After years of abortive attempts by Congress to enact comprehensive cybersecurity legislation, the President took matters into his own hands on February 12, signing an Executive Order, Improving Critical Infrastructure Cybersecurity. Identifying the cyber threat as “one of the most serious national security challenges we must confront,” this Order, along with its contemporaneous Presidential Policy Directive, lays out the policy goals for the President’s cybersecurity program, as well as some specific initiatives.

Overview. The Order is long on plans for coordinating government cyber efforts, but it is short on concrete details for just how to implement such a unified whole-of-government approach. The specifics in the eight-page document include two major initiatives relating to information sharing and cybersecurity standards.

Information Sharing. The Order lays out the goals and requirements for information sharing on cyber threats. Within 120 days, the Order provides: (1) the Secretary of Homeland Security(“the Secretary”), the Director of National Intelligence (“DNI”), and the Attorney General (“AG”) shall issue instructions on producing unclassified reports of cyber threats to specifically targeted entities; (2) the Secretary, the DNI, and the AG shall include in these instructions a process for disseminating classified reports to those entities authorized to receive such information; and (3) the Secretary, in coordination with the Secretary of Defense, shall establish a voluntary information-sharing network called the “Enhanced Cybersecurity Services Program,” which will provide classified threat information to eligible companies.

Cybersecurity Standards. The Order also requires the Secretary of Commerce to direct the Director of the National Institute of Standards and Technology (“NIST”) to develop a set of standards and processes, incorporating “voluntary consensus standards and industry best practices to the fullest extent possible,” to address cyber risks. The Order designates this set of standards as the “Baseline Framework.” In addition, the Secretary must establish a Voluntary Critical Infrastructure Cybersecurity Program, using the Baseline Framework as the foundation for entry into the program. The Order directs the Secretary to establish a set of incentives for private companies to enter into the Program, noting that some of the preferred incentives may require legislation. Finally, the Order directs the Federal Acquisition Regulatory Council to develop recommendations on “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration,” thus signaling a likely push for new cybersecurity acquisition regulations for government contractors and the private sector.

No Safe Harbors. The Order is almost as notable for what it lacks as for what it includes. The executive branch lacks the legal authority to indemnify companies that meet certain minimum security standards or to exempt from FOIA any information shared by private entities. These steps will be vital to ensure private sector cooperation and buy-in to the federal government’s cybersecurity plans.

The Future. In his State of the Union address, the President underscored the continuing need for cyber legislation, concluding that “Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.” Until Congress acts, questions will remain on just what sort of public-private partnership can exist without protections for participating private entities.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kate Growley Kate Growley

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations…

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.

Read more about Kate Growley
Show more Show less
Related Posts
The Three C’s to Mitigate Preservation Risks in a Remote Work Environment (Collaboration, Communication, and Compliance)
July 21, 2020
How to Limit Litigation Risk from the Increased Use of Chat Programs During the COVID-19 Pandemic
June 12, 2020
Court Rules Personal Privacy Interests May Impact Scope of Discovery for Text Messages
March 18, 2020