Exec Order Could Ease Cybersecurity Bill PassageRidding Gov's Role in Setting Standards from Legislative Equation
A presidential executive order on cybersecurity, under review by the Obama administration, if issued might help ease passage of information security legislation in the 113th Congress, despite Republican objection to such a decree.
At the heart of the proposed executive order is a process in which the federal government, through the Department of Homeland Security, would collaborate with industry to establish IT security best practices that the mostly-private owners of the nation's critical infrastructure - banks, energy distribution companies, transportation networks, to name a few - could adopt voluntarily [see Administration Seeks Private Sector Counsel on Order].
See Also: 57 Tips to Secure Your Organization
Should President Obama issue the executive order, the need to include language on developing government-backed critical infrastructure protections wouldn't be necessary in any new legislation.
"Until we see the EO - assuming there is one - we won't know what they need to do in the law, but if it looks like the alleged drafts people say are floating around, they won't need to do much on critical infrastructure," says James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, a Washington think tank.
Provisions calling for just such a process helped torpedo the Cybersecurity Act of 2012, which twice failed to surmount a Republican-led filibuster [see Senate, Again, Fails to Halt Filibuster]. GOP lawmakers - with backers in business, notably the U.S. Chamber of Commerce - contend that businesses themselves know best on how to defend their networks. Also, some fear voluntary standards could turn into regulations.
"The proposal is not just for government to work with industry, which everyone knows they already do - but that government (would) have the final say as to what comes out," says Larry Clinton, chief executive of the Internet Security Association, a trade group.
When it became clear that the Cybersecurity Act would not pass the Senate, several of its Democratic sponsors called on Obama to issue an executive order to implement some of its provisions, such as establishing IT security best practices. Republicans, even one of the bill's sponsors - Sen. Susan Collins of Maine - cautioned the president against bypassing Congress with an executive order [see 'We Can't Wait' for Cybersecurity].
The Information Sharing Predicament
Another contentious provision of the Cybersecurity Act, information sharing between the government and industry, could only be addressed partially in an executive order because providing liability protection from information sharing can only be granted by an act of Congress. Many companies would be reluctant to share information about threats and vulnerabilities without being assured they won't be sued for liability.
Allan Friedman, research director of the Center for Technology Innovation at Brookings, a Washington think tank, says there are many different types of information sharing, many of which would not involve the dicey liability issue, a point often lost on members of Congress. "Lawmakers tend to treat all info sharing the same," Friedman says. "Engineers know that there's a huge difference between an attack signature from an intrusion-detection system and a profile of a new type of attacker."
Friedman says the executive order could encourage more collaboration between business and government, modeling new efforts after existing initiatives such as those between military contractors and the Defense Department, the DoD-Defense Industrial Base Collaborative Information Sharing Environment, and InfraGard, an FBI-business information sharing program aimed at safeguarding critical infrastructure.
The more contentious matters dealing with information sharing, which also includes protecting the privacy and civil liberties of citizens whose personal information could be exposed during exchanges of data between business and government, must be addressed by legislation.