Executive order would not allow 'meaningful leap' on cybersecurity

President Obama is being urged by members of Congress to bypass the legislative body after its failure to pass cybersecurity legislation over the summer.

Sen. Dianne Feinstein (D-Calif.), who chairs the Senate Intelligence Committee, called on Obama in an open letter last week to issue an executive order for government agencies and critical infrastructure owners to implement better controls to protect their computer networks.

There is plenty of precedent for such action. The President has bypassed Congress with executive orders more than 130 times. Among the most notable were his creation of a version of the Dream Act and his declaration that the federal government would no longer enforce the federal Defense of Marriage Act. His mantra at these times: "We can't wait."

Sen. Feinstein and others, including Sen. Jay Rockefeller (D-W. Va.), who made a similar request in a letter to the White House last month, argue we cannot wait on cybersecurity.

The White House said after Congress failed to pass the Cybersecurity Act of 2012 that the President was considering implementing some of the goals of that bill by executive order.

"Moving forward, the President is determined to do absolutely everything we can to better protect our nation against today's cyber threats and we will do that," White House Press Secretary Jay Carney said at the time.

The President does not have the authority to include everything that had been proposed in the Cybersecurity Act, as Rockefeller acknowledges. A voluntary program in the bill would have offered incentives, such as government assistance to operators of critical infrastructure who meet federal security standards, when they are confronted with a cyberthreat.

A presidential executive order could not include those incentives, but Rockefeller wrote that "many components of the Cybersecurity Act are amenable to implementation via executive order, normal regulatory processes, or other executive action under the authorities of the Homeland Security Act."

Jacob Olcott, a principal at Good Harbor Consulting, said by the time the Cybersecurity Act came to a vote, it had been stripped of most of its more controversial provisions in an effort to gain Republican support.

"The president can't create new regulations for industries that aren't already regulated," he said. "But he could expand existing regulatory systems."

Olcott added that the things the president can do are in the areas where there has been general agreement between the parties. "The idea of the executive order is that it's a way to start moving in a direction -- a way to formalize a lot of the policies [the parties] had informally agreed on."

Joel Harding, a retired military intelligence officer and information operations expert, said it is likely that an executive order would please neither party, for different reasons. "But at least it provides some serious updates to the 2003 Presidential Directive on Cybersecurity," he said. "There will be enough meat to set some standards but not enough to make a meaningful leap in cybersecurity."

The politics of it obviously depend on partisan leanings. Tim Campbell, writing on the website of Republican Elizabeth Emken, who is trying to unseat Feinstein, mocked the senator for what he called "an election-year ploy."

"Come on Dianne," Campbell wrote. "If this were anything more than a charade, why didn't you put it into play the first two years of this administration?"

"...This is Dianne Feinstein's way of encouraging Obama to do what he has done all along, circumvent Congress. Has Feinstein forgotten the gavel is held by the Senate majority leader, the obstreperous Harry Reid? He is the kink in the hose. It's a matter of him calling said legislation to a vote."

Sen. Susan Collins (R-Maine), who cosponsored the CSA with Sen. Joe Lieberman (I-Conn.), was much gentler in her comments about a possible executive order, saying she would prefer that the president not bypass Congress on cybersecurity legislation.

Harding said the President can defend an executive order by arguing that he is "making progress as opposed to the 'do-nothing' Congress, which, of course, is aimed squarely at the Republicans."

"There is even a good chance Obama will bring this up in the presidential debates," he said. "But there is a strong possibility that Mitt Romney [the Republican challenger] will hand him his lunch, stating the lack of information sharing requirements, lack of standards, etc."
