Since President Trump’s inauguration, cybersecurity has been in the news almost daily – often on the front page. The U.S. Government is facing a wide array of challenges in cybersecurity, impacting both domestic and foreign policy, at the same time that many companies find themselves under attack. Although many of these issues preceded the election of President Trump, the Yahoo! data breach, the widespread allegations of hacking into Democratic National Committee emails (perhaps by a foreign government), and the ongoing congressional investigations into these incidents continue to keep cybersecurity concerns at the forefront of regulatory attention.
President Trump has made it clear that cybersecurity is high on his agenda. Throughout his presidential campaign, President Trump often discussed the importance of cybersecurity, and he has carried that message into his administration. President Trump has also repeatedly stated his view that the United States is not doing enough to improve its cybersecurity defenses in a way that is commensurate to the threats it faces.
It appears the initial approach of the Trump Administration will be to build on the work done under the Obama Administration, so a certain measure of continuity should be expected. But as the Trump Administration moves forward, we expect to see an aggressive effort to have Congress approve a robust budget increase for cybersecurity. Indeed, due to the near-universal agreement of Congress that the United States needs to be doing more on cybersecurity issues, cybersecurity initiatives should provide the Trump Administration with an ability to achieve impactful bipartisan legislation, despite an increasingly partisan environment in Washington.
Given the scope of the cybersecurity challenges, there are a variety of approaches the Trump Administration could take, many of which would have a substantial impact on the private sector. To help deal with this uncertainty, this client alert answers your “Top Ten” questions regarding cybersecurity and the Trump Administration, with a focus on (1) U.S. Government challenges, (2) cyber threats from abroad, and (3) concrete steps companies should undertake to prepare for the new administration. The goal is to provide in-depth insight into cybersecurity trends and developments over the next four years and to give practical advice for businesses in responding to those trends and developments.
This client alert is part of a series of “Top Ten” articles on the future of key international trade and regulatory issues expected to change under the Trump administration. Previously issued client alerts discuss the future of NAFTA1, U.S. Customs and Border Protection2, international trade litigation (including antidumping and countervailing duty actions) under the Trump Administration3, the future of the CFIUS review process4, and likely developments impacting white collar enforcement5. Future client alerts will deal comprehensively with all international trade and regulatory areas where significant change could occur under the new administration, including with regard to export controls, OFAC sanctions, and the FCPA.
1. Who is running the Trump Administration cybersecurity team?
President Trump largely has looked outside of government to build his cybersecurity team, but some key members have experience in a previous administration or the military. Combining team members possessing government experience with private-sector outsiders makes for an interesting team. It remains to be seen whether this mix will serve to cross-fertilize public- and private-sector best practices or become a roadblock to true cooperation.
- Thomas Bossert will serve as Assistant to the President for Homeland Security and Counterterrorism. In this role, Mr. Bossert will be the senior White House official on cybersecurity issues. Mr. Bossert is a former cybersecurity aide to President George W. Bush. He has advocated for presidential power in cyber warfare and argued that the president can deploy U.S. cyber forces in military action without notifying Congress.
- Former New York Mayor Rudy Giuliani is leading the current task force on cybersecurity issues, set to report back to President Trump by the end of April. Mayor Giuliani currently runs a private-sector cybersecurity consulting firm and has stated that the focus of this task force is to improve the cyber-defense posture of the federal government. It is unclear what role Mayor Giuliani will play after the task force has reported back to President Trump.
- Joshua Steinman will be taking on the role of NSC cybersecurity coordinator, a role that was held by Michael Daniel in the Obama Administration. Mr. Steinman is an executive with the cybersecurity firm ThinAir and is also a Navy Reserve officer who has worked for the Department of Defense in Silicon Valley.
- Chris Liddell will serve as the Director of Strategic Initiatives. Mr. Liddell was formerly the CFO of Microsoft and General Motors. The Trump Administration has stated that Mr. Liddell will oversee a series of task forces to focus on systemwide improvement to the performance of the government.
- Reed Cordish will serve as the Assistant to the President for Intergovernmental and Technology Initiatives. Mr. Cordish has no government experience, as his background is in real estate and entertainment. Government officials speculate that Mr. Cordish will focus on modernizing the manner in which various agencies share cybersecurity information.
This mix of government and nongovernment cybersecurity team members reflects President Trump’s desire to bring more private-sector experience into the government. This is not only a matter of private-sector perspective but also reflects the importance of public-private partnerships. In cybersecurity, public-private partnerships are particularly important because cybersecurity issues arise in both sectors, which is why they were a substantial focus of the Obama Administration. With this cybersecurity team, it appears President Trump is looking to build on the Obama Administration’s collaborative approach. This would be a welcome development for many U.S. companies, which will be looking for practical approaches to stave off cyber attacks, rather than for costly fines and penalties as punishments for cybersecurity failures.
