United States: Cybersecurity And The New Trump Administration: Your Top Ten Questions Answered

Introduction

Since President Trump's inauguration, cybersecurity has been in the news almost daily – often on the front page. The U.S. Government is facing a wide array of challenges in cybersecurity, impacting both domestic and foreign policy, at the same time that many companies find themselves under attack. Although many of these issues preceded the election of President Trump, the Yahoo! data breach, the widespread allegations of hacking into Democratic National Committee emails (perhaps by a foreign government), and the ongoing congressional investigations into these incidents continue to keep cybersecurity concerns at the forefront of regulatory attention.

President Trump has made it clear that cybersecurity is high on his agenda. Throughout his presidential campaign, President Trump often discussed the importance of cybersecurity, and he has carried that message into his administration. President Trump has also repeatedly stated his view that the United States is not doing enough to improve its cybersecurity defenses in a way that is commensurate to the threats it faces.

It appears the initial approach of the Trump Administration will be to build on the work done under the Obama Administration, so a certain measure of continuity should be expected. But as the Trump Administration moves forward, we expect to see an aggressive effort to have Congress approve a robust budget increase for cybersecurity. Indeed, due to the near-universal agreement of Congress that the United States needs to be doing more on cybersecurity issues, cybersecurity initiatives should provide the Trump Administration with an ability to achieve impactful bipartisan legislation, despite an increasingly partisan environment in Washington.

Given the scope of the cybersecurity challenges, there are a variety of approaches the Trump Administration could take, many of which would have a substantial impact on the private sector. To help deal with this uncertainty, this client alert answers your "Top Ten" questions regarding cybersecurity and the Trump Administration, with a focus on (1) U.S. Government challenges, (2) cyber threats from abroad, and (3) concrete steps companies should undertake to prepare for the new administration. The goal is to provide in-depth insight into cybersecurity trends and developments over the next four years and to give practical advice for businesses in responding to those trends and developments.

This client alert is part of a series of "Top Ten" articles on the future of key international trade and regulatory issues expected to change under the Trump administration. Previously issued client alerts discuss the future of NAFTA1, U.S. Customs and Border Protection2, international trade litigation (including antidumping and countervailing duty actions) under the Trump Administration3, the future of the CFIUS review process4, and likely developments impacting white collar enforcement5. Future client alerts will deal comprehensively with all international trade and regulatory areas where significant change could occur under the new administration, including with regard to export controls, OFAC sanctions, and the FCPA.

1. Who is running the Trump Administration cybersecurity team?

President Trump largely has looked outside of government to build his cybersecurity team, but some key members have experience in a previous administration or the military. Combining team members possessing government experience with private-sector outsiders makes for an interesting team. It remains to be seen whether this mix will serve to cross-fertilize public- and private-sector best practices or become a roadblock to true cooperation.

More specifically:

  • Thomas Bossert will serve as Assistant to the President for Homeland Security and Counterterrorism. In this role, Mr. Bossert will be the senior White House official on cybersecurity issues. Mr. Bossert is a former cybersecurity aide to President George W. Bush. He has advocated for presidential power in cyber warfare and argued that the president can deploy U.S. cyber forces in military action without notifying Congress.
  • Former New York Mayor Rudy Giuliani is leading the current task force on cybersecurity issues, set to report back to President Trump by the end of April. Mayor Giuliani currently runs a private-sector cybersecurity consulting firm and has stated that the focus of this task force is to improve the cyber-defense posture of the federal government. It is unclear what role Mayor Giuliani will play after the task force has reported back to President Trump.
  • Joshua Steinman will be taking on the role of NSC cybersecurity coordinator, a role that was held by Michael Daniel in the Obama Administration. Mr. Steinman is an executive with the cybersecurity firm ThinAir and is also a Navy Reserve officer who has worked for the Department of Defense in Silicon Valley.
  • Chris Liddell will serve as the Director of Strategic Initiatives. Mr. Liddell was formerly the CFO of Microsoft and General Motors. The Trump Administration has stated that Mr. Liddell will oversee a series of task forces to focus on systemwide improvement to the performance of the government.
  • Reed Cordish will serve as the Assistant to the President for Intergovernmental and Technology Initiatives. Mr. Cordish has no government experience, as his background is in real estate and entertainment. Government officials speculate that Mr. Cordish will focus on modernizing the manner in which various agencies share cybersecurity information.

This mix of government and nongovernment cybersecurity team members reflects President Trump's desire to bring more private-sector experience into the government. This is not only a matter of private-sector perspective but also reflects the importance of public-private partnerships. In cybersecurity, public-private partnerships are particularly important because cybersecurity issues arise in both sectors, which is why they were a substantial focus of the Obama Administration. With this cybersecurity team, it appears President Trump is looking to build on the Obama Administration's collaborative approach. This would be a welcome development for many U.S. companies, which will be looking for practical approaches to stave off cyber attacks, rather than for costly fines and penalties as punishments for cybersecurity failures.

