Obama Cyber-Security Executive Order Lacks Legislative Backbone

Cyber-security experts say President Obama’s executive order for federal agencies to take action to improve cyber-security is a good first step. However, they note that the order lacks legal teeth.

During his State of the Union Address on Feb. 12, President Obama announced he had signed an executive order that would allow federal agencies to share information with private industry about cyber-threats, attacks and the activities of known criminals and cyber-terrorists. The order would also allow federal agencies to receive information from private companies about their knowledge of such activities.

During his speech, the president recalled a number of times that the U.S. critical infrastructure has been attacked and said that his executive order would give the government the tools to do something about it. One feature of the order that should give some comfort to Internet privacy advocates is that the order has specific protections for privacy and protection of civil rights.

In addition, the order calls for federal agencies to take action under a framework that is “prioritized, flexible, repeatable, performance-based and cost-effective” in its approach. The order also directs National Institute of Standards and Technology (NIST) to hold public hearings and come up with a preliminary framework within a year.

Security experts everywhere rejoiced. This was a good thing, they said. Then a sudden realization began to dawn. The president signed an executive order. It does not have the effect of law and there’s no means by which to enforce anything in it. All it actually does is tell the world that the president is serious enough about the problem to actually say he wants the government to do something.

The Business Roundtable, an organization of corporate CEOs, was somewhat more cautious in its approach. “We’re very supportive of the information-sharing aspects,” said Liz Gasster, vice president of information and technology. Gasster said that the group would like to see legislation and standards that would help companies protect the information they receive from the government and the information they provide to the government. “The framework for information sharing is an area where we’re going to focus and prioritize,” she said.

And legislation could indeed happen. On the day after President Obama signed his executive order, a bipartisan bill known as H.R. 624 - The Cyber Intelligence Sharing and Protection Act of 2013 was introduced in the House of Representatives. If the name of this bill seems familiar, it should. It’s better known by its acronym CISPA and the bill is identical yo the amended bill that failed previously in the Senate.