2. What has President Trump promised?
The Trump Administration has promised to make cybersecurity a top priority and to improve America’s defense against attacks on critical infrastructure (industries such as financial services, utilities, food and agriculture, emergency services, health care, etc.) and government data. This is shown by President Trump’s “Contract with America,” where he promised he would work with Congress to pass a “Restoring National Security Act” that would, among other things, “protect our vital infrastructure from cyber attack.”6 Given this focus, it is not surprising that one of the initial actions President Trump has tried to advance is a cybersecurity executive order. But after preparing for its release in the first week of the Administration, the executive order was subsequently revised and currently is being reviewed inside the Trump Administration. We discuss a leaked, presumably authentic, version of the executive order below.
We believe the delay in a cybersecurity executive order is likely due to the desire to ensure an effective rollout of the order, rather than signaling any kind of backing off from the basic need to focus on cybersecurity. (The initial-draft executive order was being considered when the executive order on travel to the United States was challenged.) Based on the president’s prior statements on cybersecurity, we expect the Trump Administration will soon pivot back to cybersecurity, perhaps with a refined executive order starting the process.
In what we view to be a pro-business move, it is our expectation that the president will rely on the use of “carrots” to help corporate America raise its cyber capabilities, as opposed to penalties to punish breaches. By contrast, on the foreign side, we expect President Trump to use more “sticks” when dealing with international state and non-state actors who attack the American government and critical infrastructure, and who use cyber intrusions to steal intellectual property from U.S. companies. These could take the form of the use of existing OFAC sanctions on persons who use cyber attacks, or perhaps more aggressive measures that could be developed as part of an ongoing review of the U.S. Government’s cyber defenses.
In this regard, one of the first actions President Trump has taken, as promised, is to review the Government’s cyber defenses – Mayor Giuliani is leading the task force on this issue. This was anticipated, as during the first presidential debate President Trump stated that the U.S. Government needed to get “very, very tough on cyber and cyberwarfare”7 while calling for the creation of a joint public-private team of experts to analyze U.S. Government cybersecurity protections. President Trump has also stated that he will hold his cabinet secretaries and agency heads directly accountable for the cybersecurity of their organization. Does this mean President Trump would fire a cabinet secretary over an agency-level cyber breach? Perhaps. President Trump has also said that the American military must have the deterrent ability to conduct “crippling cyber counterattacks” on our adversaries. Although the U.S. Government long has held this capability, it has been reluctant to use it, in part because it is believed that doing so gives away the scope and capabilities of the United States in this area.
As a general principle, we expect – at least at the outset – that the cybersecurity response of the Trump Administration will be similar to that of the Obama Administration, albeit perhaps paired with more aggressive remarks out of the new administration. Beyond that, further developments will depend on the results of the ongoing cybersecurity review and the postures of the full team of government officials who will have a hand in cybersecurity policy.
To the extent there are early indications regarding the posture of the new administration, the best place to read the tea leaves is in the leaked revised executive order from February 9, 2017, which as of this writing has not been signed by the president.8 An important element of the leaked executive order calls for agencies to use shared information technology and cybersecurity services whenever possible. IT consolidation and shared services fall in line with President Trump’s general promise to deliver lower costs for the government, making it likely the Trump Administration will try to push for consolidation. The draft executive order also calls for a White House task force, led by advisor Reed Cordish, to determine how the entire executive branch can be moved into a single IT infrastructure. This would be a massive federal undertaking, given all of the legacy systems at the departments and agencies, and many would argue it is overdue just from an ease-of-communication perspective. Such an endeavor would cost billions of dollars and take years to complete. Nevertheless, the fact that the Trump Administration is considering such a vast undertaking is a significant signal that they intend to try and avoid some of the major breaches (such as the OMB data breach) faced by the Obama Administration.
3. How will the Trump Administration change the current cybersecurity regulatory environment?
When attempting to predict legislative and regulatory action in this area, one must consider President Trump’s stated dislike of regulation in light of his pledge to strengthen the nation’s cybersecurity. President Trump has signed an executive order that requires two regulations to be eliminated before any single new regulation is passed.9 Thus, the administration can keep regulations consistent with its goals while making it harder for agencies to pass new ones. We believe that, at a minimum, agencies will look for obscure and largely meaningless regulations for repeal, enabling the Trump Administration to enact preferred regulations. Regardless, we do not believe that this regulatory initiative will be any barrier to the passage of new regulations in an area identified as a priority by the president himself.