2. What has President Trump promised?

The Trump Administration has promised to make cybersecurity a top priority and to improve America's defense against attacks on critical infrastructure (industries such as financial services, utilities, food and agriculture, emergency services, health care, etc.) and government data. This is shown by President Trump's "Contract with America," where he promised he would work with Congress to pass a "Restoring National Security Act" that would, among other things, "protect our vital infrastructure from cyber attack."6 Given this focus, it is not surprising that one of the initial actions President Trump has tried to advance is a cybersecurity executive order. But after preparing for its release in the first week of the Administration, the executive order was subsequently revised and currently is being reviewed inside the Trump Administration. We discuss a leaked, presumably authentic, version of the executive order below.

We believe the delay in a cybersecurity executive order is likely due to the desire to ensure an effective rollout of the order, rather than signaling any kind of backing off from the basic need to focus on cybersecurity. (The initial-draft executive order was being considered when the executive order on travel to the United States was challenged.) Based on the president's prior statements on cybersecurity, we expect the Trump Administration will soon pivot back to cybersecurity, perhaps with a refined executive order starting the process.

In what we view to be a pro-business move, it is our expectation that the president will rely on the use of "carrots" to help corporate America raise its cyber capabilities, as opposed to penalties to punish breaches. By contrast, on the foreign side, we expect President Trump to use more "sticks" when dealing with international state and non-state actors who attack the American government and critical infrastructure, or who use cyber intrusions to steal intellectual property from U.S. companies. These could take the form of the use of existing OFAC sanctions on persons who use cyber attacks, or perhaps more aggressive measures that could be developed as part of an ongoing review of the U.S. Government's cyber defenses.

In this regard, one of the first actions President Trump has taken, as promised, is to review the Government's cyber defenses – Mayor Giuliani is leading the task force on this issue. This was anticipated, as during the first presidential debate President Trump stated that the U.S. Government needed to get "very, very tough on cyber and cyberwarfare"7 while calling for the creation of a joint public-private team of experts to analyze U.S. Government cybersecurity protections. President Trump has also stated that he will hold his cabinet secretaries and agency heads directly accountable for the cybersecurity of their organization. Does this mean President Trump would fire a cabinet secretary over an agency-level cyber breach? Perhaps. President Trump has also said that the American military must have the deterrent ability to conduct "crippling cyber counterattacks" on our adversaries. Although the U.S. Government long has held this capability, it has been reluctant to use it, in part because it is believed that doing so gives away the scope and capabilities of the United States in this area.

As a general principle, we expect – at least at the outset – that the cybersecurity response of the Trump Administration will be similar to that of the Obama Administration, albeit perhaps paired with more aggressive remarks out of the new administration. Beyond that, further developments will depend on the results of the ongoing cybersecurity review and the postures of the full team of government officials who will have a hand in cybersecurity policy.

To the extent there are early indications regarding the posture of the new administration, the best place to read the tea leaves is in the leaked revised executive order from February 9, 2017, which as of this writing has not been signed by the president.8 An important element of the leaked executive order calls for agencies to use shared information technology and cybersecurity services whenever possible. IT consolidation and shared services fall in line with President Trump's general promise to deliver lower costs for the government, making it likely the Trump Administration will try to push for consolidation. The draft executive order also calls for a White House task force, led by advisor Reed Cordish, to determine how the entire executive branch can be moved into a single IT infrastructure. This would be a massive federal undertaking, given all of the legacy systems at the departments and agencies, and many would argue it is overdue just from an ease-of-communication perspective. Such an endeavor would cost billions of dollars and take years to complete. Nevertheless, the fact that the Trump Administration is considering such a vast undertaking is a significant signal that they intend to try to avoid some of the major breaches (such as the OMB data breach) faced by the Obama Administration.

3. How will the Trump Administration change the current cybersecurity regulatory environment?

When attempting to predict legislative and regulatory action in this area, one must consider President Trump's stated dislike of regulation in light of his pledge to strengthen the nation's cybersecurity. President Trump has signed an executive order that requires two regulations to be eliminated before any single new regulation is passed.9 Thus, the administration can keep regulations consistent with its goals while making it harder for agencies to pass new ones. We believe that, at a minimum, agencies will look for obscure and largely meaningless regulations for repeal, enabling the Trump Administration to enact preferred regulations. Regardless, we do not believe that this regulatory initiative will be any barrier to the passage of new regulations in an area identified as a priority by the president himself.

