Obama Administration in Talks to Draft Cyber-Security Executive Order

The Obama administration has been reaching out to various interest groups for input on an executive order that would implement some of the provisions of cyber-security legislation that failed for a second time in the U.S. Senate.

The White House is reportedly making a major push to get input from various interest groups on the draft of an executive order that would implement some of the provisions written into the Cybersecurity Act of 2012, which fell short of the votes needed to send the legislation to a final vote in the Senate.

According to POLITICO, the Obama administration has been holding meetings with executives from various industries and financial institutions as well as personal privacy advocates in a bid to ensure any new rules are effective and easier to enforce.

"We kicked off a robust sort of outreach, and I would almost frame it as a listening session tour over the past couple months,” said Michael Daniel, cyber-security coordinator at the White House, in an interview with POLITICO.

The Senate voted 51-47 on Nov. 14 to close debate on the Cybersecurity Act. But this was nine votes short of the 60 required to send the legislation to a final vote. It was the second time since August that the act has failed to win sufficient support, which lent urgency to the administration’s efforts to craft an executive order.

A White House spokesperson declined to offer a further update on the progress of the order, which Department of Homeland Security Secretary Janet Napolitano said in September was close to completion. Just what the order would do is a matter of speculation. However, AOL Defense reportedly obtained a draft copy of the executive order that established rules and the levels of authority federal regulatory agencies have for enforcing existing laws and requirements for cyber-security in various sectors.

Talk of an executive order has been slammed by Republicans, who have accused the president of trying to circumvent Congress. Meanwhile, a spokesperson for the U.S. Chamber of Commerce, which condemned the Cybersecurity Act due to concerns its requirements would be a burden for business, told Politico that an executive order was "unnecessary."

“Our focus is on the next steps and the legislation," said Ann Beauchesne, vice president of the Chamber’s National Security and Emergency Preparedness Department. "We’re not focusing our time on the executive order."

"Engaging the business community is ideal but (I'm) not sure it is realistic to reach meaningful consensus in time," said Chris Petersen, CTO and co-founder of security vendor LogRhythm. "We cannot afford to delay critical infrastructure companies' motivation to invest in better cyber-security capabilities. We need to see more investment in 2013 and companies need the motivation to budget appropriately."

An executive order would lack the strength of a law, which supporters have said they will continue to seek regardless of whether an order is issued.

"We still need cyber-legislation," Department of Homeland Security Secretary (DHS) Janet Napolitano told the Senate Committee on Homeland Security and Government Affairs Sept. 19. "This is something Congress should enact in a comprehensive fashion."

According to Napolitano, an executive order cannot address issues related to liability protections associated with information sharing, increasing criminal penalties against attackers or adding staff at DHS in order to deal with cyber-attacks.

Mark Hatton, CEO of CORE Security, said he would like to see any executive order include a clear definition of what services and sectors are critical to our national security interests, such as power, water and air traffic. There also need to be defined limits on what is considered critical and what is not.

"If we focus first on the systems we classify as critical and are at risk today, that will be a strong starting position and are more likely to get agreement," he said, adding that there should also be specific reporting requirements for each of those sectors.

Certainly the voice of the business community must be heard, said Petersen. But the country cannot afford to wait years for all opinions and concerns to be aired, he added.

"We need action now with continued refinement in years to come," he said.