In the short term, we do not see any immediate change to the current slate of cybersecurity regulations, including those passed in the last year of the Obama Administration, which supported cybersecurity regulation in key sectors through the SEC, FTC, and FCC. Unlike other policy areas, it appears more likely that President Trump will build on the cybersecurity regulations used by the Obama Administration, not remove them. For example, the SEC, through its Cybersecurity Examination Initiative, assessed cybersecurity preparedness in the securities industry, including vulnerability assessments, access rights and controls, and incident response ability.10 While President Trump seems likely to push for relaxed regulations on the financial sector in general, when it comes to cybersecurity preparedness, it is unlikely he will want the financial sector to do less than it is doing now. Further, the negative publicity that would occur if there is a cyberattack on the industry, following any easing of the requirements, would move the focus for any breaches from the companies to the administration. The desire to avoid such publicity, the financial sector’s importance to the economy, and the fact that the industry by and large is dealing with these regulations rather than protesting them make it likely the regulatory status quo will remain.
The FTC has emerged as one of the key regulators in the cybersecurity area. Although President Trump has assailed regulatory overreach, we do not believe he will try to restrict the FTC’s ability to enforce penalties for data breaches. After the Wyndham decision,11 the FTC used its authority to regulate cybersecurity to bring suits against other companies for lack of data security. Since the courts have already ruled in Wyndham that the FTC has the power to regulate in this area, President Trump has little incentive to restrict the “stick” that the FTC wields to improve cybersecurity.
An additional regulation to look out for is the banking sector rulemaking involving the Federal Reserve, Treasury, and FDIC – the Enhanced Cyber Risk Management Standards. These standards, which will cover everything from board governance and cyber risk management to daily operations, will come up for the Trump Administration’s consideration in early 2017. Because of President Trump’s executive order on regulations, the Trump Administration will not be able to accept these new standards without revoking other regulations.
4. What new incentives could be proposed to promote the protection of critical infrastructure?
As previously observed, if the Trump Administration decides to reassess existing cybersecurity regulations, government-directed incentives could help ease the financial and legal burdens faced by critical infrastructure companies. These incentives could benefit the private sector by assisting it with upgrades to cybersecurity defenses. The Obama Administration proposed what these incentives would look like pursuant to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” EO 13636 was issued because of repeated cyber intrusions into American critical infrastructure and the shared interest of the government and the private sector in preventing further intrusions. None of the incentives was ever adopted.
To reduce the cost for critical infrastructure operators to comply, EO 13636 called for a proposal for incentives to influence markets and increase the adoption of improved cybersecurity practices.12 These incentives are tied to companies complying with the Cybersecurity Framework that the National Institute of Standards and Technology (NIST) developed, as directed in the executive order. The Cybersecurity Framework is intended to establish a path forward for how to reduce cybersecurity risks to critical infrastructure. Specifically, the Cybersecurity Framework was intended to “provide a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”13
Restarting this approach could appeal to the Trump Administration. While most of the incentives would require congressional action, the incentives are not partisan in nature and could potentially be approved through the current Congress.
In particular, it would not be difficult for the Trump Administration to adopt incentives as drafted in the DHS Incentives Study and to promote them.14 According to the DHS Incentives Study, the most straightforward way for the government to incentivize new investment in cybersecurity products and services is to create a new federal grant program.15 While grant programs in many areas could be subject to cuts under President Trump, cybersecurity may be an area where the Trump Administration is willing to invest and a grant program may be adopted. Such a program could reduce the costs of the duplicative development of cybersecurity measures, allow the rapid sharing of cybersecurity advances, and allow smaller companies to implement cybersecurity measures that otherwise would be beyond their financial reach. The DHS Incentives Study also proposes liability protection for companies that adopt the Cybersecurity Framework and also purchase cyber insurance.16 If the Trump Administration persuades Congress to limit the penalties that could be sought against companies that meet those standards, it could help U.S. companies take an important step in their cybersecurity protection. Given President Trump’s pro-business background, a limited liability incentive may be an approach in which he would see real value.
Further incentives proposed in the DHS Incentives Study include allowing the federal government to prioritize the order in which government cyber response teams help companies requesting assistance, based on whether a given company has adopted the Cybersecurity Framework.17 President Trump’s cyber team may like this approach, as it provides some “stick” to companies that do not comply and not just “carrots.” Further potential incentives to Framework adoption could also be tied to the federal procurement process, to incentivize Framework adoption for any companies seeking to do business with the government.18 This could be seen as a particularly effective approach for creating increased cybersecurity from companies that operate with sensitive information or provide essential government services.
Additionally, the Trump Administration could look to incentivize the private sector by streamlining information security regulations by eliminating overlaps in existing laws and reconciling differences between U.S. and international law through treaties. There are a large number of actors in the cybersecurity area, and the regulatory approaches are not always uniform. Eliminating the overlap and establishing clearer lines of responsibility could lead to better regulation and enhanced security.
