Demise of cybersecurity bill means executive order on the way
While the expressed purpose of the order is to safeguard the nation's critical infrastructure, there are fears power will be abused
November 21, 2012 — CSO — The demise of the Cyber Security Act of 2012 (CSA) clears the way for President Obama to issue an executive order (EO) implementing at least some of the major elements of the bill. And some political observers say that has been Senate Majority Leader Harry Reid's endgame since the bill failed the first time in August.
By the time it came to a vote last Wednesday on whether the U.S. Senate would end debate and bring the CSA to a vote, its failure was a mere formality.
The bill, largely unchanged from when it was rejected on Aug. 2, got 51 votes -- one less than in August. The opposition was largely unchanged -- the business community opposed what it said were unnecessary and onerous regulations, and organizations like the Electronic Frontier Foundation (EFF) opposed what they said were provisions that would allow companies to "monitor our private communications and pass that data to the government."
The bare majority was mostly Democrats, joined by a few Republicans. The opposition was mainly Republican, joined by a few Democrats.
A Wall Street Journal editorial said it was basically a political gamesmanship charade. Reid, the paper said, "[aborted] a bipartisan Congressional push to strengthen the nation's digital defenses. By rushing a floor vote on a cybersecurity bill in order to kill it, the Senate Majority Leader is giving political cover to White House plans to regulate the Web by bureaucratic fiat."
Rebecca Herold, CEO of The Privacy Professor, agreed that the move probably had a strategic purpose, but didn't think it was quite as malevolent as The Journal's editorial did.
"Given the expressed urgency of [Secretary of Defense Leon] Panetta and the president to address the very real cybersecurity risks, it would seem that Reid may have wanted to provide what would be perceived as ample opportunity for Congress to address the risks with some type of bill prior to doing what could then be considered as a last-resort type of move with an executive order," she said.
Whatever the motivation, the question now is when President Obama will issue an executive order to implement at least some of the major provisions of the Cyber Security Act.
Eric Chabrow reported at GovInfoSecurity that there is still some debate over it within the administration. "James Lewis, a senior fellow at the Center for Strategic and International Studies, said divisions exist within the White House on defining in the executive order exactly how the government would identify those practices and the role the Department of Homeland Security should play in implementing IT security practices," Chabrow wrote. "Once those differences are ironed out, Lewis said the president will likely issue the executive order."
Reports say the order is expected to establish a cybersecurity council chaired by the Department of Homeland Security (DHS), which will develop a report to determine which agencies should regulate which parts of the nation's critical infrastructure.
It is also expected to require government information sharing about threats, create voluntary standards for critical infrastructure industries, strengthen oversight of cybersecurity by regulatory agencies, and use federal procurement as a means of pressuring companies to improve security.
While the expressed purpose of the order is to safeguard the nation's critical infrastructure systems from a crippling cyberattack, there are fears that the powers granted either by legislation or an executive order will be abused.
"Government invariably exploits what appears to be well-meaning legislation to attack political enemies," wrote Kurt Nimmo at InfoWar. "If enacted by imperial fiat, the ability of the federal government to attack that enemy and disrupt and censor the free flow of information on the Internet under the guise of protecting public infrastructure will be greatly enhanced."
Herold said whether the order will protect both critical infrastructure and privacy rights is "the million-dollar question."
"Something needs to be done to address the cybersecurity threats, but it is important that those actions do more to secure our infrastructure than they do to ultimately bring harm and privacy infringements as a result," she said.
There is also concern among privacy advocates about an order the president issued last month -- this one in secret, at least for a few weeks. The Washington Post's Ellen Nakishima reported that the president had signed a classified directive "that effectively enables the military to act more aggressively to thwart cyberattacks on the nation's web of government and private computer networks."
"Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace," she wrote.
Gary McGraw, CTO of Cigital, said he believes a speech Panetta made last month warning that the U.S. would consider a preemptive cyberattack if it believed an attack was coming from an enemy, was based on that secret directive.
"To some extent, I think he let the cat out of the bag," he said. "But I haven't seen it [the directive.] It's classified."
As he has in the past, McGraw said he believes launching a preemptive attack could be catastrophic, because the U.S. still has not solved the problem of attribution -- knowing for certain the source of an attack -- and is living in a glass house when it comes to cyber-vulnerabilities.
"We need better security engineering, which would make us less vulnerable and would be a real deterrent. And we're the only ones in the world who could afford it," McGraw said.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
Other stories by Taylor Armerding