Napolitano: Cybersecurity legislation preferred over exec order

Here’s your midweek update on the push from the White House and Congress to establish minimal cybersecurity standards for banks, energy firms, transportation companies and communications businesses — frequently called critical infrastructure providers by the government.

While Senate Majority Leader Harry Reid (D-Nev.) has said he plans to call for a vote on the Cyber Security Act of 2012 next month, the White House is still circulating a draft of its executive order — or "EO" — on cybersecurity to businesses that it would affect in an effort to get their feedback.

"In light of the failure of the Congress to be able to pass legislation this past year, in part, because we recognize given the severity and urgency of the situation we can’t simply wait if Congress cannot act," Homeland Security Secretary Janet Napolitano said after an Oct. 25 speech about cybersecurity at the Center for Strategic and International Studies. "One of the things that’s happening now is outreach into the private sector and other stakeholders to look at it and get some feedback before any EO would be issued if there is, ultimately, that decision."

Still, senior administration officials maintain that they would like to lose this race to lawmakers. During questions after her speech today Napolitano echoed the White House and Defense Department’s argument that legislation is key to protecting the nation’s critical infrastructure from cyber attack.

"If you ask me what concerns me the most, is that in an interconnected world, where infrastructure is concerned you could have entities that are doing a really good job, but it only takes one or two to create a gap in the system and then the gap can have a domino effect," said Napolitano. "That’s why having legislation, I think in the end, is going to be absolutely necessary to make sure we have [a set of uniform] best practices that are incorporated in the core infrastructure of the country."

Napolitano added that while legislation is a better way to deal with securing critical infrastructure than an executive order, the lame-duck Congress will have plenty on its plate when it returns in mid-November, including trying to reach a deficit reduction deal to avoid the massive government spending cuts that are scheduled to take effect in January.

The White House is keeping a tight lid on the details of its executive order, saying only that it will take a "collaborative" approach with businesses and lawmakers in developing cybersecurity "best practices" for critical infrastructure providers. Any such order will have strong privacy and civil liberties protections in place, according to the White House. In addition to establishing best practices, the order may provide a means for rapid information sharing about cyber threats between businesses and the government.