The trends of Trump’s Cyber Regulation

Digital Compliance

Posted on

On January 31, 2017, President Trump postponed the signature of the Executive Order on cybersecurity, which was expected to lay the groundwork of the United States’ efforts to fight cyber threats in the coming years.

The presidential race was marked by a strong emphasis on cybersecurity. The topic, considered during the campaigns as “one of the most important challenges the next president is going to face” (Hilary Clinton, Derry, New Hampshire, February 3, 2016) and “an immediate and top priority,” (Donald Trump, Herndon, Virginia, October 3, 2016) was on the agendas of both final candidates, who expressed a strong willingness to better protect the country’s “cyberspace.” Furthermore, the leakages from various political organizations during the electoral process highlighted the weaknesses of the society against cyber threats.

 

U.S. critical infrastructure sectors, such as financial services, transportation systems, and energy, will inevitably have a role to play.

The cyber community is now eager to see the new government’s cybersecurity plan. In addition to federal agencies, private institutions that are heavily involved in U.S. critical infrastructure sectors, such as financial services, transportation systems, and energy, will inevitably have a role to play.

Significant efforts have been made to increase cybersecurity in the U.S. and abroad. A common trend is to improve protection of what is generally called critical infrastructure. To that end, the previous U.S. administration launched several governmental initiatives, including the development of the Framework for Improving Critical Infrastructure Cybersecurity by NIST (“NIST Cybersecurity Framework”). The framework is used worldwide aside major standards and is now being updated. In 2016, the Cybersecurity National Action Plan (CNAP), planned to increase the country’s Federal budget for cybersecurity to $19 billion in 2017. In Europe, the Directive on Security of Network and Information Systems (“NIS Directive”) requires Member States to adopt and publish sufficient laws and regulations to protect essential services. This is a global trend which is already visible in many countries such as France with the LPM law and China through the recently enacted Cybersecurity Law. Even international organizations such as NATO are promoting critical infrastructure cybersecurity protection.

Will President Trump focus the country’s cybersecurity program on critical infrastructure?

The two draft Executive Orders released show the new administration is seriously considering the issue.

The first draft Executive Order Strengthening U.S. Cyber Security and Capabilities suggests President Trump will order an extensive review of the country’s weaknesses, strengths, and enemies within an aggressive timeline. The previous administration initiated similar effort less than a month after taking office in 2009, resulting in the rather theoretical Cyberspace Policy Review.

This draft focuses on the following initiatives:

  • Vulnerabilities – Review most critical cyber vulnerabilities and submit a list of initial recommendations for enhanced protection of national security systems and most critical infrastructure;
  • Adversaries – Review principal cyber adversaries and submit a first report on their identities, capabilities, and vulnerabilities;
  • Capabilities – Review relevant cyber capabilities and identify an initial set needing improvements to adequately protect critical infrastructure; review efforts to educate and train the cyber workforce and make recommendations for the future;
  • Incentives – Propose options to incentivize private sector adoption of effective cybersecurity measures and submit recommendations.

 

Leveraging incentives reduces the immediate need for additional regulation or legislation.

While the review of vulnerabilities, adversaries, and capabilities is consistent with actions taken by foreign governments, a more original approach may be taken to ensure adoption of cybersecurity measures by the private sector. Indeed, the focus on Leveraging incentives reduces the immediate need for additional regulation or legislation, which echoes well President Trump’s “Two-for-One” Regulation Executive Order. On the contrary, in Europe, the NIS Directive calls for “effective, proportionate, and dissuasive penalties” to ensure requirements are fulfilled.

Based on currently available information, it is difficult to discern how and to what extent the government would be able to fully execute these initiatives, as they are relatively sweeping in scope. However, the assessment of tangible vulnerabilities and adversaries may indicate a willingness to focus on launching concrete actions.

The second draft Executive Order Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is similarly ambitious, ordering the government to produce no less than 11 reports and requiring the involvement of the whole executive branch of the Federal Government and critical infrastructure actors.

This draft retains the initiatives on vulnerabilities and capabilities from the first draft, but the scopes are quite different. It suggests more stringent effort will be made on the protection of executive branch and less on critical infrastructure. Among other things, the government here aims to:

The initiatives described in the two drafts are aligned with general market practices and are headed in the right direction.

Overall, the initiatives described in the two drafts are aligned with general market practices and are headed in the right direction. However, some uncertainty remains on a number of topics such as privacy and protection of PII, and private-public collaboration. Moreover, as American technology companies that have historically stored their data in the U.S. are opening more and more data centers abroad to meet local regulatory requirements, the U.S. will have to define their own data localization requirements.

 

The challenge for the new administration is to develop unified data protection policies to drive consistent regulations

The U.S. has led the effort in defining modern cybersecurity tools such as the NIST Cybersecurity Framework and the FFIEC Cybersecurity Assessment Tool but now needs to focus on execution. The challenge for the new administration is to develop unified data protection policies to drive consistent regulations, and move from a theoretical approach to concrete results.

If we are to expect actual results, the effort should enable a country-wide response that is transversal and coordinated, with sufficient oversight. Putting in charge a single agency, as announced by White House officials moments before the President’s signature was called off, may well be a first step in that direction. The new administration will have to define clear roles and responsibilities between the public and private sectors, a governance for collaboration, and a strategy to drive implementation.

Beyond this transformation, the upcoming challenge will be on the collaboration with other countries to align with foreign initiatives with a NATO-like approach, with the objective to drive harmonization of standards and requirements for a more efficient approach to cybersecurity. Stakes and expectations are higher than ever.