Channel: LexBlog

Congress’s Failure to Move On Cybersecurity Leads to Executive Order from Obama : LXBN Roundtable


It’s not healthcare reform. There aren’t millions of illegal immigrants anxiously awaiting word from Congress. No arbitrary deadline exists for legislative action, threatening to push America’s economy into another recession if none is taken. But while cybersecurity isn’t afforded the same pomp and circumstance as other bullet points on Congress’s agenda, the issues are just as serious, the need for reform just as pressing.  Which is why last week, after recent attacks on the Wall Street Journal, the New York Times, U.S. banks, and the Federal Reserve, the President acted, issuing the first step in protecting our nation’s “critical infrastructure” against cyber attacks.

Although the need to beef up our cyber defenses from domestic and foreign attacks is well-documented, our government and businesses remain woefully underprepared for any well-coordinated or sophisticated cyber attack.  Even in the face of a “global cyber war,” with threats from China and Iran becoming more pressing every day, Congress has failed to pass even the simplest legislation to address this growing concern.

Lawyers on the LexBlog Network have watched Congress draft bills again, and again, and again only to see them die in committees or fail in the House or Senate.  At times, serious concerns about privacy have played a part in stopping legislation, but in other instances, politics has gotten in the way of substantive progress.  Even seemingly innocuous acts, aimed only to increase information sharing, education, and training, have joined the ranks of failed bills.

The most recent and highly-publicized failure was the Cybersecurity Act (CSA) of 2012.  The CSA fell short in a Senate vote, 52-46, after a prolonged debate about numerous concerns, including the government’s scope in requiring compliance from companies tagged with the “critical infrastructure” designation.  The Act’s failure led to a letter from Senator John Rockefeller (D-WV), one of the bill’s co-sponsors, to the CEOs of all Fortune 500 companies.

The letter sought to ascertain what steps corporations were taking to protect information, and what concerns they had with legislation like the CSA.  Sent in September, the responses to the letter were made public in January.  William Weber of Baker Hostetler reviewed the Senator’s report on the firm’s blog, Data Privacy Monitor:

“All responses stated that they have developed cybersecurity practices to protect their infrastructure from cyber attacks, often based on legal compliance requirements.  Many companies rely on audit firms and sector-focused trade groups to benchmark and develop their practices.

…..

Concerns raised about the legislation were about the specifics of the government’s role and what impact it would have on companies, such as whether voluntary requirements could become mandatory and would impact the ability to address cybersecurity issues in a flexible manner, or duplicate efforts already underway.”

As Weber went on to write, Senator Rockefeller and his colleagues were almost certainly using the information gathered to craft another cybersecurity bill.

This hunch proved correct when Senator Rockefeller introduced the Cybersecurity and American Cyber Competitiveness Act of 2013.  However, even as the bill began to make its rounds, Robert White was reporting on The Securities Edge about an executive order in the works:

“Despite the positive reaction to Senator Rockefeller’s letter from many of the responding companies, the feasibility of passing any comprehensive cybersecurity legislation during 2013 is unclear. Some observers expect President Obama to issue an Executive Order on cybersecurity matters due to the failure of the legislature to enact meaningful legislation. Senator Rockefeller has supported such an Executive Order in the past, and in fact he referred to it in his September 19, 2012 letter.”

With cybersecurity playing a role in the Presidential election, and rumors of an anticipated executive order circulating after a series of attacks on financial institutions, it was just a matter of time before President Obama addressed the issue directly.  So when the President signed an order on February 12th, it came as no surprise.

But as Stewart Baker, former General Counsel for the National Security Agency and first Assistant Secretary for Policy at the Department of Homeland Security, said in an interview with LXBN TV, while the executive order creates a much-needed framework for cybersecurity standards, there are a few predictable problems, including legislative barriers that require Congressional action:

As Baker noted in his interview and in a post written on his Steptoe Cyberblog, we’re in the midst of a cyber “arms race”, with everyone building better networks and better tools for counterattacks.  The implications of this arms race are far-reaching, but it’s clear some sort of response to this growing threat was necessary.

A key component of the attempted legislative responses to the problem was listening to the needs of commercial interests.  Senator Rockefeller’s letter was more than just a gesture or political move; it was a fact-finding mission of sorts. Businesses large and small have a vested interest in protecting consumer data, and regulations governing how they keep that data secure are clearly of interest.  In Misty Blair’s post on Seyfarth Shaw’s Trading Secrets, she noted that companies need to consider how President Obama’s order will affect them:

“American companies should carefully consider whether they are likely to fall under the designation of “critical infrastructure,” or whether they otherwise provide goods or services to companies likely to fall under that designation, and are thus likely to be impacted by the Executive Order. Even if they do not, they may want to consider the incentives provided for participation in the voluntary information sharing programs established by the Executive Order.”

As the litany of failed legislation would suggest, one of the driving forces behind the order was Congressional inaction.  However, as Leland Beck wrote on the Federal Regulations Advisor, the order was a “good example of what an executive order can and cannot do.”  As Baker alluded to in his interview, Beck made it clear that executive orders cannot replace or replicate legislative action:

“The cybersecurity executive order recognizes POTUS’ limited authority, averring that it be implemented consistent with applicable law and subject to the availability of appropriations, and eschewing that it grants, alters, or limits agency authority granted under existing law, and contains the ubiquitous (or boilerplate) “creates no rights” clause.  This executive order, like most, is a management tool, no more.  Unfortunately, too many read more into such executive orders than is actually there, and the White House would like everyone to believe there is more.”

While Beck is clearly correct, the wealth of analysis and responses to the executive order show a high level of interest in cybersecurity standards.  That Congress has failed thus far in crafting any worthwhile legislation even in the face of attacks on journalists, banks, and government institutions speaks to the strength of outside interests involved.

To read more coverage from LXBN’s authors on cybersecurity, and the Obama administration’s executive order, please visit the respective links.  The sheer volume of analysis can’t be done justice here, with almost 100 posts on cybersecurity, and over 30 posts on the executive order just in the past week.

Photo credit:  marsmet481