Beyond these items, it becomes difficult to predict the government response to the reality of daily cyber attacks on the U.S. Government and U.S. corporations. Some other items that could see some attention, however, include the following:
- The Creation of a Public-Private Standard Setting Body. As directed in the Cybersecurity Enhancement Act of 2014, NIST coordinates industry standards for the United States critical infrastructure through the Cybersecurity Framework. The Cybersecurity Framework is voluntary, however, so the standards are not enforced by any government entity. Establishing formalized standards through regulation could happen, particularly if the number of cybersecurity incidents or the severity of the incidents increases.
- Creating Protections for the Sharing of Cyber-threat Information. Through the Cybersecurity Information Sharing Act (CISA) of 2015, Congress created a voluntary process that provided liability protection as a way to encourage public- and private-sector cyber information sharing. The Trump Administration could build on CISA and pursue mandatory requirements to compel increased cyber information sharing.
- New Regulations Targeting Connected Devices. In November 2016, the Department of Homeland Security issued a set of Strategic Principles for Securing the Internet of Things (IoT).19 These guidelines serve as suggested best practices for IoT product developers, manufacturers, and consumers but are not legally required. Formal regulations could be forthcoming in this space. Along these lines, an FCC white paper released on January 18, 2017 has reinforced the potential need for regulators to step in, due to the rapid growth of network-connected consumer devices.20
- Increased Back Channel and Formal Cooperation Across Borders. Due to conflicting laws regarding data privacy, cross-border data sharing to detect and deter cyber attacks is challenging. Given the multinational nature of many American corporations, there could be action from the Trump Administration to encourage more sharing of cyber threat information with other nation states where American companies operate.
- Increased Actions at the State Level. The most recent example is in New York State, although we expect that other states will likely follow suit. Due to its role in the financial sector, New York is pursuing state-level regulations to protect the financial system. On March 1, 2017, cybersecurity regulations will go into effect that require financial services institutions regulated by the New York Department of Financial Services to maintain a cybersecurity program to protect private data and help ensure the cybersecurity of the financial services industry.21
5. What changes can we expect regarding encryption and data privacy laws?
In addition to his interest in cybersecurity, the president has also been vocal, both during the campaign and now in office, regarding the importance of the fight on terrorism. This is likely to result in efforts to increase surveillance powers. In this regard, we believe the administration may push for increased government authority to compel technology companies to include backdoors into computers, mobile devices, and applications for law enforcement to access. At a minimum, we believe the DOJ will aggressively seek legal and technological measures to obtain access to encrypted information when it is believed to be relevant to a criminal investigation.
The issue of encryption came to the forefront during the debate between Apple Inc. and the government over access to the San Bernardino shooters’ iPhone. During the campaign, President Trump called for a boycott against all Apple products until Apple gave the government the access it requested. Currently, both FBI Director Comey and Attorney General Sessions have expressed support for requiring backdoors for law enforcement. Although such efforts date back to at least the 1980s, when the U.S. Government used similar arguments in the export control context to push for the creation of a decrypting key that would be available for the U.S. Government’s use (with the efforts failing, and later being abandoned), the arguments may take on new resonance where concerns about terrorism are at the forefront.
Getting legislation through Congress to give law enforcement these expanded search powers will remain thorny. While the Obama Administration felt that Apple should have allowed the government to access the San Bernardino shooters’ iPhone, the Obama Administration did not support the efforts to pass legislation to require it to do so. The reason for this was that the Obama Administration did not believe Congress would be able to get a bill passed, viewing Congress as too dysfunctional to react in time. This ended up being the correct reading, as the draft legislation went nowhere. While President Trump has the advantage of Republican control of Congress, the technology industry generally opposes backdoors or the weakening of encryption protections. With some Republicans being concerned that government access to data devices could be misused, there is no guarantee the Republican caucus would take a consistent stand on the issue.
On the international front, the EU-U.S. Privacy Shield presents potentially conflicting concerns for the administration. The Privacy Shield is seen as pro-business, as it facilitates and legitimizes the flow of personal data from the EU to the U.S., thereby enhancing and benefiting commerce between the two regions. The Privacy Shield could, however, come under attack by the Trump Administration; because the Privacy Shield limits the ability of American law enforcement and intelligence to collect and store European citizens’ data, President Trump may consider this an unacceptable risk to American security.
The first annual joint review of the Privacy Shield will occur in 2017. This could be an opportunity for the Trump Administration to advocate for changes. It is important to note that, contrary to some of the commentary in the media, President Trump’s executive order on enhancing public safety did not invalidate any part of the Privacy Shield. But given that the Trump Administration likely will target noncitizens, it may attempt to take on certain provisions of the Privacy Shield. This possibility has already raised concerns among U.S. companies that are complying with the Privacy Shield to avoid running afoul of EU data privacy laws. European lawmakers and stakeholders opposed to the Privacy Shield, on the basis that it does not provide adequate protection to EU citizens, will be looking to use any erosion of privacy protections for non-U.S. citizens to argue against the validity of the Privacy Shield.
