The Trump Administration has taken office at a time when cybersecurity has increasingly entered the public consciousness as a major challenge facing both the United States government and the business community. Cyberattacks from both criminal and state actors have bedeviled businesses and roiled politics over the past year. Against this backdrop, the administration has professed a strong commitment to cybersecurity, for instance designating former New York City Mayor Rudy Giuliani as a high-profile cybersecurity liaison to the private sector, and drafting an early Executive Order on cybersecurity in federal agencies. However, the administration has remained characteristically reluctant to advance a concrete cybersecurity and data privacy agenda, remaining far vaguer on the issue than the prior Obama and Bush Administrations. Immediate attention to cybersecurity has also seemingly been placed on hold as the Administration focuses on defending its Executive Orders on immigration and refugee policy both legally and politically. There are thus relatively few early indications as to how the Trump Administration will approach the significant cybersecurity challenges that the government will need to address both in terms of protecting itself and regulating the private sector.
An immediate and crucial challenge, of course, is improving the cybersecurity infrastructure of the federal government itself and its ability to defend critical national infrastructure — for instance in energy, telecommunications, and transportation. In 2015, a high-profile attack on the Office of Personnel Management, believed to have been perpetrated by the Chinese government, resulted in the theft of vast amounts of background-check data and digital images of federal employee fingerprints. Although this attack and other agency breaches “have highlighted some vulnerabilities that have been addressed, others remain outstanding,” as former Department of Defense Director for Plans and Operations for Cyber Policy Michael Sulmeyer recently told Law360. A report prepared by the Center for Strategic and International Studies (CSIS) has recommended making the protection of civilian agency networks one of the key elements of the Department of Homeland Security’s (DHS’) cyber mission. This would include DHS working with the National Security Council, the Office of Management and Budget, and the General Services Administration, and extending its success with the Continuous Diagnostics and Mitigation (CDM) program.
Indications are that the Trump Administration plans to begin addressing federal government cybersecurity issues in an early Executive Order. This order, however, has seemingly been delayed due to the Administration’s focus on its ongoing battle over immigration. What is believed to be the most recent draft of the Order appears to have changed considerably from more aggressive earlier drafts, promoting continuity with and improvement upon the cybersecurity initiatives of the Obama Administration. It aligns with certain recommendations of the CSIS report, requiring agency heads to utilize the National Institute of Standards and Technology’s (NIST’s) Framework for Improving Critical Infrastructure Cybersecurity to manage agency cyber risk and instructing them to “show preference in their procurement for shared IT services to the extent permitted by law, including email, cloud, and cybersecurity services.” These indications of continuity are, however, called into question by the removal from his position of Cory Louie, the Chief Information Security Officer for the White House’s Executive Office of the President, under somewhat unclear circumstances. And of course, the veritable live-leaking of updated drafts of Executive Orders raises concerns about the ability of the new Administration itself to successfully implement needed cybersecurity improvements within the federal government.
Private sector data privacy and cybersecurity is another area in which the new Administration will have the opportunity to make its mark. The CSIS report recommends a number of initiatives to promote the development of clearer data privacy and security standards in the private sector. These include directing NIST to develop a set of recommended data privacy standards and practices, amending the Federal Trade Commission (FTC) Act to establish a Division of Data Protection, and working with Congress and state agencies to harmonize breach responses across states with the ultimate goal of passing a national data breach law and developing a regulatory framework under FTC authority. Outside of the protection of individual information, the report also encourages the Trump Administration to work with NIST and the private sector to develop security standards and principles for the Internet of Things, and to create a clearinghouse for entities that have experienced cyberattacks to share information anonymously and without fear of liability.
The prospects for major cybersecurity and data privacy legislation at this juncture are difficult to assess, though President Obama was able to preside over the passage of the Cybersecurity Information Sharing Act of 2015 through a much more hostile Congress than the one currently faced by President Trump. Significant regulatory action within executive branch agencies may be hamstrung by the Administration’s January 30, 2017 Executive Order mandating the offset of new regulations. Regulations pertaining to cybersecurity could, in theory, be exempted from the Executive Order under Section 4(a), which excludes “regulations issued with respect to a military, national security, or foreign affairs function of the United States,” though this would be a strained reading. Notably, according to February 2, 2017 guidance from the Office of Information and Regulatory Affairs (OIRA) interpreting the Executive Order, independent agencies such as the FTC are exempt. However, the Trump Administration’s general wariness of regulations is likely to influence independent agencies as well.
Beyond improving regulation of data privacy and cybersecurity in the private sector, some have urged the Trump Administration to address two of the major underlying challenges facing American cybersecurity—a lack of broad, everyday societal awareness of cybersecurity’s importance, and a dearth of trained cybersecurity experts. A report developed by the Center for Long Term Cybersecurity at the University of California-Berkeley encourages the Administration to launch a cybersecurity public awareness campaign similar to previous campaigns promoting seatbelts and opposing smoking. The same report also suggests promoting expertise in cybersecurity by forgiving or deferring student loans for cybersecurity professionals. Finally, both the UC-Berkeley report and the CSIS report urge the Administration to make it easier for foreign-born cybersecurity professionals to work in the United States, for instance by establishing a new visa category allocating 25,000 visas for foreign cybersecurity professionals or computer scientists to work at companies building cybersecurity products. Given the Administration’s immigration priorities, implementation of this last proposal seems unlikely.
The wide variety of policy proposals available to the Trump Administration underscores the fact that the Administration is beginning at a time of considerable cyber peril to the United States government and businesses, and a growing public awareness of these risks. Cybersecurity should be a priority for the new Administration, as building on the considerable but insufficient progress made by the Obama Administration in this area is a necessary endeavor. Although the Trump Administration has verbally expressed its commitment to cybersecurity, it has been vague about what it intends to do, and early signals have been mixed. It remains to be seen how an administration highly skeptical of active government regulation in many areas will contend with a problem that, because of its scope, likely requires the federal government to take a leading role.