Cyber Reports Directed by the 2017 Executive Order on Cybersecurity Are Rolling In
June 5, 2018
The President’s May 11, 2017 Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” required a number of reports and assessments to be submitted by government agencies. A year later, several key reports have been released in full or in summary form—many, like the Botnet Report, being churned out in May. Below we provide a high-level overview of some of the major reports, which could alter how the U.S. government handles cybersecurity issues and raise expectations for the private sector.
- International Engagement and Deterrence Reports: The State Department released summaries of two reports that may alter how the U.S. government handles international engagement and state sponsored adversaries. First, in Recommendations to the President on Protecting American Cyber Interests through International Engagement, the State Department outlines a strategy that “advances the goal of strengthening coordinated U.S. government cooperation with foreign partners and allies to address shared threats in cyberspace, thereby improving the cybersecurity of the nation. It describes the United States’ priority policies, five primary objectives and corresponding actions, and three principal means of engagement to ensure continued benefits and minimized risks in cyberspace.” Second, in Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber Threats, the State Department “suggests a new U.S. vision to help guide efforts to deter adversaries and better protect the American people from cyber threats and recommends follow-on work aimed at advancing these efforts; the following unclassified overview touches on these efforts in brief, which have been ongoing.”
- Transparency in the Marketplace Report: The Commerce Department (“Commerce”) and Department of Homeland Security (“DHS”) were tasked with developing supporting transparency related to cybersecurity matters in the marketplace, specifically for publicly traded critical infrastructure entities. The summary of the report on Supporting Transparency in the Marketplace, which was released this May, (1) identifies existing federal policies and practices; and (2) identifies and reviews third-party evaluations of transparency practices and systems from independent sources. DHS notes that due to the short timeframe for the report, there was “limited private industry engagement.” The report also makes suggestions for further research and policy considerations.
- Botnet Report: The highly-anticipated Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (“Botnet Report”) released by Commerce and DHS in May aims to combat botnets by focusing on six principle themes and five goals. Each goal includes several action items, with a heavy emphasis on private sector activity and accountability. The Botnet Report includes a section on next steps for stakeholder action, which calls for the development of a road map with government, industry, civil society, and international partner coordination, and a “status update that will evaluate the level of progress made by stakeholders in countering automated, distributed threats.” We discussed the actions called for in the Botnet Report in more detail here.
- Cyber Workforce Report: DHS and Commerce also issued Supporting the Growth and Sustainment of the Nation's Cybersecurity Workforce: Building the Foundation for a More Secure American Future. This report assesses the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, finding that the U.S. “needs immediate and sustained improvements in its cybersecurity workforce situation.” Key recommendations include increased focused on developing the American cybersecurity workforce with greater collaboration between the public and private sectors.
- Section 9 Report: DHS released a summary of Support to Critical Infrastructure at Greatest Risk (“Section 9 Report”) Summary, which it prepared in consultation with the Departments of Defense, Justice, and others. The report focuses on supporting critical infrastructure at greatest risks. It sets forth several findings and recommendations for better supporting these Section 9 entities relating to cyber risk management.
- Federal Risk Report: Also in May, the Office of Management and Budget published a Federal Cybersecurity Risk Determination Report and Action Plan, which reviews cybersecurity risk management capabilities across federal agencies. It finds nearly three-quarters of the 96 participating agencies are “At Risk” or “High Risk” regarding their ability to detect and respond to cyber attacks.
- Electricity Report: In another report called for by the Executive Order, the Department of Energy and DHS identified (1) “known capability gaps” in critical infrastructure sectors’ ability to respond to cyber incidents; and (2) propose “recommendations to address major gaps and accelerate the adoption of cybersecurity measures in the electricity subsector.” The report, Section 2(e): Assessment of Electricity Disruption Incident Response Capabilities, is dated in 2017 but was posted to agency websites on May 30, 2018.
These latest initiatives have significant implications for many stakeholders. For private industry, this includes network owners and operators, software designers, cloud computing companies, hardware and device manufactures, and others. These reports amplify calls for more public-private partnerships, sustained engagement, possible certification or standards regimes, supply chain and procurement mandates, the possibility of regulation, and greater international coordination.