White House Releases Cybersecurity Report and Implementation Plan
White House report acknowledges lack of federal data privacy law, outlines other efforts to protect data
In May 2024, the White House issued a first-of-its-kind report that assesses the cybersecurity posture of the United States, the effectiveness of national cyber policy and strategy, and the status of the implementation of national cyber policy and strategy by Federal departments and agencies. Overall, the White House reports that the U.S. national cybersecurity posture has improved over the last year, but the threats we face remain daunting.
The report highlights five trends, in addition to enduring cybersecurity challenges, that drove change in the strategic environment in 2023: evolving risks to critical infrastructure, ransomware, supply chain exploitation, commercial spyware, and artificial intelligence.
The report then outlines current efforts at the federal level to bolster cybersecurity and “proactively shape the digital ecosystem to align with U.S. national objectives.” This includes efforts like improving incident preparedness and response, advancing software security, and investing in resilient, next-generation technologies.
Of note, the report acknowledges that, in the absence of a federal data privacy law, the White House is pursuing other avenues to help protect data security and privacy. Three efforts are highlighted:
1. Executive Order 14117, which seeks to restrict access by "countries of concern" to Americans' bulk sensitive personal data and US Government-related data when such access would pose "an unacceptable risk to the national security of the United States."
This Executive Order aims to protect the privacy and security of Americans' personal information by limiting the ability of certain countries to access sensitive data that may be used for malicious purposes. By restricting access to bulk sensitive personal data and US Government-related data from countries that pose a risk to national security, the government can better safeguard against potential threats and prevent unauthorized access to sensitive information.
This order emphasizes the importance of protecting national security and the privacy of American citizens, while also recognizing the need for international cooperation on data sharing and security. It sends a message that the United States will take strong measures to protect sensitive information from being exploited by foreign entities for malicious purposes.
Overall, Executive Order 14117 serves as a critical step in strengthening data security measures and safeguarding Americans' personal information from potential threats posed by countries of concern.
2. Executive Order 14110, which establishes a policy framework to manage the risks of artificial intelligence. Executive Order 14110, titled "Policy Framework for Artificial Intelligence Risk Management," aims to provide guidelines and regulations to address the potential risks associated with the proliferation and use of artificial intelligence (AI) technologies.
The order outlines the following key components:
- Establishing a National Artificial Intelligence Risk Management Task Force: The order mandates the creation of a task force composed of industry experts, academics, and government officials to assess the risks and benefits of AI technologies. The task force will be responsible for providing recommendations on how to mitigate potential risks and ensure the safe and responsible deployment of AI.
- Developing a National AI Risk Management Strategy: The order directs federal agencies to collaborate on the development of a comprehensive strategy to mitigate the risks associated with AI technologies. This strategy will include guidelines for regulating the use of AI in various sectors, such as healthcare, transportation, and finance.
- Promoting International Cooperation: The order emphasizes the importance of collaborating with international partners to establish global standards for AI risk management. This includes sharing best practices and coordinating efforts to ensure the safe and ethical development of AI technologies.
- Ensuring Transparency and Accountability: The order calls for increased transparency in the development and deployment of AI systems, as well as mechanisms for holding developers and users accountable for any negative consequences of their AI applications. This includes establishing clear guidelines for data privacy, security, and bias mitigation.
Overall, Executive Order 14110 seeks to create a comprehensive policy framework to address the risks associated with AI technologies while promoting innovation and economic growth. By implementing these guidelines and regulations, the government aims to ensure that AI technologies are developed and used responsibly, ethically, and in the best interest of society.
3. The EU-US Data Privacy Framework, which provides a mechanism for companies to transfer personal data from the EU to the United States in a privacy-protective way consistent with EU law. This Framework is comprised of two main components: the Privacy Shield Program and Standard Contractual Clauses.
- The Privacy Shield Program is a self-certification mechanism that requires companies to adhere to a set of privacy principles when transferring personal data from the EU to the US. These principles include requirements such as providing notice to individuals about data processing, obtaining consent for data sharing, providing mechanisms for individuals to access and correct their data, and ensuring data security measures are in place.
- Standard Contractual Clauses are model contracts approved by the European Commission that provide a legal mechanism for companies to transfer personal data outside of the EU in compliance with EU data protection laws. These clauses contain contractual obligations that ensure the protection of personal data and give individuals enforceable rights against data controllers and processors.
The EU-US Data Privacy Framework is designed to provide a level of protection for personal data transferred between the EU and the US, while still allowing for the free flow of data necessary for transatlantic business activities. Adherence to this Framework is important for companies that process personal data of EU individuals, as failure to comply can result in fines and legal sanctions.
While all three efforts are a step in the right direction, they are reflective of what is happening across the country. Despite multiple versions of a federal law being introduced, Congress can’t seem to come to agreement and actually pass data privacy legislation. Just as states are stepping up and enacting their own data privacy laws, so too is the White House doing what it can at the Executive Branch level to address the issue. But still, we are left with a patchwork of state laws and Executive Orders - the direct benefits of which are difficult to discern.
What may be more promising to the everyday consumer are several efforts outlined in the National Cybersecurity Strategy Implementation Plan (NCSIP) – an accompaniment to the cybersecurity report. As part of national efforts to “shape market forces to drive security and resilience,” the White House says it will undertake efforts to “hold the stewards of our data accountable” and “drive the development of secure IoT devices.”
Concord will be monitoring these issues and will bring you the latest updates.