In the short term, we do not see any immediate change to the current slate of cybersecurity regulations, including those passed in the last year of the Obama Administration, which supported cybersecurity regulation in key sectors through the SEC, FTC, and FCC. Unlike other policy areas, it appears more likely that President Trump will build on the cybersecurity regulations used by the Obama Administration, not remove them. For example, the SEC, through its Cybersecurity Examination Initiative, assessed cybersecurity preparedness in the securities industry, including vulnerability assessments, access rights and controls, and incident response ability.10 While President Trump seems likely to push for relaxed regulations on the financial sector in general, when it comes to cybersecurity preparedness, it is unlikely he will want the financial sector to do less than it is doing now. Further, the negative publicity that would follow a cyberattack on the industry after any easing of the requirements would shift the focus for any breaches from the companies to the administration. The desire to avoid such publicity, the financial sector's importance to the economy, and the fact that the industry by and large is dealing with these regulations rather than protesting them make it likely the regulatory status quo will remain.

The FTC has emerged as one of the key regulators in the cybersecurity area. Although President Trump has assailed regulatory overreach, we do not believe he will try to restrict the FTC's ability to enforce penalties for data breaches. After the Wyndham decision,11 the FTC used its authority to regulate cybersecurity to bring suits against other companies for lack of data security. Since the courts have already ruled in Wyndham that the FTC has the power to regulate in this area, President Trump has little incentive to restrict the "stick" that the FTC wields to improve cybersecurity.

An additional regulation to look out for is the banking sector rulemaking involving the Federal Reserve, Treasury, and FDIC – the Enhanced Cyber Risk Management Standards. These standards, which will cover everything from board governance and cyber risk management to daily operations, will come up for the Trump Administration's consideration in early 2017. Because of President Trump's executive order on regulations, the Trump Administration will not be able to accept these new standards without revoking other regulations.

4. What new incentives could be proposed to promote the protection of critical infrastructure?

As previously observed, if the Trump Administration decides to reassess existing cybersecurity regulations, government-directed incentives could help ease the financial and legal burdens faced by critical infrastructure companies. These incentives could benefit the private sector by assisting it with upgrades to cybersecurity defenses. The Obama Administration proposed what these incentives would look like pursuant to Executive Order 13636, "Improving Critical Infrastructure Cybersecurity." EO 13636 was issued because of repeated cyber intrusions into American critical infrastructure and the shared interest of the government and the private sector in preventing further intrusions. None of the incentives was ever adopted.

To reduce the cost for critical infrastructure operators to comply, EO 13636 called for a proposal for incentives to influence markets and increase the adoption of improved cybersecurity practices.12 These incentives are tied to companies complying with the Cybersecurity Framework that the National Institute of Standards and Technology (NIST) developed, as directed in the executive order. The Cybersecurity Framework is intended to establish a path forward for how to reduce cybersecurity risks to critical infrastructure. Specifically, the Cybersecurity Framework was intended to "provide a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks."13

Restarting this approach could appeal to the Trump Administration. While most of the incentives would require congressional action, the incentives are not partisan in nature and could potentially be approved through the current Congress.

In particular, it would not be difficult for the Trump Administration to adopt incentives as drafted in the DHS Incentives Study and to promote them.14 According to the DHS Incentives Study, the most straightforward way for the government to incentivize new investment in cybersecurity products and services is to create a new federal grant program.15 While grant programs in many areas could be subject to cuts under President Trump, cybersecurity may be an area where the Trump Administration is willing to invest and a grant program may be adopted. Such a program could reduce the costs of the duplicative development of cybersecurity measures, allow the rapid sharing of cybersecurity advances, and allow smaller companies to implement cybersecurity measures that otherwise would be beyond their financial reach. The DHS Incentives Study also proposes liability protection for companies that adopt the Cybersecurity Framework and also purchase cyber insurance.16 If the Trump Administration persuades Congress to limit the penalties that could be sought against companies that meet those standards, it could help U.S. companies take an important step in their cybersecurity protection. Given President Trump's pro-business background, a limited liability incentive may be an approach in which he would see real value.

Further incentives proposed in the DHS Incentives Study include allowing the federal government to prioritize the order in which government cyber response teams help companies requesting assistance, based on whether a given company has adopted the Cybersecurity Framework.17 President Trump's cyber team may like this approach, as it provides some "stick" to companies that do not comply and not just "carrots." Further potential incentives to Framework adoption could also be tied to the federal procurement process, to incentivize Framework adoption for any companies seeking to do business with the government.18 This could be seen as a particularly effective approach for creating increased cybersecurity from companies that operate with sensitive information or provide essential government services.

