White House May Try Cybersecurity End Run
In the wake of Congress' failed attempt to pass a cybersecurity bill this summer, the White House has been working on an executive order to fill the gap. The order is aimed at protecting the nation's critical infrastructure from harm. It might not be enough, however. Democrats in Congress continue to try to drum up support for some government action on the matter.
Sep 21, 2012 12:24 PM PT
The White House is close to completing an executive order on cybersecurity, Homeland Security secretary Janet Napolitano has reportedly stated.
This order aims to protect the United States' critical infrastructure -- our electric grid, water systems and transportation networks -- from cyberattacks.
More than 90 percent of the United States' critical infrastructure is in the hands of the private sector, and the order seeks to get those companies to voluntarily meet a set of security standards that have been developed.
The White House began working on the executive order shortly after Congress voted down the Cybersecurity Act of 2012 in August.
What's in the Order?
The executive order includes some elements of the Cybersecurity Act of 2012, according to Techdirt, which obtained a leaked copy.
It also talks about the Department of Homeland Security and its responsibilities to investigate cybersecurity issues, and lists out 16 critical infrastructures.
However, the draft was vague and open to generous interpretation, which might impinge on civil liberties, Techdirt warned. For example, social networking is listed under communications, one of the 16 critical infrastructures.
The plan needs to be specific, Techdirt said. On the other hand, it had only examined a draft, and that might be changed before a final version is released.
Not Going Quietly Into the EO Night
News that the executive order is being drafted has stirred up debate.
Proponents of the executive order, most of whom are Democrats, are ratcheting up the pressure in its support. For example, Sen. Jay Rockefeller is writing the chief executives of Fortune 500 companies asking them to describe how their firms handle cybersecurity, according to The Wall Street Journal.
On the other hand, there's a perception among some that the executive order as an end run around Congress.
That might be a red herring because "to the extent Congress doesn't like it, it always has the option of overturning an EO through legislation," Daniel Castro, a senior analyst at the Information Technology & Innovation Foundation, remarked.
"It is clear that we do need better protection of vulnerable networks," John Simpson, consumer advocate at Consumer Watchdog, told TechNewsWorld. "Congress was unable to act, so I suppose the Administration is taking steps." He cautioned, however, that he had not seen a copy of the draft order.
Volunteer or Die?
Another argument that might be advanced against the upcoming executive order is that participation in it may not be voluntary.
The Cybersecurity Act of 2012 called for the creation of voluntary, sector-specific cybersecurity standards but "the federal agency responsible for regulating each industry could then make those standards mandatory," the ITIF's Castro told TechNewsWorld. "So these standards may be voluntary, depending on the industry."
Will Privacy Be a Problem?
Concerns about privacy protection have always loomed large in the national debate over cybersecurity.
"There are concerns that there is not enough attention paid to privacy protections in the most recently seen drafts of the executive order," Rainey Reitman, activism director of the Electronic Frontier Foundation, told TechNewsWorld. However, "these are still early drafts so there is still time to ensure that privacy safeguards are put in place."
On the other hand, an executive order "won't have the legal authority to undo existing privacy law," Reitman pointed out. "So, at the end of the day, it can never be as dangerous for individual privacy as a new piece of legislation."
The EO vs. Legislation
"The benefit of [beefing up cybersecurity] through legislation is that it can create a clear and consistent process that involves active private-sector participation and isn't tied to a single administration," the ITIF's Castro pointed out.
"An EO also cannot accomplish other goals such as reorganizing the roles of various federal agencies, [and] funding cybersecurity R&D and workforce training," Castro added. Nevertheless, it's an important stop-gap measure.
The White House did not respond to our request to comment for this story.