Category: Regulators

May 23 2017

President Trump’s Budget Requests $1.5B For Homeland Security Cyber Unit

President Trump’s new budget includes a request to increase cybersecurity personnel and funding across several federal departments, including $1.5 billion for the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD). The NPPD is a DHS unit responsible for protecting US infrastructure from cyber threats. The DHS is responsible for protecting critical infrastructure and federal networks from cyber intrusions.

The budget document, released by the Office of Management and Budget earlier this morning, states: “The Budget supports the President’s focus on cybersecurity to ensure strong programs and technology to defend the Federal networks that serve the American people, and continues efforts to share information, standards, and best practices with critical infrastructure and American businesses to keep them secure[.]” The budget document also proposes to increase law enforcement and cyber personnel at DHS, the FBI and Department of Defense.

The President’s budget comes on the heels of his recent Executive Order aimed at strengthening cybersecurity across federal networks, critical infrastructure, and the nation writ large. It also comes in the wake of federal departments and agencies, such as DHS, Health and Human Services, and the Securities and Exchange Commission, focusing their efforts on cybersecurity in medical devicesmobile devices, financial services, and the Internet of Things (IoT).

 

May 19 2017

US Government Accountability Office Releases New Report On The Internet of Things (IoT)

On May 15, 2017, the US Government Accountability Office (GAO) released a new report entitled “Internet of Things: Status and implications of an increasingly connected world.” In the report, the GAO provides an introduction to the Internet of Things (IoT), describes what is known about current and emerging IoT technologies, and examines the implications of their use. The report was prepared by reviewing key reports and scientific literature describing current and developing IoT technologies and their uses, concentrating on consumers, industry, and the public sector, and interviewing agency officials from the Federal Trade Commission (FTC) and Federal Communications Commission (FCC). The GAO also convened a number of expert meetings during the drafting process, bringing together experts from various disciplines, including computer science, security, privacy, law, economics, physics, and product development.

Technological Advancements Leading To IoT Surge

The GAO identified four technological advancements that have contributed to the increase in IoT devices:

  • Miniaturized, inexpensive electronics. According to the GAO, the cost and size of electronics are decreasing, making it easier for the electronics to be embedded into objects and to be enabled as IoT devices. For example, the price of sensors has significantly declined over the past decade. One sensor called an accelerometer cost an average of $2 in 2006. The average price of the unit in 2015 was $.40.
  • Ubiquitous connectivity. The GAO notes that the expansion of networks and decreasing costs allow for easier connectivity, and for IoT devices to be used almost anywhere. The proliferation of Wi-Fi options and Bluetooth creates a more expansive space for IoT to operate.
  • Cloud computing. Cloud computing allows for increased computer processing. Because IoT devices create a large amount of data, they require large amounts of computing power to analyze the data. The increase and availability of cloud computing is helping IoT devices expand.
  • Data analytics. New advanced analytical tools can be used to examine large amounts of data to uncover hidden patterns and correlations. According to the GAO, advanced algorithms in computing systems can enable the automation of data analytics, and allow for valuable information to be collected by IoT devices.

Common Components Of IoT Devices

The GAO identifies three major components that make up nearly all IoT devices: (1) hardware, (2) network connectivity, and (3) software. The hardware used in IoT devices generally consists of embedded components, such as sensors, actuators, and processors. Sensors generally collect information about the IoT environment, such as temperature or changes in motion. Actuators perform physical actions, such as unlocking a door. And processors serve as the “brains” of the IoT device. The network component of an IoT device connects it to other devices and to networked computer systems. And the software in IoT devices perform a range of functions, from basic to complex. These three components are common across the IoT industry, and serve as the bedrock foundation for understanding the security challenges facing the IoT space.

Benefits and Uses

According to the GAO, the benefits and uses of IoT for consumers, industry and the public sector are widespread. From wearable IoT devices, such as fitness trackers, smart watches and smart glasses, to smart homes, buildings and vehicles, IoT is changing the landscape of consumer products and how people interact with their space. IoT is also impacting supply chain and agriculture industries, enhancing productivity and efficiency.

Potential Implications

With these benefits comes potential risk. The GAO report identifies five risk categories presented by the onset of new IoT technology: (1) information security; (2) privacy; (3) safety; (4) standards; and (5) economic issues.

  • Information security. The IoT brings the risks inherent in potentially unsecured information technology systems in homes, factories, and communities. IoT devices, networks, or the cloud servers where they store data can be compromised in a cyberattack.
  • Privacy. Smart devices that monitor public spaces may collect information about individuals without their knowledge or consent.
  • Safety. Researchers have demonstrated that IoT devices, such as connected automobiles and medical devices, can be hacked, potentially endangering the health and safety of their owners.
  • Standards. IoT devices and systems must be able to communicate easily. Technical standards to enable this communication will need to be developed and implemented effectively.
  • Economic issues. While impacts such as positive growth for industries that can use the IoT to reduce costs and provide better services is a beneficial outcome, economic disruption is also possible, such as the need for certain types of businesses and jobs that rely on individual interventions, including assembly line work or commercial vehicle deliveries.

