Democrats Urge White House Cybersecurity Order
Democratic cybersecurity hawks in the Senate renewed their call for President Barack Obama to issue an executive order to secure the nation’s critical infrastructure from cyberattacks. Sen. Joe Lieberman, I-Conn., told us Wednesday at the Capitol that “the threat of a cyberattack is so real, we are so vulnerable, that I'm encouraged that the administration is doing work on an executive order and I think they should get it out as soon as it is ready.” John Brennan, assistant to the president for homeland security and counterterrorism, confirmed last week the White House is considering an executive order to secure critical infrastructure (CD Sept 18 p13). The White House had no comment Wednesday.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Lieberman, an author of the stymied Senate Cybersecurity Act (S-3414), said lawmakers still have a chance to adopt cybersecurity legislation in the lame duck session of Congress. “I would say the odds are at best 50/50,” he told us. In the meantime Lieberman said he didn’t think there’s “anything bad that can happen” from issuing a cybersecurity executive order. “It will give us a level of protection that we would not otherwise have, it will begin to set the premise for a collaborative, public sector, private sector relationship on cybersecurity. Hopefully the private owners of cyberinfrastructure realize that they shouldn’t be as nervous as they are.”
There are things that an executive order can’t do, Lieberman said. It can’t provide immunity to companies from liability stemming from their cooperation with the government to share cyberthreat information, increase the penalties for cybercrimes, or provide more latitude to the federal government to hire cybersecurity professionals, he said: “The president can’t mandate, the president can set up a system of standards, voluntary compliance, but I believe some of the regulatory agencies under their existing statutory authority could take those voluntary standards and make them mandatory on the particular groups that they oversee.”
Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., said a cybersecurity executive order would be “a step in the right direction” after the Senate failed to pass S-3414 in August. Rockefeller also asked CEOs from the nation’s top 500 companies to detail their cybersecurity practices, in a letter sent Wednesday (http://xrl.us/bnqgpz). Rockefeller said he wrote to CEOs because he wanted to “hear directly from our nation’s business community to understand their views on cybersecurity ... without the filter of Beltway lobbyists.” Rockefeller, who is also a sponsor of S-3414, said the bill’s failure to pass in August was “largely due to opposition from a handful of business lobbying groups and trade associations,” notably the U.S. Chamber of Commerce. “For reasons I do not understand, the Chamber of Commerce and other business lobbying groups opposed our plan to create a voluntary program that would empower the private sector to collaborate with the federal government to develop dynamic and adaptable voluntary cybersecurity practices for companies to implement as they see fit,” he said. Rockefeller specifically asked the CEOs what cybersecurity best practices they employ, how they were developed, what role the government played in the development of their cybersecurity practices, and what concerns companies have with conducting cybersecurity risk assessments in coordination with the government, among other questions. The Chamber did not comment.
Sen. Sheldon Whitehouse, D-R.I., said he would “completely support" the president’s decision to pursue an executive order, in an interview at the Capitol. “It then gives [Congress] something to build on,” he said. Whitehouse helped broker the failed negotiations between sponsors and opponents of S-3414 last month. The idea of a White House cybersecurity order is a “good and necessary one at this point given the fact that the Chamber of Commerce has refused to accept that there is a national security issue here, and just won’t compromise on anything,” Whitehouse said. He said he had not seen a draft of the executive order, but he believes there would be few negative repercussions from the president taking unilateral action to secure the nation’s networks. “I think it’s all upside ... the worst thing that could happen is that the executive order is unable to accomplish everything that needs to be done, because some of it requires legislation, and takes the pressure off [Congress] to get the legislation done, and so it postpones the final day.”
Sen. John McCain, R-Ariz., told us he too is expecting the White House to issue a cybersecurity executive order but would not comment on the substance of the order. The president can’t do much with a cybersecurity order anyway, said McCain. “Even he, with his authority, doesn’t have the authority to get to some of the issues as far as liability protections are concerned. But they'll probably do it and make a big deal about it,” he said. McCain is a sponsor of an alternative cybersecurity bill called the SECURE IT Act (S-2151).