaves" may be relatively few and far between, as they appear they can provide some direction. Moreover, due to the rapidly evolving and interconnected nature of information and communication technologies and the so-called "internet and communications ecosystem," even actions not aimed directly at one group of entities will still likely have implications for other members of the ecosystem. Accordingly, organizational leaders would be wise to take heed of the implications of the president's early executive actions dedicated to cybersecurity and consider implementing the following recommendations (summarized from above):
- Adopt and implement the Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology, even absent a requirement to do so.
- Prepare for continued or increased government scrutiny of cybersecurity-related disclosures and start reframing cybersecurity risks and incidents as an opportunity to showcase incident prevention, response and recovery capabilities.
- Start or continue taking demonstrable steps to address cybersecurity as an issue that could have a significant impact on corporate value - starting with thoughtful consideration, formal adoption and properly-resourced implementation of the CSF.
- Actively participate in opportunities for public-private collaboration, which the president has signaled he will continue to support with respect to certain cybersecurity efforts.
- Establish a strong cybersecurity risk management and governance foundation before investing in other approaches and products.