In the end, we believe the administration will opt for a path that does not unduly jeopardize the flow of data essential to commerce between the U.S. and the EU. With many of the largest U.S.-based multinational companies relying on being able to freely communicate with their European affiliates, there will be strong pressure from these companies to take steps to ensure that the basic operation of the Privacy Shield remains in place.
6. What actions will the Trump Administration take against states identified as tolerating or failing to extradite cyber criminals?
State-backed hackers threaten both government and private-sector systems and security. A strong response to foreign threats can provide another prong of cybersecurity for U.S. businesses. The primary methods the Trump Administration can deploy in response to states protecting bad actors include some mix of (1) indictments, (2) sanctions, and/or (3) counteroffensive cyber attacks. During his campaign, President Trump stated that he would instruct the Department of Justice to form a task force organized to “crush this still-developing area of crime.”22 Given that, it is likely we will see some combination of the three above tactics to compel foreign states to arrest or extradite cyber criminals to the United States. The Obama Administration issued indictments of cyber criminals, but often those were viewed as a signaling effort intended more to communicate that the U.S. Government could identify its adversaries rather than to lead to criminal apprehension. These were the first state-based indictments and sent a powerful message, but they were never likely to lead to any arrests or extraditions.
Similar indictments could be used for more than mere signaling under the Trump Administration, which could demand that cyber criminals be extradited to the United States, invoking mutual assistance obligations that require cooperation in criminal matters. If opposed, the United States could level sanctions or even respond with offensive cyber attacks. Since President Trump has stated that “America’s dominance in this arena [cybersecurity] must be unquestioned,” the potential for an offensive cyber arms race with China and Russia must be considered if President Trump decides to use offensive cyber attacks against either nation.
Given that a cyber arms race would decrease global cooperation on cybersecurity issues in ways that would damage the national interest, and could have other negative impacts, it is more likely the Trump Administration would seek sanctions before launching offensive attacks against states that tolerate or refuse to extradite cyber criminals. Nonetheless, the general tone of the new administration, as well as what seems to be bolder moves by foreign interests in the realm of cyber attacks, makes such a response more likely.
Another possible escalation by the Trump Administration would be to push for what is known as private-sector “active defense.” The Center for Cyber and Homeland Security (CCHS) published a recent report that could serve as the blueprint for an active defense policy.23 Pursuing a policy of active defense would mean allowing private-sector entities to take proactive actions against an attacker, including collecting intelligence by using techniques that “fall between traditional passive defense and offense.” The issue the report seeks to address is that, no matter how strong the government’s capabilities are, the government will never be able to defend private industry from the malicious cyber attacks against it. By allowing certain advanced private-sector entities to help defend companies in cyberspace, the government could expand the fight against cyber criminals. To ensure an orderly program of active defense, the Trump Administration would likely task the Department of Justice with publishing guidance.24 Given the economic imperatives for private-sector entities to defend themselves, and the Trump Administration’s desire to be more aggressive against cyber criminals, active defense could soon be on the administration’s agenda for consideration.
7. What can we expect from China, given President Trump’s more aggressive approach in dealing with them?
We cannot separate progress in cybersecurity from the broader U.S.-China relationship. (The topics of the likely coming trade war with China, and the likelihood of more stringent reviews of Chinese investment in the United States, are covered in other Foley client alerts.25) For example, even though the Trump Administration has recently indicated its support for the “One China” policy, if there is an expansion of American partnership with Taiwan, this will empower hardliners in Beijing and could foster greater strategic competition, including in the area of cybersecurity. Unpredictability could lead to a “cyber cold war,” as ratcheting up the rhetoric against China on issues like international trade, foreign direct investment, and territorial rights may indirectly lead to more cyber attacks/cold war-type maneuvering.
This would be a clear shift from the Obama Administration’s approach to China, including its much-vaunted “pivot” to Asia. The U.S. approach to China during the Obama Administration was two-pronged: address threats from China, while cooperating on areas of mutual interest. On the threats side, the Obama Administration was direct with Chinese senior leadership about the Chinese government’s role in the hacking of American companies, even going so far as to indict members of the Chinese military.26 This approach was designed to make Chinese leadership recalculate what had been a largely consequence-free domain, where Chinese leadership hid behind claims of having no knowledge of hacking. On the cooperation side, the goal was to enhance mutual understanding of one another’s government cybersecurity structures, institute closer law enforcement cooperation (black markets, child pornography, phishing in the banking sector, antiterrorism), foster cooperation between computer emergency response teams (CERTs), share crisis prevention measures, and develop a reliable hotline to share threat information to stop the spread of dangerous malware.
