White House: No Rush on Executive Order
Administration Seeks Cooperation on Infrastructure Safeguards
The White House says it's not rushing to issue an executive order that would create a process to identify best IT security practices the mostly private owners of the nation's critical infrastructure could voluntarily adopt.
"The process of developing an executive order will take time, as we believe that it must take into account the views of our partners in the private sector and the Congress," White House spokeswoman Caitlin Hayden said in an Oct. 5 statement. "We have started reaching out to both the private sector and Congress and we look forward to gaining their input. Given the gravity of the threats we face in cyberspace, we want to get this right in addition to getting it done swiftly."
Anticipation that the executive order would be issued sooner rather than later has been building. In mid-September, President Obama's homeland security adviser, John Brennan, said the administration was considering issuing an executive order to secure the mostly privately owned systems critical to the functioning of the United States' economy and society [see WH Moves Closer to Issuing Infosec Executive Order].
A few days later, at a Senate Homeland Security and Governmental Affairs Committee hearing, Homeland Security Secretary Janet Napolitano said the executive order is "still being drafted in the inter-agency process" and "is close to completion depending on a few issues that need to be resolved at the highest levels," according to a report.
GOP Warning
The White House statement comes days after several Republican senators wrote a letter to Obama, saying taking unilateral action would aggravate the existing divide among lawmakers [see GOP Senators Warn Obama on Executive Order].
Also on Oct. 5, one of the leading Republicans on cybersecurity, Rep. Michael McCaul of Texas, wrote to Obama, saying he shares the president's disappointment that the Senate failed to enact cybersecurity legislation but asked him not to issue an executive order. "Only through legislation passed by Congress can we effectively address the complex legal challenges surrounding this important issue," said McCaul, chairman of the Homeland Security Oversight and Investigations Subcommittee and co-founder of the House Cybersecurity Caucus.
The Obama administration began to consider issuing an executive order two months ago after the Senate blocked a vote on the Cybersecurity Act of 2012, a comprehensive IT security bill that would have established a process for the federal government and industry to develop jointly voluntary IT security standards. Nearly every Republican opposed that provision, saying it could lead to regulations that they oppose.
With the Cybersecurity Act deemed all but dead - there remained some hope Congress could address the measure when it returns for a lame-duck session after the November election - several sponsors of the bill: Sens. Jay Rockefeller, D-W.Va. [see A Cybersecurity Dream Act Alternative]; Dianne Feinstein, D-Calif. [see Obama Urged to Take Solo Action on Cybersecurity]; and Joseph Lieberman, ID-Conn. [see Lieberman's Last Harrah on Cybersecurity] - called on President Obama to issue the executive order.
However, another sponsor of the bill, Republican Susan Collins of Maine, asked the president not to issue an executive order [see 'We Can't Wait' for Cybersecurity].
Executive Order No Substitute for Legislation
The White House statement was issued at about 5 p.m. Eastern Time on Friday, the beginning of a three-day Columbus Day holiday weekend, a favorite time for announcements by Democratic and Republican administrations that don't want to attract much attention to the news or distract from the message of the day.
In the statement, Hayden reiterated the administration's support for passage of comprehensive legislation to safeguard the nation's critical IT infrastructure, conceding getting the bill enacted this year remains tough: "The current prospects for a comprehensive bill are limited, and the risk is too great for the administration not to act. The president is determined to protect our nation against cyberthreats."
She said the executive order is one way to improve collaborative efforts to develop needed cyber protections. "However, an EO is not a substitute for new legislation," she said. "While an EO doesn't create new powers or authorities, it does set policy under existing law."
Most Republican lawmakers contend regulations or even voluntary standards would stifle innovation among critical infrastructure companies to create proper safeguards, adding that these corporations know best how to protect their IT systems and networks. Some Democrats, but far from all of them, favor some form of regulation, contending critical infrastructure systems are too vital to the nation's well-being to be left alone to private companies that might be more focused on the corporate bottom line than on the needs of American society. The language in the Cybersecurity Act and the possible executive order is seen by supporters as a compromise between government mandates and corporate freedom.
The administration doesn't reject the idea that the best ideas could come from those who operate the critical infrastructure IT. "We believe that companies driving cybersecurity innovations in their current practices and planned initiatives can help shape best practices across critical infrastructure," Hayden said. "Companies needing to upgrade their security would have the flexibility to decide how best to do so using a wide range of innovative products and services available in the marketplace. We remain committed to incorporating strong privacy and civil liberties protections into any initiative to secure our critical infrastructure."