Executive order could institute controversial cybersecurity measures

According to published reports, a purported draft executive order circulating in Washington could revive measures from the Cybersecurity Act of 2012, a bipartisan bill that failed in Congress amid partisan discord.

The draft order is said to still be undergoing revisions, but likely will involve the institution of a voluntary program for private companies operating critical infrastructure to cooperate with government-instituted standards and best practices, The Hill reported. The program would be led by the Homeland Security Department and include the Commerce and Defense departments, as well as others still being determined. While DHS would manage the program, the National Institute of Standards and Technology would work with industry in crafting the framework.

If the idea sounds familiar, it’s because it was part of the failed cybersecurity bill spearheaded by Sen. Joe Lieberman (I-Conn.). It was also a chief concern of opponents of the bill, who felt the measure would lead to the government effectively controlling private networks.

White House officials have declined to comment on any specific executive cybersecurity order under consideration, but a spokesperson did say an order is one of several options being considered. Language in the Democratic Party platform released earlier this week also suggested the possibility.

“President Obama has supported comprehensive cybersecurity legislation that would help business and government protect against risks of cyber attacks while also safeguarding the privacy rights of our citizens,” the platform stated. “And, going forward, the president will continue to take executive action to strengthen and update our cyber defenses.”

Reports say that the draft order could be circulated to federal agencies as soon as next week, but at least one source familiar with the issue isn’t so certain.

Trey Hodgkins, TechAmerica senior vice president of global public sector government affairs, said the draft order being reported on is actually a “stale version of an update to [Homeland Security Presidential Directive 7]…that didn’t encompass all the challenges they would likely want to cover in an executive order.”

Some champions of failed cybersecurity legislation, including Sens. Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.), have been vocal in their support for an executive order, writing letters to the Obama administration encouraging cybersecurity action. Richard Clarke, former presidential adviser on cybersecurity, last month wrote a blog post on the Huffington Post website urging President Obama to take executive action.

“The president could let the Congressional farce continue on the issue of cyber security, with resulting inaction,” Clarke wrote. But such a lack of action “would be inconsistent with his Constitutional duty to protect the nation from significant threats. He should issue an executive order to improve our cyber defenses now.”

But others who are opposed to the bill are already sounding the alarm.

“Businesses need to speak up and let the White House and Congress know that they do not support unilateral cybersecurity requirements (even if they are couched as ‘voluntary’) via an Executive Order, because the issue goes to the very core of their business operations and has the potential to be extremely burdensome and costly,” Jody Westby, CEO of Global Cyber Risk, wrote in a Sept. 7 Forbes op-ed. “This kind of heavy-handed tactic satisfies a few but hurts the constituents…because it circumvents one of the most important functions of our government — the legislative process.”