CQ NEWS – POLICY
Feb. 12, 2013 – 3:48 p.m.
By Tim Starks, CQ Roll Call
With Congress thus far unable to enact cybersecurity legislation, President Barack Obama signed an executive order Tuesday to protect computer networks. But the president said later in his State of the Union address that he still needs Congress’ help.
“We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” Obama said, explaining why he signed the order. “Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”
The executive order directs agencies to take steps to expand cyberthreat information sharing with companies. It also tells them to come up with incentives for owners of the most vital and vulnerable digital infrastructure — like those tied to the electricity grid or banking system — to voluntarily comply with a set of security standards. And it orders them to review their regulatory authority on cybersecurity and propose new regulations in some cases.
“At this point, since the prospects for a bill remain uncertain, and given the risk, the administration is in a position where it has to take some action,” a senior administration official said Tuesday. “An executive order is not a substitute for legislation and is not the end of the conversation. It’s just the beginning of it.”
There are many things an executive order cannot do, senior administration officials told reporters during a conference call, among them creating incentives for companies to share threat information with the federal government; removing barriers for companies to share threat information between themselves; increasing criminal penalties for cybercrimes; unifying a patchwork of state laws governing how consumers are notified of a data breach at a company; and updating a law requiring mandatory reporting about the federal government’s efforts to protect its computer networks.
Earlier Tuesday, leaders of key House and Senate panels took different approaches to the news that Obama would issue an executive order and discuss it in his speech.
House Intelligence Chairman Mike Rogers, R-Mich., and top panel Democrat C.A. Dutch Ruppersberger of Maryland were already scheduled to reintroduce their own information sharing-based legislation — identical to last year’s House-passed bill — on Wednesday afternoon, even before the administration finalized the rollout of its executive order. That legislation includes incentives, such as liability protection, that the executive branch cannot offer on its own to businesses that share threat information with the government.
“We are pleased to hear that the president will mention cyber security in tonight’s State of the Union address,” the two lawmakers said in a news release. “We will closely review the president’s executive order once it is released, but we agree that our biggest barriers to bolster our cyber defenses can be fixed only with legislation. That’s why we will introduce tomorrow our legislation to help U.S. companies better protect themselves, and the privacy and civil liberties of their customers, from Chinese and Iranian hackers.”
Senate Homeland Security and Governmental Affairs Chairman Thomas R. Carper, D-Del., said he plans to review the executive order and follow it up with a hearing soon, perhaps a joint hearing with the Intelligence and Commerce, Science and Transportation panels on cybersecurity legislation that would be needed to “wrap around” the executive order. He also said it was a good idea for Obama to mention the topic in his speech because over the next 10 years, the cybersecurity threat could become predominant.
Carper was a cosponsor of an unsuccessful Senate bill last year that the executive order mimics in part. That legislation included information-sharing provisions, like the House-passed bill. But unlike the House-passed measure, the Senate version encountered resistance from business groups that opposed language creating new security standards for the most vital privately owned networks.
Other Democrats praised Obama’s move and pledged follow-up action.
“I also strongly support President Obama’s action to strengthen our economic and national security,” Sen. Jay Rockefeller, D-W.Va., the chairman of the Commerce, Science and Transportation Committee, said in a written statement. “I will continue my efforts this Congress to enact legislation that bolsters the cooperation between the federal government and private sector to protect our country from cyber attacks.”
Several Senate Republicans involved in last year’s debate, who ended up rejecting the final version of the bill, were more cautious Tuesday, saying that the White House cannot address the threat by itself.
“The President’s Executive Order cannot achieve the balanced approach that must be accomplished collaboratively through legislation and with the support of the American people,” said a written statement from John McCain, R-Ariz.; Saxby Chambliss, R-Ga., ranking member of the Intelligence Committee; and John Thune, R-S.D. “We will closely examine the Executive Order and ensure that there is thorough Congressional oversight of any action it directs. As the 113th Congress gets underway, the Senate should follow regular order and craft legislation that will have an immediate impact on our nation’s cybersecurity without adding or prompting regulations that could discourage innovation and negatively impact our struggling economy.”
The new chairman of the House Homeland Security Committee, Michael McCaul, R-Texas, said in a written statement that he was worried Obama’s executive order would open the door to excessive regulation, and added that he planned his own legislation “to enhance coordination between the private sector and government in order to protect our critical infrastructure including communications networks, information technology, pipelines, dams, and transportation systems.”
Brian Finch, a partner in Dickstein Shapiro’s Washington office who heads the firm’s global security practice, said it could take some time, but he expects Congress to move ahead with its own cybersecurity agenda. “There’s really only so much the administration can do,” said Finch, who is also a professor at the George Washington University Law School. “This is them saying, ‘We’ve acted. Now Congress needs to step up.’”
Privacy advocates have been another major faction trying to influence cybersecurity policy. Michelle Richardson, legislative counsel in the American Civil Liberties Union’s Washington legislative office, said Tuesday before the executive order’s release that based on her understanding of it, she was “happy they are focusing on privacy-neutral provisions for cyber” such as security standards for industry. She also praised the order’s emphasis on integrating privacy protection standards into its information-sharing provisions.
Also Tuesday, the administration issued a presidential policy directive on critical infrastructure that it said would create a “stronger alliance between these two intertwined components” of physical security and cybersecurity.