State of the Union: Cybersecurity Word CountSize Counts - Obama More Verbose in His Defense of Cyber
If verbiage represents commitment, then President Obama is definitely more dedicated to cybersecurity now than he was a year ago.
In 2012, the president allotted only 26 words to his 7,200-word State of the Union speech to cybersecurity [see The State of the Union's Cybersecurity]. This year, he devoted 149 words in a 6,833-word address to the cyberthreat, a five-fold increase. Cybersecurity represented 0.36 percent of the 2012 speech; this year, it represented 0.72 percent of the speech.
An executive order has limits because it can only use existing legal authorities, unlike a law that can create new powers.
What's different this year is that the president had something concrete to promote: a cybersecurity executive order that he signed shortly before he addressed Congress on Feb. 12 [see Obama Issues Cybersecurity Executive Order]. That order directs the U.S. federal government to share cyberthreat information with critical infrastructure owners and to collaborate with industry to develop IT security best practices that critical infrastructure owners could voluntarily adopt.
Nearly on the Mark
In the run-up to the State of the Union, we asked IT security experts to play speechwriter, and compose the cybersecurity passage they felt the president should deliver [see State of the Union: What Should Obama Say?]. We didn't ask them to predict what Obama would articulate, only what they believed the president should say.
It wasn't a contest, but two of the contributors - Minnesota Chief Information Security Officer Chris Buse and Internet Security Alliance Chief Executive Larry Clinton - came closest to identifying the themes the president made in his State of the Union address.
Buse wrote that cyber risk is real, impacting everyone, and that the administration needs to work with Congress "to put in place a framework to address cyberthreats holistically." Obama called for new cybersecurity legislation and his executive order has the government working with the private sector to create a cybersecurity framework.
Clinton noted that "cybersystems are under constant attack from organized criminals and nation states." Obama said, "We know foreign countries and companies swipe our corporate secrets." Clinton also called for the government and business to develop economic incentives to promote cyberdefense. Although Obama didn't mention incentives in his speech, his executive order directs the Department of Homeland Security to work with sector-specific agencies to identify incentives that can be adopted.
Dentures vs. Teeth
An executive order has limits because it can only use existing legal authorities, unlike a law that can create new powers. For example, some regulatory agencies have authority to regulate cybersecurity, and the executive order could allow those agencies to modify their regulations to conform to the cybersecurity framework the order tasks the government to develop with the private sector. But the executive order cannot mandate other businesses to follow the cybersecurity framework.
The limits of the executive order have some people suggesting it doesn't have teeth. It's a point recognized by the president and his top cybersecurity advisers, who note the need to enact a comprehensive cybersecurity law. The executive order, for instance, allows the government to share cyberthreat information with critical infrastructure owners under existing authorities, but it doesn't promote infrastructure owners sharing threat information with the government or with other infrastructure owners. That's because infrastructure owners might face liability lawsuits if certain information is revealed, and existing legal authorities don't give the president the right to protect businesses against such suits. Legislation could.
Still, top presidential aides rebut arguments that the executive order lacks teeth.
"In terms of teeth," a senior administration official said in a background briefing, "an executive order has to live within the existing statutory framework that exists. We're maximizing use of those existing statutory frameworks. We're giving multiple avenues, for incentives to be created, and [for] the voluntary program and market forces to work. But we're also putting in place the ability and a direction for the regulators to use their existing authority, if needed, as a backstop. ... So, I think from our perspective, this actually does have some teeth to it."
But another senior administration official quickly chimed in: "To the extent that more needs to be done, that's the point made at the beginning [of the briefing] about [the need for] legislation. So, there's also an effort to make sure we can get legislation so we can go further to protect cybersecurity."
The executive order, in other words, is more like dentures, which are functional, but not as real.