Additionally, the Trump Administration could look to incentivize the private sector by streamlining information security regulations by eliminating overlaps in existing laws and reconciling differences between U.S. and international law through treaties. There are a large number of actors in the cybersecurity area, and the regulatory approaches are not always uniform. Eliminating the overlap and establishing clearer lines of responsibility could lead to better regulation and enhanced security.

Beyond these items, it becomes difficult to predict the government response to the reality of daily cyber attacks on the U.S. Government and U.S. corporations. Some other items that could see some attention, however, include the following:

  • The Creation of a Public-Private Standard Setting Body. As directed in the Cybersecurity Enhancement Act of 2014, NIST coordinates industry standards for the United States critical infrastructure through the Cybersecurity Framework. The Cybersecurity Framework is voluntary, however, so the standards are not enforced by any government entity. Establishing formalized standards through regulation could happen, particularly if the number or the severity of cybersecurity incidents increases.
  • Creating Protections for the Sharing of Cyber-threat Information. Through the Cybersecurity Information Sharing Act (CISA) of 2015, Congress created a voluntary process that provided liability protection as a way to encourage public- and private-sector cyber information sharing. The Trump Administration could build on CISA and pursue mandatory requirements to compel increased cyber information sharing.
  • New Regulations Targeting Connected Devices. In November 2016, the Department of Homeland Security issued a set of Strategic Principles for Securing the Internet of Things (IoT).19 These guidelines serve as suggested best practices for IoT product developers, manufacturers, and consumers but are not legally required. Formal regulations could be forthcoming in this space. Along these lines, an FCC white paper released on January 18, 2017 has reinforced the potential need for regulators to step in, due to the rapid growth of network-connected consumer devices.20
  • Increased Back Channel and Formal Cooperation Across Borders. Due to conflicting laws regarding data privacy, cross-border data sharing to detect and deter cyber attacks is challenging. Given the multinational nature of many American corporations, there could be action from the Trump Administration to encourage more sharing of cyber threat information with other nation states where American companies operate.
  • Increased Actions at the State Level. The most recent example is in New York State, although we expect that other states will likely follow suit. Due to its role in the financial sector, New York is pursuing state-level regulations to protect the financial system. On March 1, 2017, cybersecurity regulations will go into effect that require financial services institutions regulated by the New York Department of Financial Services to maintain a cybersecurity program to protect private data and help ensure the cybersecurity of the financial services industry.21

5. What changes can we expect regarding encryption and data privacy laws?

In addition to his interest in cybersecurity, the president has also been vocal, both during the campaign and now in office, regarding the importance of the fight on terrorism. This is likely to result in efforts to increase surveillance powers. In this regard, we believe the administration may push for increased government authority to compel technology companies to include backdoors into computers, mobile devices, and applications for law enforcement to access. At a minimum, we believe the DOJ will aggressively seek legal and technological measures to obtain access to encrypted information when it is believed to be relevant to a criminal investigation.

The issue of encryption came to the forefront during the debate between Apple Inc. and the government over access to the San Bernardino shooters' iPhone. During the campaign, President Trump called for a boycott against all Apple products until Apple gave the government the access it requested. Currently, both FBI Director Comey and Attorney General Sessions have expressed support for requiring backdoors for law enforcement. Although such efforts date back to at least the 1980s, when the U.S. Government used similar arguments in the export control context to push for the creation of a decrypting key that would be available for the U.S. Government's use (with the efforts failing, and later being abandoned), the arguments may take on new resonance where concerns about terrorism are at the forefront.

Getting legislation through Congress to give law enforcement these expanded search powers will remain thorny. While the Obama Administration felt that Apple should have allowed the government to access the San Bernardino shooters' iPhone, the Obama Administration did not support the efforts to pass legislation to require it to do so. The reason for this was that the Obama Administration did not believe Congress would be able to get a bill passed because of its view that Congress was too dysfunctional to react in time. This ended up being the correct reading, as the draft legislation went nowhere. While President Trump has the advantage of Republican control of Congress, the technology industry generally opposes backdoors or the weakening of encryption protections. With some Republicans being concerned that government access to data devices could be misused, there is no guarantee the Republican caucus would take a consistent stand on the issue.

On the international front, the EU-U.S. Privacy Shield presents potentially conflicting concerns for the administration. The Privacy Shield is seen as pro-business, as it facilitates and legitimizes the flow of personal data from the EU to the U.S., thereby enhancing and benefiting commerce between the two regions. The Privacy Shield could, however, come under attack by the Trump Administration; because the Privacy Shield limits the ability of American law enforcement and intelligence to collect and store European citizens' data, President Trump may consider this an unacceptable risk to American security.