The Trump Administration may shift the balance more to combating threats from China, with less emphasis on collaboration. This could reduce information sharing and push the two countries closer to cyber hostilities. The concern is that if either the United States or China crosses an undefined cybersecurity redline, even inadvertently, either country could use that as an opportunity to escalate tensions. Both sides may feel the need to push the limits to try to acquire sensitive information, increasing the risk of cyber attacks. In this environment, U.S. companies would not be immune, especially to the extent that they hold information of advantage to the Chinese government: patents, classified information, technical know-how, export-controlled technical data, and so forth.
While not letting its guard down, the private sector should be looking to avoid or mitigate escalating tensions between the two countries. As U.S. companies seek to balance participating in the Chinese economy and taking advantage of global economies of scale against the risks of intellectual property theft, they will likely pressure the administration to avoid cyber conflicts with China and instead to look for areas of mutual interest. In particular, after the recent Third U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues, both countries agreed to hold a U.S.-China government and technology company roundtable to discuss cybersecurity issues of mutual concern.27 This is the first time such a meeting appears likely to happen. If the Trump Administration can build on that progress, it may end up in a less radical position with China than appears to be the current path.
8. Will President Trump continue to abide by and promote the United Nations-proposed cyber norms and principles?
With the support of 20 nations, including the United States, China, Russia, France, the United Kingdom, and Germany, the United Nations Group of Governmental Experts (UN GGE) released a 2015 report on international cybersecurity norms.28 Among these norms are the principles that states should not knowingly and intentionally damage another state’s critical infrastructure or impede another state’s emergency response teams.29 The UN GGE report also states that governments should cooperate to increase stability and security in the use of information and communications technology and should respond to appropriate requests for assistance from other states whose critical infrastructure is under attack.30 The UN GGE is planning an updated report to the UN General Assembly in 2017. During the Obama Administration, the United States was supportive of the UN GGE process, and the President’s International Strategy for Cyberspace was written to promote a strategic framework of international cyber stability that dovetailed with the UN GGE efforts.31
Given President Trump’s stated concerns about the United Nations, it remains to be seen what U.S. engagement will be with the UN GGE. While the United States will remain a part of the group to ensure its interests are heard, it is likely that any recommendations of the UN GGE seen as tying the hands of the United States will come under close scrutiny. Yet this impetus to ignore the GGE recommendations will need to be balanced against the value of unified standards. As more nation states agree to abide by voluntary norms, the result is increased cyber stability, making conflicts between nations more manageable. The Trump Administration will have to balance its promise to show progress in protecting America’s government, intellectual property, and critical infrastructure with its caution when dealing with the United Nations. Due to the benefits of consistent international cyber norms, we believe the administration will maintain a favorable position with respect to the UN GGE.
9. How will the president’s hiring freeze and stated desire to cut the size of government affect the administration’s ability to carry out its cybersecurity agenda?
Shortly after his inauguration, President Trump announced a hiring freeze on federal civilian jobs.32 Subsequently, in early February, the Department of Defense released a memorandum exempting certain areas from the freeze, including positions required for cybersecurity operations or planning and for the execution of cyber and intelligence lifecycle operations, planning, and support.33 This reflects an understanding within the administration that freezing hiring across the government’s entire cybersecurity workforce would have a demonstrably negative impact on the president’s ability to carry out his cybersecurity agenda. For positions not already exempted, the relevant agency head may seek a waiver by describing the role or position to be filled and justifying the exemption on a position-by-position basis.34
We believe that as cyber personnel depart, the government must be able to replace them, or readiness and responsiveness to incidents will decline. Exemptions to any hiring freeze are therefore essential, as many of these positions are “critical” to the execution of cybersecurity functions. The exemption requests and rulings (to the extent they are not classified) should also signal the administration’s cybersecurity priorities. The process could lead to different categories of cybersecurity personnel being considered essential and exempt from any hiring freeze, depending on the role the personnel play at a given agency, the importance of cybersecurity to that agency and to its efforts to fight cyber intrusions, and variations in how agencies determine which “critical” IT and cybersecurity personnel should be exempt. While the details need to be implemented properly, the memorandum establishing exemptions is further evidence that the administration is prioritizing cybersecurity.
10. What steps do companies need to take to prepare for the changes ahead?
As discussed, there are many ways in which cybersecurity issues could arise over the next four years, and in some cases it is impossible to predict which issues will come to the fore. Nonetheless, even in this era of uncertainty, there are concrete steps that companies worried about possible cyber intrusions should be undertaking:
- Conducting internal compliance and risk assessments to determine the organization’s exposure to cyber attacks, including an inventory of the systems and data that matter most.
