Over the weekend, a draft of a cybersecurity executive order was shown to members of the press. Leaked reports of secretive decision making are what the U.S. gets when the President decides to ignore the democratic process and implement rules by executive fiat. The U.S. also gets policies that are often incomplete and poorly thought out.
Reports indicate that the executive order will create a cybersecurity council, with the Department of Homeland Security (DHS) in charge. The council will create a voluntary information-sharing system and a voluntary regulatory framework.
The Heritage Foundation has been very supportive of information sharing as a way to improve cybersecurity. However, we have also been clear that for information sharing to work, certain important features are necessary. Clear liability protection—protection for companies that share information in good faith and without malicious intent—is absolutely critical. Without liability protection, companies will be afraid to share their cybersecurity information, because it might be used against them in court later.
The executive order has its limits, and one of them is that it cannot provide liability protection. Effective information sharing can be realized with actual legislation, but it would help if the President would slow down and allow Congress to do its job of crafting a complete approach.
Another problem with the executive order is that it follows the same approach as the failed Cybersecurity Act of 2012 (CSA) with regard to regulation. The CSA fell short in the Senate because there are many who believe that standards and regulations are the wrong way to proceed in the dynamic realm of cybersecurity. The executive order will create a voluntary, standards-based program for protecting critical infrastructure, with standards written by the National Institute of Standards and Technology and most likely carried out by sector-based regulatory agencies that are already in place, such as the Federal Energy Regulatory Commission.
These standards, however, are almost worthless because even Jim Lewis, a supporter of a regulatory approach from the Center for Strategic and International Studies, concluded: “Find me a company that says ‘I’m going to voluntarily agree to be regulated by DHS.’ Nobody is going to volunteer to have DHS regulate them.” If anything, this will give a false sense of security, slowing Congress from acting and delaying real cybersecurity improvements.
The President should reject a cybersecurity executive order that will do little to solve our cybersecurity woes and will likely only hinder Congress from moving forward on real solutions in the future.