Obama expected to issue cybersecurity executive order

Byron Acohido, USA TODAY | USATODAY

SEATTLE -- Reaction to an impending cybersecurity executive order could be as polarized as the debate that hog-tied Congress from enacting new laws to assure basic Internet safety.

President Obama is expected to release a cybersecurity executive order on Wednesday, the day after his annual State of the Union address, according to a report in The Hill. The online publication cited two people familiar with the matter. White House spokesperson Caitlin Hayden refused to comment.

Asked at a press briefing Monday whether Obama will speak about cybersecurity in the State of the Union, White House spokesman Jay Carney declined to get into specifics. "You know that the President believes that cybersecurity is a very important issue," Carney told reporters. "It represents a huge challenge for our country. He has called on Congress to take action. Unfortunately, Congress has thus far refused legislatively."

Harriet Pearson, a privacy and information management attorney at law firm Hogan Lovells, observes that "last year there was a wide-open door for cybersecurity legislation, but Congress tried to fit a truck through."

Pearson credits the Obama Administration for seeking "considerable input to develop the Executive Order. The deliberative process is a good sign for a complex topic like this one."

The order is expected to establish a critical infrastructure cybersecurity council manned by the U.S. Department of Homeland Security, staffed by members of the departments of defense, justice and commerce, and national intelligence office, according to a preliminary draft leaked in September.

The council will draw up rules for federal agencies to propose new regulations, or broaden existing ones, including criteria for the sharing of data between private corporations and the federal government.

The Department of Homeland Security and the National Institute of Standards and Technology are likely to play key roles promoting collaboration between key industry sectors and the government.

"Information sharing between the government and private companies needs to increase, to improve the cybersecurity ecosystem overall," says Mary Ellen Callahan, chair of privacy and information governance at law firm Jenner Block. "The information sharing element will be voluntary, but hopefully encourage more private sector-government communications on these very real threats."

Callahan points out that Obama's order will use existing law to address policy priorities for an administration.

Gant Redmon, general counsel at Co3 Systems, says he expects Obama to "highlight the benefits for industry in terms of threat intelligence to be made available to domestic targets."

Even so, many in private industry are concerned about the devil in the details. Jody Westby, CEO of consultancy Global Cyber Risk, says wider sharing of intelligence about what criminals and spies are doing is a good thing. But Westby worries that NIST, in particular, could develop an unwieldy framework of mandatory standards for critical infrastructure companies.

"This sort of overreaching by the President could result in numerous legal challenges over his ability to usurp the powers of the legislative branch," Westby says. "Just because he is frustrated with Congress does not mean that he can step on the separation of powers. His job is to enforce laws, not enact them."

Westby points out that there were some 40 cybersecurity bills in the last Congress and about 60 in the one before. None of those proposals passed.

"Congress was hog-tied because it had an insufficient understanding of the problem and tried to force mandates, disguised as voluntary measures, on the private sector and got blocked by the U.S. Chamber," Westby says. "That indicates to me that there are fundamental problems with the legislation, the need for it, and in understanding the problems."

Shellye Archambeau, CEO of MetricStream, says the "ambiguity in defining how companies could share private user information with the government" shot down all of the proposed bills. "While it is critical for the government and private sector enterprises to share threat information, it is just as important that they know where to draw the line," Archambeau says.

Chris Bronk, fellow of information technology at Rice University, says DHS and NIST may be organically restrained, even given new presidentially assigned authority, by a lack of new resources.

"I don't see any funding in the executive order," Bronk says. "Without funding, you can't build any capacity to do any additional programs or facilitate a new edifice in the executive branch. All you're doing is leaving it to the agencies to reallocate existing resources. It (the order) basically just asks for a lot of planning and reporting about what to do next."

In a related development, the European Commission last week proposed a sweeping Cybersecurity Directive underscoring that "the push for regulation in this area extends well beyond Washington," Pearson notes.

"Almost everyone agrees that the federal government has a big role to play in cybersecurity," Pearson says. "Companies will be wary of information sharing without liability protection – which is something only Congress can provide."

F. Ward Holloway, vice president of business development at FireMon, says he will be supportive of Obama's order if it amounts to a "concrete action plan to help reduce and eliminate breach events" that are occurring daily and receiving more public attention.

"Specifically, there needs to be a commitment to moving to a proactive versus reactive network security posture," Holloway says. "The technology already exists to do this."