The first annual joint review of the Privacy Shield will occur in 2017. This could be an opportunity for the Trump Administration to advocate for changes. It is important to note that, contrary to some of the commentary in the media, President Trump's executive order on enhancing public safety did not invalidate any part of the Privacy Shield. But given that the Trump Administration likely will target noncitizens, it may attempt to take on certain provisions of the Privacy Shield. This possibility has already raised concerns among U.S. companies that are complying with the Privacy Shield to avoid running afoul of EU data privacy laws. European lawmakers and stakeholders opposed to the Privacy Shield, on the basis that it does not provide adequate protection to EU citizens, will be looking to use any erosion of privacy protections for non-U.S. citizens to argue against the validity of the Privacy Shield.

In the end, we believe the administration will opt for a path that does not unduly jeopardize the flow of data essential to commerce between the U.S. and the EU. With many of the largest U.S.-based multinational companies relying on being able to freely communicate with their European affiliates, there will be strong pressure from these companies to take steps to ensure that the basic operation of the Privacy Shield remains in place.

6. What actions will the Trump Administration take against states identified as tolerating or failing to extradite cyber criminals?

State-backed hackers threaten both government and private-sector systems and security. A strong response to foreign threats can provide another prong of cybersecurity for U.S. businesses. The primary methods the Trump Administration can deploy in response to states protecting bad actors include some mix of (1) indictments, (2) sanctions, and/or (3) counteroffensive cyber attacks. During his campaign, President Trump stated that he would instruct the Department of Justice to form a task force organized to "crush this still-developing area of crime."22 Given that, it is likely we will see some combination of the three above tactics to compel foreign states to arrest or extradite cyber criminals to the United States. The Obama Administration issued indictments of cyber criminals, but often those were viewed as a signaling effort intended more to communicate that the U.S. Government could identify its adversaries rather than to lead to criminal apprehension. These were the first state-based indictments and sent a powerful message, but they were never likely to lead to any arrests or extraditions.

Similar indictments could be used for more than mere signaling under the Trump Administration, which could demand that cyber criminals be extradited to the United States, invoking mutual assistance obligations that require cooperation in criminal matters. If opposed, the United States could level sanctions or even respond with offensive cyber attacks. Since President Trump has stated that "America's dominance in this arena [cybersecurity] must be unquestioned," the potential for an offensive cyber arms race with China and Russia must be considered if President Trump decides to use offensive cyber attacks against either nation.

Given that a cyber arms race would decrease global cooperation on cybersecurity issues in ways that would damage the national interest, and could have other negative impacts, it is more likely the Trump Administration would seek sanctions before launching offensive attacks against states that tolerate or refuse to extradite cyber criminals. Nonetheless, the general tone of the new administration, as well as what seems to be bolder moves by foreign interests in the realm of cyber attacks, makes such a response more likely.

Another possible escalation by the Trump Administration would be to push for what is known as private-sector "active defense." The Center for Cyber and Homeland Security (CCHS) published a recent report that could serve as the blueprint for an active defense policy.23 Pursuing a policy of active defense would mean allowing private-sector entities to take proactive actions against an attacker, including collecting intelligence by using techniques that "fall between traditional passive defense and offense." The issue the report seeks to address is that, no matter how strong the government's capabilities are, the government will never be able to defend private industry from the malicious cyber attacks against it. By allowing certain advanced private-sector entities to help defend companies in cyberspace, the government could expand the fight against cyber criminals. To ensure an orderly program of active defense, the Trump Administration would likely task the Department of Justice with publishing guidance.24 Given the economic imperatives for private-sector entities to defend themselves, and the Trump Administration's desire to be more aggressive against cyber criminals, active defense could soon be on the administration's agenda for consideration.

7. What can we expect from China, given President Trump's more aggressive approach in dealing with them?

We cannot separate progress in cybersecurity from the broader U.S.-China relationship. (The topics of the likely coming trade war with China, and the likelihood of more stringent reviews of Chinese investment in the United States, are covered in other Foley client alerts.25) For example, even though the Trump Administration has recently indicated its support for the "One China" policy, if there is an expansion of American partnership with Taiwan, this will empower hardliners in Beijing and could foster greater strategic competition, including in the area of cybersecurity. Unpredictability could lead to a "cyber cold war," as ratcheting up the rhetoric against China on issues like international trade, foreign direct investment, and territorial rights may indirectly lead to more cyber attacks/cold war-type maneuvering.

