Over the past few days, numerous news sources reported that President Obama is strongly considering an executive order on cybersecurity. Here’s a sampling of the news reports:
BloombergBusinessweek: Obama Weighs Executive Order to Defend Against Cyber Attacks
“The program, to be managed by the Department of Homeland Security, would establish cybersecurity standards that companies could voluntarily adopt to better protect banks, telecommunication networks and the U.S. power grid from electronic attacks, the officials, who have seen the draft, said on condition of anonymity because the document hasn’t been made public….”
Federalnewsradio.com: White House draft cyber order promotes voluntary critical infrastructure protections
“The White House so far has failed to get a bill passed by both houses of Congress to improve the cybersecurity of the nation's critical infrastructure, so they want to take an alternative approach.
The administration has created a draft executive order detailing how, within its authority, it would improve the information assurance of the nation's critical infrastructure, such as the power grid and financial industries.
The draft EO includes eight sections, including the requirement to develop a way for industry to submit threat and vulnerability data to the government….”
“With Congress unable to pass legislation strengthening cybersecurity in the US, President Obama is taking matters into his own hands. The Hill reports that the White House has drafted an executive order establishing an opt-in program that lays out best practices for companies operating critical infrastructure, such as railways and the water supply….”
Should We Wait?
Meanwhile, there are other groups, members of Congress and industry experts that urge more patience while a bipartisan deal can be struck. They point out that there are strong differences of opinion on what steps to take to help resolve major deficiencies. Here are some of those voices:
The Foundry (Heritage Foundation blog by Steven Bucci): A Cybersecurity Executive Fiat Is a Very Bad Idea
“… Is it wise to proceed on this issue by unilateral executive action? Absolutely not!
First, why did the Cybersecurity Act of 2012 fail to pass? Was it political spite, or election year partisan wrangling? Some might think that, because they believe that anyone who disagrees with them is clearly motivated by power politics. This is ridiculous. The reason the bill did not pass was because there are reasonable and serious policy differences regarding how the nation should approach the growing challenge of cybersecurity. These differing camps are not at opposite ends of the political spectrum, but are spread throughout the American ideological landscape….”
A Sense of Urgency
However, it appears that unless a very quick deal is struck with Congress, an executive order will be issued soon. Back in July, the President issued a rare op-ed piece in the Wall Street Journal, regarding the serious cybersecurity situation we face as a country. Here’s how President Obama begins:
“In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home.
Last month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials. Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.
Our nation, it appeared, was under cyber attack. Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems.”
While I am torn on this issue of an executive order, I certainly think cybersecurity action is needed soon. In a Governing Magazine article, Cyber Security Act’s Failure Leaves Infrastructure Vulnerable, by Steve Towns, I described my views in detail. Here’s one summary quote from the Governing Magazine Editor:
“Lohrmann, who now oversees all cyber and physical security for Michigan state government, won’t take political sides on the latest measure. But he’s adamant -- as are most other security professionals -- that more must be done to protect the nation’s critical infrastructure from attack.”
Trend: Cybersecurity Is Becoming Political
Which leads to the sad trend that I see developing now: cybersecurity is becoming more political. Thehill.com wrote: “Democratic platform diverges with GOP on cybersecurity.” Here’s an excerpt:
“… The Democratic Party said it would continue this push to boost the security of the nation's critical computer systems and networks from hackers, terrorist networks and hostile countries looking to wreak damage against infrastructure that's key to public safety and the economy.
"We will continue to take steps to deter, prevent, detect, and defend against cyber intrusions by investing in cutting-edge research and development, promoting cybersecurity awareness and digital literacy, and strengthening private sector and international partnerships," the platform reads.
It's a far cry from the GOP platform approved at the party's convention last week. In their cybersecurity plank, Republicans argued that Obama's approach to cybersecurity has been too regulatory and reliant on defensive capabilities….”
In summary, it appears that an executive order on cybersecurity is coming before our upcoming election day. We all want to know: What’s in that exec order? Will the actions taken last very long, and what’s next for cybersecurity in our nation? However, these questions may depend on how America votes on November 6.
What are your thoughts on an executive order on cybersecurity?