Executive order would not allow 'meaningful leap' on cybersecurity

Sidestepping Congress would not allow comprehensive change, but would give 'enough meat to set some standards,' says one expert

President Obama is being urged by members of Congress to bypass the legislative body after its failure to pass cybersecurity legislation over the summer.

Sen. Dianne Feinstein (D-Calif.), who chairs the Senate Intelligence Committee, called on Obama in an open letter last week to issue an executive order for government agencies and critical infrastructure owners to implement better controls to protect their computer networks.

There is plenty of precedent for such action. The President has bypassed Congress with executive orders more than 130 times. Among the most notable were his creation of a version of the Dream Act and his declaration that the federal government would no longer enforce the federal Defense of Marriage Act. His mantra at these times: "We can't wait."

Sen. Feinstein and others, including Sen. Jay Rockefeller (D-W. Va.), who made a similar request in a letter to the White House last month, argue we cannot wait on cybersecurity.

After Congress failed to pass the Cybersecurity Act of 2012, the White House said that the President was considering implementing some of the goals of that bill by executive order.

"Moving forward, the President is determined to do absolutely everything we can to better protect our nation against today's cyber threats and we will do that," White House Press Secretary Jay Carney said at the time.

The President does not have the authority to include everything that had been proposed in the Cybersecurity Act, as Rockefeller acknowledges. A voluntary program in the bill would have offered incentives, such as government assistance to operators of critical infrastructure who meet federal security standards, when they are confronted with a cyberthreat.

A presidential executive order could not include those incentives, but Rockefeller wrote that "many components of the Cybersecurity Act are amenable to implementation via executive order, normal regulatory processes, or other executive action under the authorities of the Homeland Security Act."

Jacob Olcott, a principal at Good Harbor Consulting and former Senate staffer, said that by the time the bill came to a vote it had been stripped of most of its more controversial provisions in an effort to gain Republican support.

And that has implications for an executive order. "The president can't create new requirements for unregulated industries," he said. "But he could exercise existing authority to expand certain regulatory systems."

Olcott added that the things the President can do are in the areas where there has been general agreement between the parties. "The executive order could formalize a lot of the policies the parties and the Administration had informally agreed on," he said.

Joel Harding, a retired military intelligence officer and information operations expert, said it is likely that an executive order would please neither party, for different reasons. "But at least it provides some serious updates to the 2003 Presidential Directive on Cybersecurity," he said. "There will be enough meat to set some standards but not enough to make a meaningful leap in cybersecurity."

The politics of it obviously depend on partisan leanings. Tim Campbell, writing on the website of Republican Elizabeth Emken, who is trying to unseat Feinstein, mocked the senator for what he called "an election-year ploy."

"Come on Dianne," Campbell wrote. "If this were anything more than a charade, why didn't you put it into play the first two years of this administration?"

"...This is Dianne Feinstein's way of encouraging Obama to do what he has done all along, circumvent Congress. Has Feinstein forgotten the gavel is held by the Senate majority leader, the obstreperous Harry Reid? He is the kink in the hose. It's a matter of him calling said legislation to a vote."

Sen. Susan Collins (R-Maine), who cosponsored the CSA with Sen. Joe Lieberman (I-Conn.), was much gentler in her comments about a possible executive order, saying she would prefer that the president not bypass Congress on cybersecurity legislation.

Harding said the President can defend an executive order by arguing that he is "making progress as opposed to the 'do-nothing' Congress, which, of course, is aimed squarely at the Republicans."

"There is even a good chance Obama will bring this up in the presidential debates," he said. "But there is a strong possibility that Mitt Romney [the Republican challenger] will hand him his lunch, stating the lack of information sharing requirements, lack of standards, etc."

Copyright © 2012 IDG Communications, Inc.