This would be a clear shift from the Obama Administration's approach to China, including its much-vaunted "pivot" to Asia. The U.S. approach to China during the Obama Administration was two-pronged: address threats from China, while cooperating on areas of mutual interest. On the threats side, the Obama Administration was direct with Chinese senior leadership about the Chinese government's role in the hacking of American companies, even going so far as to indict members of the Chinese military.26 This approach was designed to make Chinese leadership recalculate what had been a largely consequence-free domain, where Chinese leadership hid behind claims of having no knowledge of hacking. On the cooperation side, the goal was to enhance mutual understanding of one another's government cybersecurity structures, institute closer law enforcement cooperation (black markets, child pornography, phishing in the banking sector, antiterrorism), foster cooperation between computer emergency response teams (CERTs), share crisis prevention measures, and develop a reliable hotline to share threat information to stop the spread of dangerous malware.

The Trump Administration may shift the balance more to combating threats from China, with less emphasis on collaboration. This could reduce information sharing and push the two countries closer to cyber hostilities. The concern is that if either the United States or China crosses an undefined cybersecurity redline, even inadvertently, either country could use that as an opportunity to escalate tensions. Both sides may feel the need to push the limits to try to acquire sensitive information, increasing the risk of cyber attacks. In this environment, U.S. companies would not be immune, especially to the extent that they hold information of advantage to the Chinese government: patents, classified information, technical know-how, export-controlled technical data, and so forth.

While not letting its guard down, the private sector should be looking to avoid or mitigate escalating tensions between the two countries. As U.S. companies seek to balance participating in the Chinese economy and taking advantage of global economies of scale against the risks of intellectual property theft, they will likely pressure the administration to avoid cyber conflicts with China and instead to look for areas of mutual interest. In particular, after the recent Third U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues, both countries agreed to hold a U.S.-China government and technology company roundtable to discuss cybersecurity issues of mutual concern.27 This is the first time such a meeting appears likely to happen. If the Trump Administration can build on that progress, it may end up in a less radical position with China than appears to be the current path.

8. Will President Trump continue to abide and promote United Nations-proposed cyber norms and principles?

With the support of 20 nations, including the United States, China, Russia, France, the United Kingdom, and Germany, the United Nations Group of Governmental Experts (UN GGE) released a 2015 report on international cybersecurity norms.28 These norms included principles of agreement such as that states should not knowingly and intentionally damage critical infrastructure or impede another state's emergency response teams.29 The UN GGE report also states that governments should cooperate to increase stability and security in the use of information and communications technology and to respond to appropriate requests for assistance from other states whose critical infrastructure is under attack.30 The UN GGE is planning an updated report to the UN General Assembly in 2017. During the Obama Administration, the United States was supportive of the UN GGE process, and the President's International Strategy for Cyberspace was written to promote a strategic framework of international cyber stability that dovetailed with the UN GGE efforts.31

Given President Trump's stated concerns about the United Nations, it remains to be seen what U.S. engagement will be with the UN GGE. While the United States will remain a part of the group to ensure its interests are heard, it is likely that any recommendations of the UN GGE seen as tying the hands of the United States will come under close scrutiny. Yet this impetus to ignore the GGE recommendations will need to be balanced against the value of unified standards. As more nation states agree to abide by voluntary norms, the result is increased cyber stability, making conflicts between nations more manageable. The Trump Administration will have to balance its promise to show progress in protecting America's government, intellectual property, and critical infrastructure with its caution when dealing with the United Nations. Due to the benefits of consistent international cyber norms, we believe the administration will maintain a favorable position with respect to the UN GGE.

9. How will the president's hiring freeze and stated desire to cut the size of government affect the administration's ability to carry out its cybersecurity agenda?

Shortly after his inauguration, President Trump announced a hiring freeze on federal jobs.32 Subsequently, in early February, the Department of Defense released a memorandum exempting certain areas, including cybersecurity operations, particularly positions required for cybersecurity operations or planning, or for the execution of cyber and intelligence lifecycle operations, planning, and support.33 This reflects an understanding within the administration that a hiring freeze covering all of the government's cybersecurity workforce would have a demonstrably negative impact on the president's ability to carry out his cybersecurity agenda. Furthermore, to obtain a waiver, the head of any federal agency can submit a report describing the role or position to be filled and justifying the exemption on a position-by-position basis.34

We believe that as cyber personnel depart, it is imperative that the government be able to replace them, or readiness and responsiveness to incidents will decline. Exemptions to any hiring freeze are essential, as many of these positions are "critical" to the execution of cybersecurity functions. The exemption requests and rulings (to the extent they are not classified) should provide guidance on the administration's cybersecurity priorities. This process could lead to different levels of cybersecurity personnel being considered essential and exempt from any hiring freeze, depending on the role the personnel play at a given agency, the importance of cybersecurity to that agency and to its efforts to fight cyber intrusions, and variations in how agencies determine which "critical" IT and cybersecurity personnel should be exempt. While the details need to be implemented properly, the memorandum establishing exemptions is further evidence of the administration's prioritization of cybersecurity.