- Developing and implementing the corporate policies and procedures required for compliance with federal and state privacy and security laws.
- Developing quick-response teams to handle potential cyber attacks, using pre-formulated decision trees and procedures so that these do not have to be developed under the fire of an ongoing attack.
- Establishing secure data backup protocols so that, even if the company is under attack, important company records remain intact and recoverable. Backups should be kept offline or otherwise isolated from production credentials, so that an intruder who compromises the live environment cannot alter or delete them, and restores should be tested periodically.
- Establishing protocols to deal with common forms of cyber attacks (denial of service, ransomware, phishing, and so forth).
- Lining up outside experts, if warranted by the risk profile of the company, to swing into action if company processes are overwhelmed by a cyber attack.
- Performing periodic audits of cybersecurity practices against industry norms, accepted best practices, and the risk profile of the organization.
- Implementing information security best practices and reflecting them in information security policies, records retention and management policies, and internal controls/standard operating procedures.
- Making certain the CEO and executive leadership are properly informed about the cyber risks to the company and are involved in oversight and decision-making related both to responding to cyber attacks and to proactive cybersecurity measures.
- Reviewing funding of all electronic security measures to ensure it is adequate to cover not only routine compliance measures but also proactive testing and probing of systems, in light of the increasingly sophisticated measures being used by hackers.
- Collecting only the personally identifiable information from clients, customers, or company personnel that is needed for identified business purposes, retaining it only for as long as it serves those purposes, and storing it in a way that minimizes its usefulness if it leaves the organization (encryption, etc.).
- Reviewing cybersecurity programs to ensure they apply industry standards and best practices.
- Coordinating cyber incident response planning across the entire company.
- Storing sensitive information securely (encrypting where appropriate) and separately from data that does not require the same level of protection, using a layered defense approach to protect “crown jewel” information.
- Conducting appropriate data security due diligence on third-party service providers with access to personal information and sensitive business information, contractually requiring them to implement robust data security procedures, and following up to ensure those requirements are in fact implemented.
- Assessing how the company’s externally exposed access points (website, VPNs, remote access, and so forth) are configured to minimize intrusion risk, with multifactor authentication on remote access where available, and with regular testing and probing to identify and address new risks.
- Performing companywide training, tailored to the personnel involved, to ensure that all electronic security measures are understood and followed.
While (as with any new administration) there remains some uncertainty surrounding the current administration’s new policies, including in the relatively new area of cybersecurity, it does appear that the Trump Administration views public and private cybersecurity as a priority and will build on the efforts of the Obama Administration to continue to develop a coherent cybersecurity policy. Because of President Trump’s very public commitment to cybersecurity, it is our view that the administration will spend both funding and political capital to improve the nation’s cybersecurity. Additionally, given that most of the nation’s critical infrastructure is owned by the private sector, the Trump Administration is likely to see itself as a “willing partner” to get the private sector what it needs, rather than to act as a burdensome regulator.
Want more help? Regardless of how events unfold, the types of compliance measures discussed above are a prudent investment in securing crucial company data and the ability to operate even when under constant probing by unauthorized outsiders. If you would like further information regarding practical steps that can be undertaken to help prevent cyber intrusion, you can contact [email protected] or +1 904.359.8745.
* * *
The international climate for U.S.-based multinational companies and non-U.S.-based companies that sell into the United States has never been more uncertain. This client alert is the sixth of a series of alerts prepared to help companies navigate the uncertain international trade and regulatory environment. As noted in the introduction, existing “Top Ten” articles cover the future of NAFTA, International Trade (antidumping and countervailing duty) actions, U.S. Customs and Border Protection, likely changes in how the Committee on Foreign Investment in the United States (CFIUS) evaluates investment in the United States, and the future of white collar enforcement under the new administration. Future client alerts will cover the Office of Foreign Assets Control (OFAC economic sanctions) and Export Controls, the Foreign Corrupt Practices Act, anti-money laundering, and the regulatory concerns of private equity firms. If you would like to be added to the mailing list for these alerts, please contact the chair of the Foley & Lardner LLP Export Controls and National Security practice, at [email protected] or +1 202.945.6149.
1See Gregory Husisian & Robert Huey, NAFTA and the Trump Administration: Your Top Ten Questions Answered, Foley & Lardner LLP (Dec. 1, 2016), https://www.foley.com/nafta-and-the-new-trump-administration-12-01-2016/.
2See Gregory Husisian & Robert Huey, U.S. Customs and the Trump Administration: Your Top Ten Questions Answered, Foley & Lardner LLP (Feb. 7, 2017), https://www.foley.com/us-customs-and-the-new-trump-administration-your-top-ten-questions-answered-02-07-2017/.
