An executive order from President Obama aimed at protecting the nation from cyberattacks is likely to be issued in early 2013, and perhaps as soon as January, observers say.

The long-awaited executive action is unlikely to be taken before the end of the year, given the delicate negotiations over the “fiscal cliff.” Republican lawmakers have made it known that they strongly oppose an executive order on cybersecurity.

ADVERTISEMENT

“It’d be reasonable to say that releasing the executive order now would irritate Congress and might create an unnecessary burden for reaching a deal on the fiscal issues,” said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.

“Every day they get closer to Christmas it makes less sense to put it out, unless you want to hide it,” Lewis said.

A source close to the administration said the White House will likely issue the order in January.

GOP members in both chambers of Congress fear the cyber order will pile new regulations onto companies that operate critical infrastructure, such as water plants, financial systems and the electric grid. They argue that boosting the country’s cyber defenses requires a permanent legislative solution, not an executive order that might not carry over into the next administration.

White House spokeswoman Caitlin Hayden declined to comment on when the executive order will be issued, but she said the administration is still discussing the policy document internally.

“We have been reaching out extensively to both the private sector and Congress to seek their input, and are continuing our internal deliberations,” Hayden said in a statement. “Given the gravity of the threats we face in cyberspace, we want to get this right, in addition to getting it done swiftly.”

Obama officials started crafting the executive order after a sweeping cybersecurity bill failed to pass the Senate in August. The administration has argued that the threat of a crippling cyberattack against U.S. was simply too great for the executive branch to ignore.

ADVERTISEMENT

After the Senate bill was voted down a second time this fall, White House cybersecurity coordinator Michael Daniel said that the administration is considering issuing the executive order “as a precursor to the updated laws we need.” He stressed that it would not be a substitute for legislation.

Obama was expected to issue the cybersecurity order in December, and it’s not clear why that action has been delayed. Lewis noted that the White House had to consider feedback from other agencies on the order and consider the possible economic effects on industry.

This fall, the White House held a series of meetings with representatives from tech trade associations, the U.S. Chamber of Commerce, privacy groups and think tanks to hear their recommendations for the executive order.

Some of that industry feedback was incorporated into a draft of the cyber order that leaked last month. Among the changes, the White House included language stating that its cybersecurity guidance does not prescribe one type of security technology over another — a change that was viewed as a carve-out for the tech industry.

“It may not necessarily be a lengthy document, but it’s an important one,” said Michael McNerney, a former Defense Department Official who is a fellow at the Truman National Security Project. “It’s important that all these stakeholders have time to debate it and have all their concerns addressed.”

“If it was done this soon, I’d be surprised,” he added.

The administration’s efforts to come up with incentives for industry in the executive order also “ate up a lot of time,” Lewis said.

The executive order limits the administration because it cannot be used to grant new powers or authorities. Any incentives for participation in the cybersecurity programs would have to fall within the parameters of existing legislation.

To address that constraint, the leaked version of the cyber order directs the Treasury and Commerce departments to recommend a set of possible incentives that would entice operators of critical infrastructure to join a voluntary program in which they would follow a set of cybersecurity standards.

The other challenge the administration faces is a logistical one. An executive order goes through a thorough vetting process before it reaches the national security adviser and the president. With officials’ busy schedules in the final weeks of the year, it might have been difficult to get all the necessary sign-offs.

“With attention on [the] fiscal cliff and the holiday season, it is hard to imagine getting all the agency approvals in place in the next week,” said Jessica Herrera-Flanigan, a partner at Monument Policy Group and former general counsel on the House Homeland Security Committee.







