By David J. Smith
Copyright © 2012 Potomac Institute for Policy Studies
“As Congress recesses for the national election,” Government Security News (GSN) reports, “the White House is close to issuing an Executive Order (EO) on cyber security in the coming days.” The EO is meant as at least partial compensation for Congress’s failure to pass cyber security legislation last August. Despite a standoff between Congressional factions with very different approaches to cyber security, just about everyone agrees that some kind of legislation is needed. The frustration is understandable, but is an EO at this moment a good idea?
Writing on CSO Online, Taylor Amerding offers a good overview of the arguments that various observers are making for and against the EO. Most of them are just restatements of positions on the content of the dueling bills that foundered in Congress two months ago. There is not much point in rehashing shopworn arguments. Moreover, we do not know exactly what will be in the EO.
Reports based on leaks say that the draft document will order executive departments to develop within 90 days a voluntary set of cyber security standards for private companies that operate critical infrastructure. Reports also suggest that the EO will establish a Cyber Security Council to be chaired by DHS. Both measures were featured in the revised Lieberman-Collins Cyber Security Act, a compromise attempt that failed to garner sufficient support in the Senate last August. However, an internal Administration debate on the EO’s content may still be underway.
Department of Homeland Security Secretary Janet Napolitano told a September 19 Senate Homeland Security and Governmental Affairs Committee hearing, that the EO “is close to completion, depending on a few issues that need to be resolved at the highest levels.” Another indication that the content of the EO may still be up for grabs is a September 24 letter from Senator Joseph Lieberman (I-CT) to President Barack Obama. Therein, Lieberman urges Obama “to explore any means at your disposal that would encourage regulators to make mandatory the standards developed by the Department of Homeland Security pursuant to your Executive Order.”
We just do not know enough to discuss the EO’s content. However, one discussion category that Amerding mentions demands our attention now: “The President should not circumvent Congress on a matter of this importance.”
Lieberman encourages the President to proceed with an EO, stressing the danger of inaction. “The danger is real and imminent,” the Senator’s letter says, “yet we have not acted to defend against it.” That is true; however, an EO will not change much in the imminent future—the executive departments may even be given 90 days to make recommendations. That would take us just about to Presidential Inauguration Day. Moreover, Administration officials admit that an EO cannot do all that needs to be done. For example, they point out that the President lacks the legal authority to grant legal protection to companies that choose to share cyber threat information with one another and with the government.
That alone means that the matter must again be faced early in the next Congress. Despite repeated Administration assertions that legislation will still be needed, issuing an EO in October could create the appearance—or the excuse—that cyber security is not so urgent early in 2013.
Moreover, attempts to add tougher provisions to an EO now may only heighten suspicions for the Congressional debate later.
Most importantly, AlienVault CTO Roger Thornton told CSO Online, “A mandate backed by Congress and the President would probably be more effective at convincing the private sector.” Particularly when our nation faces a new and patchily understood matter like cyber security, the legislative process serves a purpose. It may be a long process, frustrating and even painful, but in the end it is more likely to forge needed consensus than any other approach.
Although the attribution is probably apocryphal, Otto von Bismarck is said to have remarked, “If you like laws and sausages, you should never watch either one being made.”
The Potomac Institute Cyber Center 