Oct 52018

White House and Pentagon Announce New Cyber Strategies

Christopher Fonzone and Feola Odeyemi
, , ,

The Trump Administration continued to put its stamp on federal cybersecurity policy last week, as the White House issued its National Cyber Strategy while the Pentagon announced the Department of Defense Cyber Strategy.  The former document is a helpful step forward that continues and advances the cyber policies the Trump Administration inherited from the Obama and Bush Administrations, while the Pentagon’s release primarily focused on the Strategy’s endorsement of “Defense Forward,” which was taken as a signal the United States would be adopting a more aggressive operational posture in the future.  Data Matters readers will want to study both strategies, as each contains interesting insights into how the Trump Administration envisions the development of the cybersecurity ecosystem and see the public and private sectors working together to mitigate cyber risks. 

White House National Cyber Strategy

The National Cyber Strategy outlines four broadly defined “pillars”:

  • Defend the homeland by protecting networks, systems, functions and data;
  • Promote American prosperity by nurturing a secure, thriving digital economy and fostering domestic innovation;
  • Preserve peace and security by strengthening the ability of the United States and its allies and partners to deter and if necessary, punish those who use cyber tools for malicious purposes; and
  • Expand American influence abroad to extend the key tenets of an open, interoperable and secure Internet.

These pillars would not seem out of place in either an Obama or Bush Administration document, and, indeed the Strategy is more about continuity of approach than dramatic change.  Beyond this, while this piece does not summarize the entire 40-page document, it is worth highlighting a few aspects here:

  • Increased Cybersecurity Measures for Federal Contractors:  While much of the Strategy’s first pillar either continues or builds on existing initiatives, its stance with respect to the vetting of federal contractors who host federal data is more aggressive than existing approaches. In particular, the Strategy notes that relevant contracts should allow agencies to assess data security along the supply chain by reviewing Federal contractor risk management practices and responding to incidents on contractor systems.
  • Foreign Investment and Cyber Workforce:  Emphasizing themes that have attracted much attention over the past couple of years, the second pillar of the strategy strongly endorses both updating mechanisms to review foreign investment and operation in the United States and investing in the development of a superior cybersecurity workforce.
  • Focus on legal development and reform:  In a couple of places, the Strategy recognizes the importance of developing an international and domestic legal architecture for cyber operations.  Specifically, the Strategy both called for reforms of domestic surveillance and computer crime laws to better enable detection, disruption, and accountability, while simultaneously – and perhaps more surprisingly – calling for the development of a “framework of responsible state behavior in cyberspace built upon international law, adherence to voluntary non-binding norms of responsible state behavior that apply during peacetime, and the consideration of practical confidence building measures to reduce the risk of conflict stemming from malicious cyber activity.”
  • Attribution and Deterrence: Finally, the plan makes a point to call for the attribution and deterrence of unacceptable cyber behavior, certainly a goal of the both the Bush and Obama Administrations.  To do so, the Strategy calls for the launch of an International Cyber Deterrence Initiative under which the United States, in conjunction with a coalition of like-minded nations, will take steps to address malign actors.

Summary of DoD Cyber Strategy

Not surprisingly, the summary of the DoD Cyber Strategy is primarily focused on securing military infrastructure and preserving the U.S. military’s ability to fight and win wars in any domain. Under the plan, which will not be unfamiliar to those who have followed the development of the Pentagon’s cyber strategy over time, the DoD also seeks to preempt, defeat or deter malicious cyber activity targeting U.S. critical infrastructure, and to work with allies to strengthen cyber capacity and facilitate information sharing.

Of particular note, the Strategy states that the Department of Defense is prepared to “defend forward to disrupt or halt malicious cyber activity at its source.”  While the precise meaning of the concept “defend forward” is unclear, it may contemplate cyber operations outside U.S. networks outside the context of armed conflict.  Along with the reporting that the Trump Administration has relaxed the interagency process the Obama Administration had in place to vet certain cyber operations, this raises a number of key question about such “defense forward” activities.  What type of operations will be undertaken and in response to what threats?  Where will the operations occur?  Who will have the authority to approve them?  And what agencies will be involved in vetting the operations?  As the above description suggestions, such operations raise interesting questions under both domestic (concerning, among other things, the separation of powers) and international law, and it will thus be worth watching whether the Trump Administration provides more information on this potentially important development.

Christopher Fonzone

cfonzone@sidley.com

Feola Odeyemi

fodeyemi@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.