Risky Business: A Closer Look at the May 2017 Cybersecurity Executive Order & Its Effects on Business

By Pritika Ramesh

On May 11, 2017, President Trump signed an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure[1] (“EO”). In the wake of recent cyber-attacks, such as WannaCry[2], cybersecurity vulnerability and risk management is essential to data security and privacy across the world.[3] The new EO is a step in the right direction because it forces key public sector agencies, and certain private sector companies, to turn their attention to better cybersecurity practices.[4] Nonetheless, understanding how these new regulations will impact business and legal transactions through compliance is important for legal practitioners in both the public and private sectors.

The EO is broken up into three sections: (1) Cybersecurity of Federal Networks, (2) Cybersecurity of Critical Infrastructure, and (3) Cybersecurity for the Nation.[5] The first section places responsibility for compliance with appropriate cybersecurity risk management measures at the heads of executive departments and agencies.[6] It also promotes the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework.[7] Additionally, the EO required the heads of the public sector departments and agencies to submit their reports on risk management and anticipated budget allocations for cybersecurity by August 11, 2017.[8] Following these submissions, a more comprehensive plan of action for cybersecurity risk management is likely to emerge. The second section of the EO outlines the tasks associated with cybersecurity risk management for certain public and private sector companies, specifically strategies for “critical infrastructure” entities.[9] Reporting requirements for critical infrastructure entities have been added to the EO to help determine how federal resources could better support entities’ cybersecurity risk management.[10] Finally, the third section addresses the executive branch’s policy goals for the future, including the implementation of an open and secure internet, cooperative international cybersecurity strategies, and the empowerment of the nation’s cybersecurity workforce through new standard curricula and training programs.[11]

Justin Callaway, Assistant General Counsel for Tenable, Inc.[12] (“Tenable”), deals daily with clients looking to minimize their cybersecurity vulnerabilities and better manage risk. Callaway’s prior experience in software license, service negotiations, and compliance[13], combined with his current responsibilities, all offer him a unique perspective on the requirements set forth in the EO and the potential practical effects it has on business from a legal standpoint.

According to Callaway, one of the best things the EO does is bring the topic of cybersecurity to the forefront of the departments and agencies of the federal government affected by this.[14] However, since the field of cybersecurity is constantly evolving, the EO does not lay out a clear path for entities to ensure they are in compliance with “appropriate” cybersecurity standards.[15]

For example, Callaway explained that the NIST framework referred to in the EO[16] is a guideline for industry standards that offers a “best practices” approach to cybersecurity, but that it may not necessarily be enforceable with certainty because it is so broad.[17] With this lack of clarity and direction, Callaway believes the future of cybersecurity risk management is dependent on entities allocating large budgets to assess and address vulnerabilities specific to the entity.[18]

Parties in a negotiation should look at the practical effects of the EO on the cybersecurity industry to evaluate risk allocation in a contract with a fresh perspective. Callaway explains that it is important for attorneys involved in these discussions to learn about the services provided by the cybersecurity risk management company before entering into any negotiations. By understanding the type of services provided in the transaction, it is easier to assess which party should ultimately bear the risk associated with implementing a security solution.[19] This risk assessment allows for a more practical negotiation as opposed to both parties trying to pass off all the risk to the other.[20] He explains this requires more lawyers to be more tech savvy and understand what information is actually coming in contact with the vendor and what practices the vendor has in effect to protect that flow of information.[21] This will become increasingly important, as he has observed that negotiations are becoming more of a hybrid conversation between technical information and legal concepts.[22] Moreover, while case law is still evolving on topics of cybersecurity, Callaway explained that it is more important for lawyers to include provisions in their negotiated agreements that limit liability and disclaim against warranties.[23]

 

[1] See Donald J. Trump, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, The White House (May 11, 2017), https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.

[2] See generally Ian Sherr, WannaCry ransomware: Everything you need to know, CNet (May 19, 2017, 12:29 PM PDT), https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/ (explaining the effects of the WannaCry cyber-attack in 2016 after a vulnerability uncovered by the National Security Agency was released by hackers to lock out users from their computers with the threat of losing all data unless a ransom was paid).

[3] See Brian E. Finch & Aimee P. Ghosh, Executive Order on Cybersecurity: Considerations for Business, Pillsbury Winthrop Shaw Pittman LLP (May 31, 2017), https://www.pillsburylaw.com/en/news-and-insights/executive-order-cybersecurity-business.html.

[4] See id.

[5] See Donald J. Trump, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, The White House (May 11, 2017), https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.

[6] See id.

[7] Nat’l Inst. of Standards and Tech., Framework for Improving Critical Infrastructure Cybersecurity (2014).

[8] See Donald J. Trump, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, The White House (May 11, 2017), https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.

[9] See id.; see also Barack Obama, Executive Order – Improving Critical Infrastructure Cybersecurity, The White House (Feb. 12, 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity (defining “critical infrastructure” as entities “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security”).

[10] See Brian E. Finch & Aimee P. Ghosh, Executive Order on Cybersecurity: Considerations for Business, Pillsbury Winthrop Shaw Pittman LLP (May 31, 2017), https://www.pillsburylaw.com/en/news-and-insights/executive-order-cybersecurity-business.html.

[11] See Donald J. Trump, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, The White House (May 11, 2017), https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.

[12] See generally Tenable Delivers Record Results in Q2 and the First Half of 2017, Tenable (July 24, 2017), http://www.tenable.com/press-releases/tenable-delivers-record-results-in-q2-and-the-first-half-of-2017 (showcasing Tenable’s growth in 2017 and branding Tenable as the Cyber Exposure company).

[13] Interview with Justin Callaway, Assistant General Counsel, Tenable, Inc., in Columbia, Md. (July 28, 2017).

[14] Id. (explaining Callaway primarily deals with software license and service negotiations, as well as compliance issues, but he has previously worked for government contractors, which gives him a better understanding of how the government procures business and how prominent vendors and partners expect to do business with the government).

[15] Id.

[16] Id.

[17] See id.

[18] Interview with Justin Callaway, Assistant General Counsel, Tenable, Inc., in Columbia, Md. (July 28, 2017).

[19] Id.

[20] Id.

[21] Id.

[22] Id.

[23] Id.

Leave a Reply

Your email address will not be published. Required fields are marked *