WH Moves Closer to Issuing Infosec Executive Order

Obama Aide Says Legislation Still Needed Even if Order is Issued

President Obama's homeland security adviser confirms that the administration is considering issuing an executive order to secure the mostly privately-owned systems critical to the functioning of the United States' economy and society.

"Following congressional inaction, the president is determined to use existing executive branch authorities to protect our nation against cyberthreats," John Brennan said in a letter to Jay Rockefeller, the chairman of the Senate Commerce, Science and Transportation Committee. The letter, dated Sept. 12, was released by Rockefeller's office on Sept. 14.

Brennan, assistant to the president for homeland security and counterterrorism, said the administration is exploring issuing an executive order to direct federal agencies to secure the nation's critical infrastructure by working with the private sector to develop security standards.

The letter from Brennan suggests that Obama could issue such an order shortly.

Congressional Action Still Needed

Even if Obama issues an executive order, Brennan said the need exists for a new, comprehensive cybersecurity law. "Executive branch actions under existing authorities cannot alter the reality that the United States government will continue to be hamstrung by outdated and inadequate statutory authorities that the legislation would have addressed," he said. "Comprehensive legislation remains essential to improve the cybersecurity of the nation's core critical infrastructure."

Among the authorities the president lacks through an executive order is the ability to provide liability protection for businesses sharing IT security information with the government and other businesses, as well as to provide safeguards for privacy and civil liberties.

In the letter, Brennan emphasized that an executive order would focus on the federal government working with private-sector infrastructure owners to develop best practices that can be adopted voluntarily.

The executive order, if issued, would likely incorporate elements of the Cybersecurity Act of 2012, which stalled in the Senate after failing to win enough votes to stop a filibuster. Those elements would direct the Department of Homeland Security to oversee a government initiative to work with the private sector to develop IT security standards that infrastructure owners could adopt voluntarily.

President Being Urged to Act

Brennan wrote to Rockefeller because the West Virginia Democrat last month urged Obama to issue an executive order to establish a program to protect critical cyber infrastructure along the lines of components of the Cybersecurity Act of 2012, of which he is a main sponsor [see A Cybersecurity Dream Act Alternative].

Other lawmakers, including the chair of the Senate Select Committee on Intelligence, Dianne Feinstein, have called for Obama to issue a cybersecurity executive order [see Obama Urged to Take Solo Action on Cybersecurity]. Feinstein, D-Calif., also is a Cybersecurity Act sponsor.

Another of the bill's sponsors - Susan Collins, the Maine Republican who serves as the ranking member of the Committee on Homeland Security and Governmental Affairs - cautioned Obama against issuing an executive order, saying she's concerned that such action could send the unintended signal that congressional action is not urgently needed [see 'We Can't Wait' for Cybersecurity].

A major concern expressed by the mostly Republican opponents of voluntary standards - whether issued through an executive order or legislation - is that they could lead to regulations.

Brennan first raised the possibility of the administration going alone on cybersecurity standards in a television interview early last month [see Cat Out of Bag on Infosec Regulation?], when he said: "One of the things that we need to do in the executive branch is to see what we can do to maybe put additional sort of guidelines or policies in place under executive branch authorities. I mean, if the Congress is not going to act on something like this, then the president wants to make sure that we're doing everything possible."


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.