A Cybersecurity Dream Act AlternativeBypassing Congress in Developing IT Security Standards
When Congress failed to enact the Dream Act that would have provided conditional permanent residency to young adults, who as children came to the United States with their parents illegally, President Obama issued an executive order to grant them temporary legal residency so they could get jobs, attend college and obtain driver licenses.
Will Obama use the Dream Act model of bypassing Congress to advance his cybersecurity agenda? Obama's counterterrorism adviser John Brennan hints that such an order could come [see Cat Out of Bag on Infosec Regulation?]. And, a leading U.S. senator thinks the president should issue one.
Companies that own critical infrastructure will choose to participate in this program because it will be in their best option to protect themselves against the cyberthreat facing our nation.
Jay Rockefeller, the West Virginia Democrat who chairs the Senate Committee on Commerce, Science and Transportation, is encouraging Obama to issue an executive order to establish a program to protect critical cyber infrastructure along the lines of components of the Cybersecurity Act of 2012, which he co-sponsored and in which the Senate is filibustering [see Senate Votes to Block Cybersecurity Act Action].
Rockefeller says the president should create a collaborative partnership between the federal government and business to conduct cyber-risk assessments of the nation's most critical infrastructure and create voluntary best practices for companies to implement. What an executive order can't do - and a key element of the Cybersecurity Act - is to offer incentives to companies adopting the practices, including protection against liability for punitive damages. Still, Rockefeller believes it's in the nation's best interest to formalize a collaborative process to establish best practices to protect the mostly privately owned and operated critical infrastructure.
"I believe companies that own critical infrastructure will choose to participate in this program because it will be in their best option to protect themselves against the cyberthreat facing our nation," Rockefeller says in a statement. "This cyberthreat is unprecedented and we need an innovative and cooperative approach between the private sector and the federal government to protect the country from it."
Specifically, Rockefeller says the program should:
- Begin with a comprehensive and collaborative government and private-sector risk assessment to inventory the threats and vulnerabilities that pose particular risks to specific categories of critical infrastructure.
- Draw on government and business expertise to develop dynamic and adaptable cybersecurity practices that are best suited for each critical infrastructure sector.
- Implement these practices through private-sector collaboration with and assistance from government agencies including the departments of Defense, Commerce and Justice as well as other sector-specific agencies and regulators and led by the Department of Homeland Security.
There should be no illusion that such an executive order would replace the need for legislation that provides businesses with the legal safeguards that come with information sharing so crucial for cybersecurity. And, such a program would fall far short of what many feel should be more aggressive government oversight to assure operators of vital IT systems adopt the right practices to safeguard them. Still, any program to get government and business to collaborate to identify best security practices must be pursued, and politicians must avoid making cybersecurity part of the ugly partisanship that seems to weigh heavily on government today.
That will be a difficult hurdle to clear, however. Even provisions calling for voluntary compliance with best practices detailed in the Cybersecurity Act have strong opposition - mostly from Republicans - because they see it as a first step toward government regulating private-sector IT security. One would hope lawmakers would put partisanship aside and work toward a solution to help protect critical IT systems, even with government involvement. But in an election year, which is turning out to be among the ugliest, that hope won't likely occur, at least not until after the November vote, if even then.