- Last year, the House passed CISPA (the Cyber Intelligence Sharing and Protection Act), but privacy advocates criticized it — and the White House threatened to veto it — over concerns about measures that would allow the National Security Agency and military to collect private information.
- On the flip side the Senate too failed to pass the Cybersecurity Act of 2012, which was said to be an improvement when it came to privacy concerns of CISPA, but Republicans said it could hamper industry by increasing costs.
- Now, President Obama is expected to sign a cybersecurity executive order that would create voluntary standards for the reporting and sharing of information about cyberattacks between private industry and the government. Some of the concerns held among both bills still stand with this e.o.
In November 2012, when Republicans killed a cybersecurity bill in the Senate, it was speculated that such a move only served to increase the likelihood that President Barack Obama would sign an executive order regarding cybersecurity. Since last week, sources have been claiming that this said executive order would be signed by Obama Wednesday, the day after his State of the Union address.
There appear to be several reasons why conservatives are against the executive order, one of which is that just by its very nature it is “burning bridges with Congress,” David Inserra wrote for The Heritage Institute.
Congress failed to pass the Cybersecurity Act of 2012 (CSA) and the Cyber Intelligence Sharing and Protection Act (CISPA) for various reasons, which included the potential for violations of anti-trust laws by the government and that reporting threats would burden the industry.
The reported upcoming executive order, according to sources speaking with Bloomberg, would be a set of voluntary cybersecurity standards to address the need for greater protection for America’s infrastructure that is connected to the Web and to facilitate better communication and reporting between private industry and the government. Just last fall Obama also signed a secret directive that gave the military more offensive and defensive power when it came to cybersecurity.
Here’s more about the executive order, the draft for which was obtained by the Associated Press last fall:
A new White House executive order would direct U.S. spy agencies to share the latest intelligence about cyberthreats with companies operating electric grids, water plants, railroads and other vital industries to help protect them from electronic attacks, according to a copy obtained by The Associated Press.
The draft order directs the department to work with the Pentagon, the National Security Agency, the director of national intelligence and the Justice Department to quickly establish the information-sharing mechanism. Selected employees at critical infrastructure companies would receive security clearances allowing them to receive the information, according to the document. Federal agencies would be required to assess whether the order raises any privacy or civil liberties risks.
To foster a two-way exchange of information, the government would ask businesses to tell the government about cyberthreats or cyberattacks. There would be no requirement to do so.
This is where conservatives become concerned — some believe that the voluntary standards won’t truly be voluntary.
Here’s more of the perspective from The Heritage Institute:
The draft executive order instructed regulators to search for their pre-existing authority on cybersecurity and then tells them that they “are encouraged to propose [cybersecurity] regulations.” Encouraging regulators to regulate is like encouraging high school boys to play more video games—they don’t need much encouragement to do what they already love doing.
The President will likely claim that the cost of inaction is too high and so he had to cut through the political deadlock to get something done. While the cost of inaction is high, the cost of taking the wrong action is even higher. Instead of making our cybersecurity woes better, Obama’s executive order promises to make them worse and may even dissuade some in Congress from acting at all.
At the same time that Obama is expected to sign this new executive order, it also appears that CISPA will be rearing its head again. The Hill reported CISPA co-sponsors, Rep. Dutch Ruppersberger (D-Md.) and Mike Rogers (R-Mich.), saying they planned to reintroduce the bill.
“We’re working on some things…working with the White House to make sure that hopefully they can be more supportive of our bill than they were the last time,” Ruppersberger said according to The Hill.
To the news of all this cybersecurity legislation, the American Civil Liberties Union wrote that it believes the executive order would address the information-sharing issue, but it believes people will need to “fight for their online privacy once again” with CISPA.
The White House acknowledged to the Associated Press last year that an executive order for cybersecurity can only do so much. It cannot offer a company protection from the liability that might come with a cyberattack, for example. Legislation would still be needed to make more extensive changes to cybersecurity protocol in the U.S., the AP stated.