10. What steps do companies need to take to prepare for the changes ahead?

As discussed, there are many ways in which cybersecurity issues could arise over the next four years, and in some cases it is impossible to know in advance which issues will matter most. Nonetheless, even in this era of uncertainty, there are concrete steps that companies worried about possible cyber-intrusions should be undertaking:

  • Conducting internal compliance and risk assessments, to determine the organization's vulnerability to cyber attacks.
  • Developing and implementing corporate policies and procedures required for compliance with federal and state privacy and security laws.
  • Developing quick-response teams to handle potential cyber attacks, using preformulated decision trees and procedures so that these do not have to be developed under the fire of an ongoing attack.
  • Establishing secure data backup protocols to ensure that, even if the company is under attack, important company records are secure.
  • Establishing protocols to deal with common forms of cyber attacks (denial of service, etc.).
  • Lining up outside experts, if necessary based upon the risk profile of the company, to swing into action if company processes are overwhelmed by a cyber attack.
  • Performing periodic auditing of cybersecurity practices against industry norms, accepted best practices, and the risk profile of the organization.
  • Implementing information security best practices, reflecting them in information security policies, records retention and management policies, and in internal controls/standard operating procedures.
  • Making certain the CEO and executive leadership are properly informed about the cyber risks to the company and are involved in oversight and the decision-making process related both to cyber attacks and proactive cybersecurity measures.
  • Reviewing funding of all electronic security measures to ensure they are adequate to cover not only routine compliance measures but also to allow for proactive testing and probing of systems in light of increasingly sophisticated measures being used by hackers.
  • Collecting only the personally identifiable information from clients, customers, or company personnel that is needed for identified business needs; retaining that information only for as long as it serves those needs; and storing it in a way that minimizes its usefulness outside the organization (encryption, etc.).
  • Reviewing cybersecurity programs to ensure they apply industry standards and best practices.
  • Coordinating cyber incident response planning across the entire company.
  • Storing sensitive information securely (encrypting where appropriate) and apart from other data that does not require the same level of protection, using a layered defense approach to protect "crown jewel" information.
  • Conducting appropriate data security due diligence on third-party service providers with access to personal information and sensitive business information, and requiring them to enter into agreements that they are implementing robust data security procedures, following up to ensure these requirements are in fact implemented.
  • Assessing how the company's external access points (website, VPNs, remote access, and so forth) are configured, in order to minimize potential intrusion risk, with regular testing and probing to identify and address new risks.
  • Performing companywide training, tailored to the personnel at issue, to ensure that all electronic security measures are understood and followed.

Conclusion

While (as with any new administration) there remains some uncertainty surrounding the current administration's new policies, including in the relatively new area of cybersecurity, it does appear that the Trump Administration views public and private cybersecurity as a priority and will build on the efforts of the Obama Administration to continue to develop a coherent cybersecurity policy. Because of President Trump's very public commitment to cybersecurity, it is our view that the administration will spend both funding and political capital to improve the nation's cybersecurity. Additionally, given that most of the nation's critical infrastructure is owned by the private sector, the Trump Administration is likely to see itself as a "willing partner" to get the private sector what it needs, rather than to act as a burdensome regulator.

Want more help? Regardless of how events unfold, the types of compliance measures discussed above are a prudent investment in securing crucial company data and the ability to operate even when under constant probing by unauthorized outsiders.

* * *

The international climate for U.S.-based multinational companies and non-U.S.-based companies that sell into the United States has never been more uncertain. This client alert is the sixth of a series of alerts prepared to help companies navigate the uncertain international trade and regulatory environment. As noted in the introduction, existing "Top Ten" articles cover the future of NAFTA, International Trade (antidumping and countervailing duty) actions, U.S. Customs and Border Protection, likely changes in how the Committee of Foreign Investment in the United States (CFIUS) evaluates investment in the United States, and the future of white collar enforcement under the new administration. Future client alerts will cover the Office of Foreign Asset Controls (OFAC economic sanctions) and Export Controls, the Foreign Corrupt Practices Act, anti-money laundering, and the regulatory concerns of private equity firms.

Footnotes

1. See Gregory Husisian & Robert Huey, NAFTA and the Trump Administration: Your Top Ten Questions Answered, Foley & Lardner LLP (Dec. 1, 2016), https://www.foley.com/nafta-and-the-new-trump-administration-12-01-2016/.

2. See Gregory Husisian & Robert Huey, U.S. Customs and the Trump Administration: Your Top Ten Questions Answered, Foley & Lardner LLP (Feb. 7, 2017), https://www.foley.com/us-customs-and-the-new-trump-administration-your-top-ten-questions-answered-02-07-2017/.

