This article was published on February 13, 2013

Cybersecurity in the US: Where we stand, and what comes next

Story by Alex Wilhelm

Alex Wilhelm is a San Francisco-based writer. You can find Alex on Twitter, and on Facebook.

Yesterday, US President Obama signed and released an executive order on the issue of cybersecurity. He then raised the issue in his State of the Union address, saying:

We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

The order has been met with cautious optimism from the technology and activist communities. Certain members of Congress are infuriated.

However, the order has a very constrained purview. As quoted by Forbes, the Electronic Frontier Foundation’s Lee Tien states its limitations succinctly: “We definitely like the executive order better than CISPA. But they do fairly different things. The executive order can’t change any federal rules. It just changes the way the executive branch chooses to do things.” Thus, with regard to helping the nation frankly take on the issue of cybersecurity, more must be done.

The President noted that directly in his address: “Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attack.” Still, the order does much, including analyzing the readiness of critical infrastructure for attack. Following the preparation of reports on a 90-day timeframe:

(b) If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies identified in subsection (a) of this section shall propose prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866 of September 30, 1993 (Regulatory Planning and Review), Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), and Executive Order 13609 of May 1, 2012 (Promoting International Regulatory Cooperation), to mitigate cyber risk.

That’s a bit dry, but it indicates that the administration intends to do as much as it can to better prepare key pieces of American infrastructure for attack.

I can’t boil down the 8-page order for you into a few short paragraphs, given its complexity and breadth. However, the key element of the order is that, as The Hill notes, the National Institute of Standards and Technology has been instructed to “work with companies that operate critical infrastructure to develop a framework of cybersecurity best practices.” That’s not much, in terms of total power.

Interestingly, the sharing of information between the government and private enterprise flows from Washington out. This is likely due in part to the limited authority of the Executive Branch, but isn’t unwelcome. The ACLU gave it its stamp of approval: “The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties.”

The President has acted, moving first on the issue as he can. Still, the issue is not in any way closed or solved. Thus, Congressional action is next. Let’s move on.


The controversial Cyber Intelligence Sharing and Protection Act (CISPA) is back, in the very same form as before. Key to its tenets is the ability to grant immunity to corporations, or as Techdirt put it, the Act “free[s] up companies from any possible liability when they hand over your info to government agencies based on vague standards concerning ‘threats’ (and then those government agencies can then use that info for pretty much anything).”

The bill was considered so onerous in terms of privacy protections that the President floated a veto threat. The Senate never took it up, instead working on crafting its own bill, which it failed to pass. The Senate cybersecurity circus was in full swing until the lights went off on the last Congress.

CISPA is being put back into play sans changes, the day after President Obama launched his executive order. This smacks of a response, as the bill had previously been under review, in cooperation with the White House, for a privacy overhaul. That, apparently, has been cancelled.

As quoted by Wired, Sen. Grassley, to give an example of the complaint that has followed the executive order, is frothing: “It is a very dangerous road he’s going down contrary to the spirit of the Constitution […] Just because Congress doesn’t act doesn’t mean the president has a right to act.”

CISPA might pass the House again, but there will be a vociferous response. It is utterly dead on arrival in the Senate, again. Thus, we are Congressionally where we were before. Let’s start the betting: how much of the executive order will be in effect before the Senate passes a bill to supplement it?

To start in Congress with CISPA again is to start on the wrong foot. Tripping out the gate, let’s see what the chambers of our Legislative Branch can do. Just don’t expect quick progress.

As always with this sort of post, I link, quote, and excerpt more than usual. This is to encourage you to dig into all the source material and analysis that you can.