By Byron Acohido, USA TODAY
SEATTLE -- Reaction to an impending cybersecurity executive order could be as polarized as the debate that hog-tied Congress from enacting new laws to assure basic Internet safety.
President Obama is expected to release a cybersecurity executive order on Wednesday, the day after his annual State of the Union address, according to a report in The Hill. The online publication cited two people familiar with the matter. White House spokesperson Caitlin Hayden refused to comment.
Asked at a press briefing Monday whether Obama will speak about cybersecurity in the State of the Union, White House spokesman Jay Carney declined to get into specifics. "You know that the President believes that cybersecurity is a very important issue," Carney told reporters. "It represents a huge challenge for our country. He has called on Congress to take action. Unfortunately, Congress has thus far refused legislatively."
Harriet Pearson, a privacy and information management attorney at law firm Hogan Lovells, observes that "last year there was a wide-open door for cybersecurity legislation, but Congress tried to fit a truck through."
Pearson credits the Obama Administration for seeking "considerable input to develop the Executive Order. The deliberative process is a good sign for a complex topic like this one."
The order is expected to establish a critical infrastructure cybersecurity council manned by the U.S. Department of Homeland Security, staffed by members of the departments of defense, justice and commerce, and national intelligence office, according to a preliminary draft leaked in September.
The council will draw up rules for federal agencies to propose new regulations, or broaden existing ones, including criteria for the sharing of data between private corporations and the federal government.
The Department of Homeland Security and the National Institute of Standards and Technology are likely to play key roles promoting collaboration between key industry sectors and the government.
"Information sharing between the government and private companies needs to increase, to improve the cybersecurity ecosystem overall," says Mary Ellen Callahan, chair of privacy and information governance at law firm Jenner Block. "The information sharing element will be voluntary, but hopefully encourage more private sector-government communications on these very real threats."
Callahan points out that Obama's order will use existing law to address policy priorities for an administration.
Gant Redmon, general counsel at Co3 Systems, says he expects Obama to "highlight the benefits for industry in terms of threat intelligence to be made available to domestic targets."
Even so, many in private industry are concerned about the devil in the details. Jody Westby, CEO of consultancy Global Cyber Risk, says wider sharing of intelligence about what criminals and spies are doing is a good thing. But Westby worries that NIST, in particular, could develop an unwieldy framework of mandatory standards for critical infrastructure companies.
"This sort of overreaching by the President could result in numerous legal challenges over his ability to usurp the powers of the legislative branch," Westby says. "Just because he is frustrated with Congress does not mean that he can step on the separation of powers. His job is to enforce laws, not enact them."
Westby points out that there were some 40 cybersecurity bills in the last Congress and about 60 in the one before. None of those proposals were passed.
hog-tied because it had an insufficient understanding of the problem and tried to force mandates, disguised as voluntary measures, on the private sector and got blocked by the U.S. Chamber," Westby says. "That indicates to me that there are fundamental problems with the legislation, the need for it, and in understanding the problems."
Archambeau, CEO of MetricStream, says the "ambiguity in defining how companies could share private user information with the government" shot down all of the proposed bills. "While it is critical for the government and private sector enterprises to share threat information, it is just as important that they know where to draw the line,"
Chris Bronk, fellow of information technology at Rice University, says DHS and NIST may be organically restrained, even given new presidential-assigned authority, by a lack of new resources.
don't see any funding in the executive order," Bronk says. "Without funding, you can't build any capacity to do any additional programs or facilitate a new edifice in the executive branch. All you're doing is leaving it to the agencies to reallocate existing resources. It (the order) basically just asks for a lot of planning and reporting about what to do next."
In a related development, the European Commission last week proposed a sweeping Cybersecurity Directive underscoring that "the push for regulation in this area extends well beyond Washington," Pearson notes.
everyone agrees that the federal government has a big role to play in cybersecurity," Pearson says. "Companies will be wary of information sharing without liability protection - which is something only Congress
F. Ward Holloway, vice president of business development at FireMon, says he will be supportive of Obama's order if it amounts to a "concrete action plan to help reduce and eliminate breach events" that are occurring daily and receiving more public
"Specifically, there needs to be a commitment to moving to a proactive versus reactive network security posture," Holloway says. "The technology already exists to do this."