3See Gregory Husisian & Robert Huey, International Trade Litigation and the Trump Administration: Your Top Ten Questions Answered, Foley & Lardner LLP (Jan. 6, 2017), https://www.foley.com/international-trade-litigation-and-the-new-trump-administration-your-top-ten-questions-answered-01-06-2017/.
4See Gregory Husisian, CFIUS Reviews and the Trump Administration, Your Top Ten Questions Answered, Foley & Lardner LLP (Jan. 25, 2017), https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.
5Scott Fredericksen & Gregory Husisian, White Collar Enforcement and the New Trump Administration: Your Top Ten Questions Answered, Foley & Lardner LLP (Feb. 9, 2017), https://www.foley.com/white-collar-enforcement-and-the-new-trump-administration-your-top-ten-questions-answered-02-09-2017/.
6See President Donald J. Trump, Address at Gettysburg, PA: Groundbreaking Contract for the American Voter in Gettysburg (Oct. 22, 2016), https://www.donaldjtrump.com/press-releases/donald-j.-trump-delivers-groundbreaking-contract-for-the-american-vote1.
7See “Donald Trump: ‘We have to get very, very tough on cyber and cyberwarfare,’” Newsday, http://www.newsday.com/long-island/politics/donald-trump-we-have-to-get-very-very-tough-on-cyber-and-cyberwarfare-1.12369169.
8See Paul Rosenzweig, Revised Draft Trump EO on Cybersecurity, Lawfare (Feb. 9, 2017), https://www.lawfareblog.com/revised-draft-trump-eo-cybersecurity.
9See “Presidential Executive Order on Reducing Regulation and Controlling Regulatory Costs,” https://www.whitehouse.gov/the-press-office/2017/01/30/presidential-executive-order-reducing-regulation-and-controlling.
10See Office of Compliance Inspections and Examinations, OCIE’s 2015 Cybersecurity Examination Initiative (2015), https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.
11See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). In this proceeding, the FTC sued a global hotel company for failure to adequately safeguard its computer network, allowing hackers to steal customer information. Wyndham marked the first time the FTC’s authority to regulate data security had been confirmed by a federal court.
14See U.S. Dep’t of Homeland Sec., Executive Order 13636: Improving Critical Infrastructure Cybersecurity (2013), https://www.dhs.gov/sites/default/files/publications/dhs-eo13636-summary-report-cybersecurity-incentives-study_0.pdf.
19See U.S. Dep’t of Homeland Sec., Strategic Principles for Securing the Internet of Things (IoT), (2016), https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL….pdf.
20See Fed. Commc’ns Comm’n, White Paper: Cybersecurity Risk Reduction (2017), http://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0118/DOC-343096A1.pdf.
21See N.Y. State Dep’t of Fin. Servs., 23 NYCRR 500, http://www.dfs.ny.gov/legal/regulations/adoptions/rf23-nycrr-500_cybersecurity.pdf.
22See President Donald J. Trump, Remarks on Immediate Action on Cybersecurity (Oct. 3, 2016), https://www.donaldjtrump.com/press-releases/donald-j.-trump-remarks-on-cybersecurity.
23See Center for Cyber & Homeland Sec., Into The Gray Zone: The Private Sector and Active Defense against Cyber Threats (2016), https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf.
25See Gregory Husisian & Robert Huey, International Trade Litigation and the Trump Administration: Your Top Ten Questions Answered, Foley & Lardner LLP (Jan. 6, 2017), https://www.foley.com/international-trade-litigation-and-the-new-trump-administration-your-top-ten-questions-answered-01-06-2017/; Gregory Husisian, CFIUS Reviews and the Trump Administration: Your Top Ten Questions Answered, Foley & Lardner LLP (Jan. 25, 2017), https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.
26See U.S. Dep’t of Justice, U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage (May 19, 2014), https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor.
27See U.S. Dep’t of Justice, Third U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues (Dec. 8, 2016), https://www.justice.gov/opa/pr/third-us-china-high-level-joint-dialogue-cybercrime-and-related-issues.
28See Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. Doc. A/70/174 (July 22, 2015), http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174.
31See International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf.
32See “Presidential Memorandum Regarding the Hiring Freeze,” https://www.whitehouse.gov/the-press-office/2017/01/23/presidential-memorandum-regarding-hiring-freeze.
33See “Implementation of Civilian Workforce Hiring Freeze,” https://www.defense.gov/Portals/1/Documents/pubs/OSD000999-17-RES-Final.pdf.
34See “Presidential Memorandum Regarding the Hiring Freeze,” https://www.whitehouse.gov/the-press-office/2017/01/23/presidential-memorandum-regarding-hiring-freeze.