'We Can't Wait' for Cybersecurity
Divisions Surface among Cybersecurity Act BackersSen. Susan Collins is right: a White House edict aimed at safeguarding the nation's critical IT infrastructure is no substitute for legislative action.
See Also: How to Take the Complexity Out of Cybersecurity
The Maine Republican and ranking member of the Senate Homeland Security and Governmental Affairs Commission is a co-sponsor of the Cybersecurity Act of 2012, which failed last month to muster the 60 votes needed to stop a filibuster [see Senate Votes to Block Cybersecurity Act Action].
Given the threat, Collins says, she shares President Obama's frustration with Congress' failure to enact cybersecurity legislation, a major component of his legislative agenda, because the computer systems that run the nation's critical infrastructure - the electric grid, water treatment plants, financial networks and transportation systems - remain vulnerable to a catastrophic cyberattack.
In a statement issued late last week, Collins says:
"I understand the administration's desire to act, but an executive order should not be a substitute for legislative action. ... An executive order could send the unintended signal that congressional action is not urgently needed."
The mostly Republican opponents to the Obama administration-backed Cybersecurity Act recognize the urgency for cybersecurity legislation, but they have fundamental disagreements with the bill's supporters over the need for government-endorsed IT security standards that the legislation calls for. Republicans opposed to the bill feel voluntary standards could lead to government regulation.
Collins' concern about unilateral White House action comes after the administration dropped hints it might take independent, albeit limited steps through an executive order to mitigate cyberthreats [see Cat Out of Bag on Infosec Regulation?], two of her fellow co-sponsors of the Cybersecurity Act called for the executive order and a website reported that a draft of the order was being circulated.
According to the report in the political newspaper The Hill, the executive order draft would establish a voluntary program led by the Department of Homeland Security, working with the National Institute of Standards and Technology, where companies operating critical infrastructure would elect to meet cybersecurity best practices and standards created jointly by the government and business.
The Congressional Bypass
If President Obama issues an executive order, it won't be the first time he has taken unilateral action when perturbed by congressional lawmakers blocking elements of his legislative agenda. To promote his economic agenda blocked by Congress, the White House has implemented its We Can't Wait campaign. In August alone, as part of We Can't Wait, Obama freed up $473 million in unspent earmarks for states to spend on infrastructure projects, launched public-private institute aimed at boosting innovation in Youngstown, Ohio, accelerated seven major renewable energy infrastructure projects and expedited the Atlanta regional multimodal passenger terminal project.
Though not part of We Can't Wait, the administration issued an order to not deport many young adults who came illegally to the United States as children because Congress has failed to enact the DREAM Act, another example of the president going it alone without congressional authorization.
It's been nearly a year since Obama began bypassing Congress, when last October the administration issued new rules to help nearly 6 million borrowers with little or no equity in their homes to exploit low mortgage rates.
Obama Following Bill Clinton's Lead
John Cooney, a Washington lawyer whose practice focuses on economic regulatory and constitutional litigation, says in a blog posting that Obama cites Article II of the U.S. Constitution, as head of the executive branch, to take such actions. Cooney writes that Obama is following a model created in the mid-1990s by President Clinton, when he faced a similar stalemate with Republicans who controlled the House of Representatives. Cooney, though, says there are limits on executive orders:
"In reality, the president possesses little ability to order changes in government programs based on his own, unilateral authority. ... The president's authority is greatest with an explicit congressional authorization, weakest in the face of a congressional prohibition and indeterminate if Congress has not directly addressed an issue.Independent action on cybersecurity would seem to fall into the broad, middle area. Still, an executive order would not furnish enough oomph to provide the needed cyber safeguards. (Of course, many supporters for a strong role by government in defining cybersecurity standards feel the Cybersecurity Act won't provided the needed protection, either.)
In this broad middle area, the president has substantial room to instruct agency heads how to exercise the discretion provided by a statute, as long as they do not take a prohibited act or fail to take a required act."
An important element of any plan to protect the nation's vital IT systems is legal protection for businesses that share cyberthreat information with the government and other businesses. Obama can't provide that type of protection by himself; for that, Congress would need to act.
Something Better than Nothing
But many see an executive order establishing voluntary standards as a move in the right direction, and feel it would be better than no legislation at all, even with its limits.
Former White House Cybersecurity Coordinator Howard Schmidt [see Platform Hints of Obama Cybersec Action] as well as Collins' Cybersecurity Act co-sponsors - Democrats Jay Rockefeller of West Virginia [see A Cybersecurity Dream Act Alternative] and Dianne Feinstein of California [see Obama Urged to Take Solo Action on Cybersecurity], chairs, respectively, of the Senate Select Committee on Intelligence and Committee on Economics, Science and Transportation - have called on Obama to issue an executive order. Says Feinstein:
"The threats to our national and economic security are simply too great to wait for legislation."
For the most part, governmental actions - whether enacted by Congress or issued by presidential decree - are incremental steps to a specific goal. It's questionable how much safer the nation's critical IT infrastructure would be if an executive order is issued, but it would be at least a step in the right direction.
And such an executive order, despite Collins' misgivings, could do more good than harm. Perhaps it could get lawmakers to compromise on cybersecurity legislations. Stranger things have happened in Washington.