Executive order would not allow 'meaningful leap' on cybersecurity

President Obama is being urged by members of Congress to bypass the legislative body after its failure to pass cybersecurity legislation over the summer.

Sen. Dianne Feinstein (D-Calif.), who chairs the Senate Intelligence Committee, called on Obama in an open letter last week to issue an executive order for government agencies and critical infrastructure owners to implement better controls to protect their computer networks.

There is plenty of precedent for such action. The President has bypassed Congress with executive orders more than 130 times. Among the most notable were his creation of a version of the Dream Act. Also, he declared that the federal government would no longer enforce the federal Defense of Marriage Act. His mantra, at these times: "We can't wait."

Sen. Feinstein and others, including Sen. Jay Rockefeller (D-W. Va.), who made a similar request in a letter to the White House last month, argue we cannot wait on cybersecurity.

The White House said after Congress failed to pass the Cybersecurity Act of 2012 that the President was considering implementing some of the goals of that bill by executive order.

"Moving forward, the President is determined to do absolutely everything we can to better protect our nation against today's cyber threats and we will do that," White House Press Secretary Jay Carney said at the time.

The President does not have the authority to include everything that had been proposed in the Cybersecurity Act, as Rockefeller acknowledges. A voluntary program in the bill would have offered incentives, such as government assistance to operators of critical infrastructure who meet federal security standards, when they are confronted with a cyberthreat.

[In depth: Organized cybercrime revealed]

A presidential executive order could not include those incentives, but Rockefeller wrote that "many components of the Cybersecurity Act are amenable to implementation via executive order, normal regulatory processes, or other executive action under the authorities of the Homeland Security Act."

Jacob Olcott, a principal at Good Harbor Consulting, said by the time the Cybersecurity Act came to a vote, it had been stripped of most of its more controversial provisions in an effort to gain Republican support.

"The president can't create new regulations for industries that aren't already regulated," he said. "But he could expand existing regulatory systems."

Olcott added that the things the president can do are in the areas where there has been general agreement between the parties. "The idea of the executive order is that it's a way to start moving in a direction -- a way to formalize a lot of the policies [the parties] had informally agreed on."

Joel Harding, a retired military intelligence officer and information operations expert, said it is likely that an executive order would please neither party, for different reasons. "But at least it provides some serious updates to the 2003 Presidential Directive on Cybersecurity," he said. "There will be enough meat to set some standards but not enough to make a meaningful leap in cybersecurity."

The politics of it obviously depend on partisan leanings. Tim Campbell, writing on the website of Republican Elizabeth Emken, who is trying to unseat Feinstein, mocked the senator for what he called "an election-year ploy."

"Come on Dianne," Campbell wrote. "If this were anything more than a charade, why didn't you put it into play the first two years of this administration?"

"...This is Dianne Feinstein's way of encouraging Obama to do what he has done all along, circumvent Congress. Has Feinstein forgotten the gavel is held by the Senate majority leader, the obstreperous Harry Reid? He is the kink in the hose. It's a matter of him calling said legislation to a vote."

Sen. Susan Collins (R-Maine), who cosponsored the CSA with Sen. Joe Lieberman (I-Conn.), was much gentler in her comments about a possible executive order, saying she would prefer that the president not bypass Congress on cybersecurity legislation.

Harding said the President can defend an executive order by arguing that he is "making progress as opposed to the 'do-nothing' Congress, which, of course, is aimed squarely at the Republicans."

"There is even a good chance Obama will bring this up in the presidential debates," he said. "But there is a strong possibility that Mitt Romney [the Republican challenger] will hand him his lunch, stating the lack of information sharing requirements, lack of standards, etc."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

More videos

Blog Posts