During his State of the Union Address on Feb. 12, President Obama announced he had signed an executive order that would allow federal agencies to share information with private industry about cyber-threats, attacks and the activities of known criminals and cyber-terrorists. The order would also allow federal agencies to receive information from private companies about their knowledge of such activities.
During his speech, the president recalled a number of times that the U.S. critical infrastructure has been attacked and said that his executive order would give the government the tools to do something about it. One feature of the order that should give some comfort to Internet privacy advocates is that the order has specific protections for privacy and protection of civil rights.
In addition, the order calls for federal agencies to take action under a framework that is “prioritized, flexible, repeatable, performance-based and cost-effective” in its approach. The order also directs the National Institute of Standards and Technology (NIST) to hold public hearings and come up with a preliminary framework within a year.
Security experts everywhere rejoiced. This was a good thing, they said. Then a sudden realization began to dawn. The president signed an executive order. It does not have the effect of law and there’s no means by which to enforce anything in it. All it actually does is tell the world that the president is serious enough about the problem to actually say he wants the government to do something.
The Business Roundtable, an organization of corporate CEOs, was somewhat more cautious in its approach. “We’re very supportive of the information-sharing aspects,” said Liz Gasster, vice president of information and technology. Gasster said that the group would like to see legislation and standards that would help companies protect the information they receive from the government and the information they provide to the government. “The framework for information sharing is an area where we’re going to focus and prioritize,” she said.
And legislation could indeed happen. On the day after President Obama signed his executive order, a bipartisan bill known as H.R. 624, the Cyber Intelligence Sharing and Protection Act of 2013, was introduced in the House of Representatives. If the name of this bill seems familiar, it should. It’s better known by its acronym, CISPA, and the bill is identical to the amended bill that failed previously in the Senate.
Obama Cyber-Security Executive Order Lacks Legislative Backbone
“The executive order is at least a step in the right direction, but I don’t think anyone would say it’s the end-all in cyber security,” said Jamie Barnett, a retired admiral and former chief of the Public Safety and Homeland Security Bureau at the Federal Communications Commission, in an interview with eWEEK. Barnett heads the cyber security practice at Venable, a Washington law firm with a significant cyber security practice. “What they’ve set forth in the executive order is a process that may stretch across industries. Some will be specific to industries,” he said.
Barnett said that even though the executive order is aimed at voluntary standards, some agencies such as the General Services Administration may require companies to meet the standards and practices that NIST develops as a part of the requirement to be eligible for federal contracts. But he noted that because the President’s action is an executive order, there’s no means of enforcement. There needs to be legislation for that, he noted.
Andy Roth, formerly the Chief Privacy Officer at American Express and now a partner with SNR Denton, also a law firm with a cyber-security practice, said that he thinks the strong statement by the President on cyber security will encourage companies to take security seriously. But he agreed that there’s nothing in the executive order to require companies that are part of the nation’s critical infrastructure to comply. “I think it’s a pretty strong statement by the president about what he’d like to see happen,” Roth said.
Roth said that he thinks some agencies will determine that it’s within their authority to require companies to comply with the standards developed at the direction of the executive order. He noted that there needs to be more than just the executive order. “This is part of a bigger process,” he said.
But the bottom line on the executive order is that it doesn’t have the force of law. There’s nothing the order can do, for example, to prevent a piece of the national critical infrastructure such as a power plant from ignoring the best practices, blowing off the advice and leaving computers without protection of any kind. As you’ll remember, this has happened once and it’s certain to happen again.
The reason it’s sure to happen again is that there’s no good means of legislating against stupidity. Even with strong reporting requirements in place, companies can escape any embarrassing public disclosures if they tell the government. And because there remains no accountability, all of the executive orders in the world won’t do a thing to protect the critical infrastructure in the U.S.