As IoT technology increases, so too will the regulatory landscape governing its use. Although there is no single US federal agency that has overall regulatory responsibility for IoT, various agencies oversee or regulate aspects of the IoT, such as specific sectors, types of devices, or data. If you or your business is operating, or plans to operate in the IoT space, the Dentons’ global Privacy and Cybersecurity group can help you navigate this fast-paced, and shifting environment.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

May 19 2017

SEC Issues Cybersecurity Alert For Brokers And Financial Advisers

On May 17, 2017, the US Securities and Exchange Commission (SEC), through its National Exam Program, issued a “Risk Alert” to broker-dealers, investment advisers and investment firms to advise them about the recent “WannaCry” ransomware attack and to encourage increased cybersecurity preparedness. The purpose of the alert, according to the SEC, was to “highlight for firms the risks and issues that the staff has identified during examinations of broker-dealers, investment advisers, and investment companies regarding cybersecurity preparedness.”

Based on a 2015 survey of 75 SEC registered broker-dealers, investment advisers and investment firms, the SEC National Exam Program staff recognized certain firm practices that registrants may find relevant when dealing with threats such as the WannaCry ransomware attack:

  • Cyber-risk Assessment: Five percent of the broker-dealers, and 26 percent of the investment advisers and investment companies examined “did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.”
  • Penetration Tests: Five percent of the broker-dealers, and 57 percent of the investment companies “did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.”
  • System Maintenance: All broker-dealers, and 96 percent of investment firms examined “have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.” And only ten percent of the broker-dealers, and four percent of the investment firms examined had a significant number of critical and high-risk security patches that were missing important updates.

The SEC recommends registrants undertake at least two separate tasks: (1) assess supervisor, compliance and/or other risk management systems related to cybersecurity risks; and (2) make any changes, as may be appropriate, to address or strengthen such systems. To assistant registrants, the SEC highlights its Division of Investment Management’s recent cybersecurity guidance, and the webpage of the Financial Industry Regulatory Authority (FINRA), which has links to cybersecurity-related resources.

The SEC cautions that the recommendations described in the Risk Alert are not exhaustive, “nor will they constitute a safe harbor.” Factors other than those described in the Risk Alert may be appropriate to consider, and some factors may not be applicable to a particular firm’s business. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised in the Risk Alert. Ultimately, the “adequacy of supervisory, compliance, and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.”

The SEC recognizes that it is not possible for firms to anticipate and prevent every cyber-attack. However, “appropriate planning to address cybersecurity issues, including developing a rapid response capability is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.”

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

May 12 2017

White House Signs New Cybersecurity Executive Order

On May 11, 2017, President Donald Trump signed a new Executive Order on cybersecurity entitled Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The new order is split up into three sections, and addresses cybersecurity in (1) federal networks, (2) critical infrastructure, and (3) the nation.

Section 1 – Cybersecurity of Federal Networks

Under Section 1, entitled “Cybersecurity of Federal Networks,” the President announced he “will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.” Agency heads will be “held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.” Agency heads will also be “held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes[.]”

Effectively immediately, every federal agency head must use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) to manage their agency’s respective cybersecurity risk. Each agency must provide a “risk management report” to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the new Executive Order. That risk management report must document the risk mitigation and acceptance choices made by each agency head as of May 11, 2017, and must include: (1) the strategic, operational, and budgetary considerations that informed those choices; and (2) any accepted risk, including from unmitigated vulnerabilities. The report must also describe the agency’s action plan to implement the NIST framework.

Once received, the Secretary of Homeland Security and the Director of OMB will jointly assess each agency’s risk management report to determine “whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate (the determination).” The Director of OMB, in coordination with the Secretary of Homeland Security, and with appropriate support from the Secretary of Commerce and the Administrator of General Services, will then be required, within 60 days of receipt of the agency risk management reports, to submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the agency determination and a plan to:

  1. Adequately protect the executive branch enterprise, should the determination identify insufficiencies;
  2. Address immediate unmet budgetary needs necessary to manage risk to the executive branch enterprise;
  3. Establish a regular process for reassessing and, if appropriate, reissuing the determination, and addressing future, recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise;
  4. Clarify, reconcile, and reissue, as necessary and to the extent permitted by law, all policies, standards, and guidelines issued by an agency, and, as necessary and to the extent permitted by law, issue policies, standards, and guidelines in furtherance of this order; and
  5. Align these policies, standards, and guidelines with the NIST Framework.

The Director of the American Technology Council is also directed to coordinate a report to the President from the Secretary of Homeland Security, the Director of OMB, and the Administrator of General Services, in consultation with the Secretary of Commerce, as appropriate, regarding the modernization of the federal IT ecosystem. That report must be completed within 90 days of the new Executive Order and describe the legal, policy, and budgetary considerations “relevant to — as well as the technical feasibility and cost effectiveness, including timelines and milestones, of — transitioning all agencies, or a subset of agencies, to” (1) one or more consolidated network architectures; and (2) shared IT services, including email, cloud, and cybersecurity services.

