White House still working on cyber exec order despite renewed push for legislation

The White House is continuing to work with lawmakers and other "key players" to craft an executive order aimed at securing the country’s privately-owned critical infrastructure from cyber attacks despite the Senate Majority Leaders’ plan to hold a vote on cybersecurity legislation next month.

"We have held sessions with both House and Senate staffers to talk about actions that executive departments and agencies can take, including a possible executive order," a National Security Council spokeswoman told Killer Apps on Oct. 17. "We’re essentially, still in deliberating and consulting phase wanting to make sure that anything we put together for the president’s considerations takes into account of these key stakeholders" on Capitol Hill and in the private sector.

These comments come several days after Sen. Majority Leader Harry Reid (D-Nev.) announced that he plans to bring last summer’s cybersecurity bill sponsored by Sens. Joe Lieberman (I-Ct.) and Susan Collins (R-Maine.) to the Senate floor for a vote next month.  The bill, known as the Cyber Security Act of 2012, stalled in early August amidst objections by Republicans opposed to the minimal cyber security standards it would establish for critical infrastructure providers. Republicans claimed the security standards would be burdensome to businesses and would not be able to keep up with the ever-changing nature of cyber threats.

"Secretary Panetta has made clear that inaction is not an option," said Reid on Oct. 13. "I will bring cybersecurity legislation back to the Senate floor when Congress returns in November. My colleagues who profess to understand the urgency of the threat will have one more chance to back their words with action, and work with us to pass this bill."

While Reid acknowledged concerns of his legislative colleagues who have criticized the White House for crafting an executive order, (read more on that here) he encouraged a two-pronged approach (perhaps race is a better way to describe it) between the White House and Congress meant to quickly establish cybersecurity standards for critical infrastructure providers.

"Some of my colleagues have suggested that the President should delay further action to protect America from this threat until Congress can pass legislation," said Reid. While "cybersecurity is an issue that should be handled by Congress, but with Republicans engaging in Tea Party-motivated obstruction, I believe that President Obama is right to examine all means at his disposal for confronting this urgent national security threat."

In addition to establishing minimal security standards for banks, utilities, transportation and communications firms, Lieberman and Collins’ bill allows rapid information sharing between businesses and the government, protects businesses from lawsuits for inappropriately sharing private citizens information and it restricts the type of information that could be collected about U.S. citizens and how it could be used. 

Just yesterday, Maryland Democrat Sen. Barbara Mikulski said that a newfound sense of urgency amongst lawmakers about cyber security has increased the chances that the Lieberman-Collins bill will pass in November.

Here’s what the White House said about its executive order on Oct. 5:

We are exploring ways for Executive Branch Departments and Agencies to more effectively secure the nation’s critical infrastructure by working collaboratively with the private sector. We are considering an Executive Order (EO) as one way to improve such collaborative efforts. However, an EO is not a substitute for new legislation. While an EO doesn’t create new powers or authorities, it does set policy under existing law.

We believe that cybersecurity best practices should be developed in partnership between government and industry. For decades, industry and government have worked together to protect the physical security of critical assets that reside in private hands, from airports and seaports to national broadcast systems and nuclear power plants. There is no reason we cannot work together in the same way to protect critical infrastructure cyber systems upon which so much of our economic well-being, national security, and daily lives depend.

Our intent is to focus on and address the nation’s critical infrastructure, whose incapacitation from a cyber incident would have grave national security and economic consequences. Since most companies aren’t critical infrastructure, we are only looking at a small subset of the companies in the U.S.  We believe that companies driving cybersecurity innovations in their current practices and planned initiatives can help shape best practices across critical infrastructure. Companies needing to upgrade their security would have the flexibility to decide how best to do so using a wide range of innovative products and services available in the marketplace. We remain committed to incorporating strong privacy and civil liberties protections into any initiative to secure our critical infrastructure.

The process of developing an Executive Order will take time, as we believe that it must take into account the views of our partners in the private sector and the Congress. We have started reaching out to both the private sector and Congress and we look forward to gaining their input. Given the gravity of the threats we face in cyberspace, we want to get this right in addition to getting it done swiftly.