3. See Gregory Husisian & Robert Huey, International Trade Litigation and the Trump Administration: Your Top Ten Questions Answered, Foley & Lardner LLP (Jan. 6, 2017), https://www.foley.com/international-trade-litigation-and-the-new-trump-administration-your-top-ten-questions-answered-01-06-2017/.

4. See Gregory Husisian, CFIUS Reviews and the Trump Administration, Your Top Ten Questions Answered, Foley & Lardner LLP (Jan. 25, 2017), https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.

5. Scott Fredericksen & Gregory Husisian, White Collar Enforcement and the New Trump Administration: Your Top Ten Questions Answered, Foley & Lardner LLP (Feb. 9, 2017), https://www.foley.com/white-collar-enforcement-and-the-new-trump-administration-your-top-ten-questions-answered-02-09-2017/.

6. See President Donald J. Trump, Address at Gettysburg, PA: Groundbreaking Contract for the American Voter in Gettysburg (Oct. 22, 2016), https://www.donaldjtrump.com/press-releases/donald-j.-trump-delivers-groundbreaking-contract-for-the-american-vote1.

7. See "Donald Trump: 'We have to get very, very tough on cyber and cyberwarfare,'" Newsday, http://www.newsday.com/long-island/politics/donald-trump-we-have-to-get-very-very-tough-on-cyber-and-cyberwarfare-1.12369169.

8. See Paul Rosenzweig, Revised Draft Trump EO on Cybersecurity, Lawfare (Feb. 9, 2017), https://www.lawfareblog.com/revised-draft-trump-eo-cybersecurity.

9. See "Presidential Executive Order on Reducing Regulation and Controlling Regulatory Costs," https://www.whitehouse.gov/the-press-office/2017/01/30/presidential-executive-order-reducing-regulation-and-controlling.

10. See Office of Compliance Inspections and Examinations, OCIE's 2015 Cybersecurity Examination Initiative (2015), https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.

11. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). In this proceeding, the FTC sued a global hotel company for failure to adequately safeguard its computer network, allowing hackers to steal customer information. Wyndham marked the first time the FTC's authority to regulate data security had been confirmed by a federal court.

12. See Exec. Order No. 13,636, 78 Fed. Reg. 11,739 (Feb. 19, 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.

13. Id.

14. See U.S. Dep't of Homeland Sec., Executive Order 13636: Improving Critical Infrastructure Cybersecurity (2013), https://www.dhs.gov/sites/default/files/publications/dhs-eo13636-summary-report-cybersecurity-incentives-study_0.pdf.

15. Id.

16. Id.

17. Id.

18. Id.

19. See U.S. Dep't of Homeland Sec., Strategic Principles for Securing the Internet of Things (IoT) (2016), https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf.

20. See Fed. Comm. Commission, White Paper: Cybersecurity Risk Reduction (2017), http://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0118/DOC-343096A1.pdf.

21. See N.Y. State Dep't of Fin. Servs, 23 NYCRR 500, http://www.dfs.ny.gov/legal/regulations/adoptions/rf23-nycrr-500_cybersecurity.pdf.

22. See President Donald J. Trump, Remarks on Immediate Action on Cybersecurity (Oct. 3, 2016), https://www.donaldjtrump.com/press-releases/donald-j.-trump-remarks-on-cybersecurity.

23. See Center for Cyber & Homeland Sec., Into The Gray Zone: The Private Sector and Active Defense against Cyber Threats (2016), https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf.

24. Id.

25. See Gregory Husisian & Robert Huey, "International Trade Litigation and the New Trump Administration: Your Top Ten Questions Answered," https://www.foley.com/international-trade-litigation-and-the-new-trump-administration-your-top-ten-questions-answered-01-06-2017/; Gregory Husisian, "CFIUS and the New Trump Administration: Your Top Ten Questions Answered," https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.

26. See U.S. Dep't of Justice, U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage (May 19, 2016), https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor.

27. See U.S. Dep't of Justice, Third U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues (Dec. 8, 2016), https://www.justice.gov/opa/pr/third-us-china-high-level-joint-dialogue-cybercrime-and-related-issues.

28. See Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174.

29. Id.

30. Id.

31. See International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf.

32. See "Presidential Memorandum Regarding the Hiring Freeze," https://www.whitehouse.gov/the-press-office/2017/01/23/presidential-memorandum-regarding-hiring-freeze.

33. See "Implementation of Civilian Workforce Hiring Freeze," https://www.defense.gov/Portals/1/Documents/pubs/OSD000999-17-RES-Final.pdf.

34. See "Presidential Memorandum Regarding the Hiring Freeze," https://www.whitehouse.gov/the-press-office/2017/01/23/presidential-memorandum-regarding-hiring-freeze.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