Section 2 – Cybersecurity of Critical Infrastructure

Under Section 2, entitled “Cybersecurity of Critical Infrastructure,” the White House makes clear it is the “policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure (as defined in section 5195c(e) of title 42, United States Code)[.]” In carrying out this policy, the new Executive Order identifies five critical areas for focus: (1) supporting critical infrastructure at greatest risk; (2) supporting transparency in the marketplace; (3) resilience against botnets and other automated, distributed threats; (4) assessment of electricity disruption incident response capabilities; and (5) Department of Defense warfighting capabilities and industrial base.

Support to Critical Infrastructure at Greatest Risk

To support critical infrastructure at greatest risk, the Secretary of Homeland Security, in coordination with the Secretary of Defense, the Attorney General, the Director of National Intelligence, the Director of the Federal Bureau of Investigation, the heads of appropriate sector-specific agencies, and all other appropriate agency heads, shall:

  • Identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities to be at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security;
  • Engage said entities and solicit input as appropriate to evaluate whether and how the authorities and capabilities might be employed to support cybersecurity risk management efforts and any obstacles to doing so;
  • Provide a report to the President, which may be classified in full or in part, through the Assistant to the President for Homeland Security and Counterterrorism, within 180 days of the date of the new Executive Order, that includes: (1) the authorities and capabilities identified in the Executive Order; (2) the results of the engagement and determination as defined in the Executive Order; and (3) findings and recommendations for better supporting the cybersecurity risk management efforts of critical infrastructure entities; and
  • Provide an updated report to the President on an annual basis thereafter.

Supporting Transparency in the Marketplace

To support transparency in the marketplace, the Secretary of Homeland Security, in coordination with the Secretary of Commerce, is required to provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, that “examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities, within 90 days” of the date of the Executive Order.

Resilience Against Botnets and Other Automated, Distributed Threats

The Secretary of Commerce and the Secretary of Homeland Security are required to jointly lead an “open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).” The Secretary of Commerce and the Secretary of Homeland Security are also required to consult with the Secretary of Defense, the Attorney General, the Director of the Federal Bureau of Investigation, the heads of sector-specific agencies, the Chairs of the Federal Communications Commission and Federal Trade Commission, other interested agency heads, and appropriate stakeholders in carrying out the Executive Order. Within 240 days of the date of the Executive Order, the Secretary of Commerce and the Secretary of Homeland Security shall also make publicly available a preliminary report on this effort. And within 1 year of the date of the Executive Order, the Secretaries shall submit a final version of the report to the President.

Assessment of Electricity Disruption Incident Response Capabilities

The Secretary of Energy and the Secretary of Homeland Security, in consultation within the Director of National Intelligence, with State, local, tribal, and territorial governments, and with others as appropriate, are required to jointly assess: (1) the potential scope and duration of a prolonged power outage associated with a significant cyber incident against the United States electric subsector; (2) the readiness of the United States to manage the consequences of such an incident; and (3) any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident. The assessment must be provided to the President, through the Assistant to the President for Homeland Security and Counterterrorism, within 90 days of the date of the Executive Order, and may be classified in full or in part.

Department of Defense Warfighting Capabilities and Industrial Base

Within 90 days of the date of the Executive Order, the Secretary of Defense, the Secretary of Homeland Security, and the Director of the Federal Bureau of Investigation, in coordination with the Director of National Intelligence, shall provide a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks.

Section 3 – Cybersecurity for the Nation

Section 3 of the Executive Order, entitled “Cybersecurity for the Nation,” provides that it is the policy of the executive branch to promote an “open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.” This section focuses on: (1) deterrence and protection; (2) international cooperation; and (3) workforce development.

Deterrence and Protection

Within 90 days of the date of the Executive Order, the Secretary of State, the Secretary of Treasury, the Secretary of Defense, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, and the United States Trade Representative, in coordination with the Director of National Intelligence, shall jointly submit a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on the Nation’s strategic options for deterring adversaries and “better protecting the American people from cyber threats.”

International Cooperation

Within 45 days of the date of the Executive Order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation. Within 90 days of the submission of those reports, and in coordination with the agency heads, the Secretary of State must provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, documenting an engagement strategy for international cooperation in cybersecurity.

Workforce Development

Commerce and Homeland Security

The Secretary of Commerce and the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Secretary of Labor, the Secretary of Education, the Director of the Office of Personnel Management, and other agencies identified jointly by the Secretary of Commerce and the Secretary of Homeland Security shall:

  • Jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education; and
  • Within 120 days of the date of the Executive Order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations regarding how to support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.

Office of National Intelligence

The Director of National Intelligence, in consultation with the heads of other agencies, shall:

  • Review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness; and
  • Within 60 days of the date of the Executive Order, provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism on the findings of the review.

Department of Defense

The Secretary of Defense, in coordination with the Secretary of Commerce, the Secretary of Homeland Security, and the Director of National Intelligence, shall:

  • Assess the scope and sufficiency of United States efforts to ensure that the United States maintains or increases its advantage in national-security-related cyber capabilities; and
  • Within 150 days of the date of the Executive Order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations on the assessment carried out.

The Dentons Privacy and Cybersecurity Group will continue to monitor the respective agency reports, as they are issued, and examine any additional efforts relating to this new Executive Order and its impact on industry as they develop.