Obama Cyber-Security Executive Order Lacks Legislative Backbone
“The executive order is at least a step in the right direction, but I don’t think anyone would say it’s the end-all in cyber security,” said Jamie Barnett, a retired admiral and former chief of the Public Safety and Homeland Security Bureau at the Federal Communications Commission, in an interview with eWEEK. Barnett heads the cyber security practice at Venable, a Washington law firm. “What they’ve set forth in the executive order is a process that may stretch across industries. Some will be specific to industries,” he said.

Barnett said that even though the executive order is aimed at voluntary standards, some agencies, such as the General Services Administration, may require companies to meet the standards and practices that NIST develops as a condition of eligibility for federal contracts. But he noted that because the President’s action is an executive order, there is no means of enforcement. There needs to be legislation for that, he noted.

Andy Roth, formerly the Chief Privacy Officer at American Express and now a partner with SNR Denton, also a law firm with a cyber-security practice, said that he thinks the strong statement by the President on cyber security will encourage companies to take security seriously. But he agreed that there is nothing in the executive order to require companies that are part of the nation’s critical infrastructure to comply. “I think it’s a pretty strong statement by the president about what he’d like to see happen,” Roth said.

Roth said that he thinks some agencies will determine that it is within their authority to require companies to comply with the standards developed at the direction of the executive order. He noted that there needs to be more than just the executive order. “This is part of a bigger process,” he said.

But the bottom line on the executive order is that it doesn’t have the force of law.
There is nothing the order can do, for example, to prevent a piece of the national critical infrastructure such as a power plant from ignoring the best practices, blowing off the advice and leaving its computers without protection of any kind. As you’ll remember, this has happened once, and it’s certain to happen again.

The reason it is sure to happen again is that there is no good means of legislating against stupidity. Even where reporting requirements exist, a company that reports an incident to the government can avoid any embarrassing public disclosure. And because there is still no accountability, all of the executive orders in the world won’t do a thing to protect the critical infrastructure in the U.S.