With reports of a draft executive order on cybersecurity being circulated, it now seems likely that President Obama will go forward with this flawed approach. The peculiar thing is that the order does not seem to add anything new. If that is true, why is the President expending political capital to pursue it?
The Cybersecurity Act of 2012 failed to pass in the Senate, even with the last-minute horse trading that occurred just before the vote. The concern of most opponents—including numerous businesses and the Chamber of Commerce—was the regulatory basis of the bill. Regulation is the wrong way to add security, and many of the nation’s legislators agreed. The bill could not clear the Senate, and certainly wouldn’t have passed the House.
The President again wants to tell Congress that his judgment is better than theirs. The Administration still feels that the Department of Homeland Security (DHS) not only can develop the appropriate regulations to provide cybersecurity, but should also fully oversee U.S. businesses and infrastructure in that effort. That is wrong. DHS has shown itself to be inadequate for that task on smaller issues such as chemical industry security. Why would anyone think that it could handle a task as monumental as cybersecurity for all U.S. critical infrastructure? This is especially concerning since the government doesn’t even do a good job protecting its own infrastructure from cyber attacks.
That said, the order appears to be crafted to seem as vanilla as possible. It calls for voluntary regulation that infrastructure owners in the private sector would elect to follow. It would set up a council headed by DHS, with the Departments of Defense, Commerce, Energy, and Treasury as members, and with the Attorney General and the Director of National Intelligence as advisors. This is the only “new” aspect.
The council would decide what constitutes critical infrastructure, and which companies would therefore be “encouraged” to participate. After that, the National Institute of Standards and Technology (NIST) would develop the standards (it already does that), DHS would use the sector coordinating councils to polish the NIST recommendations (it already does that), and industries would choose what methods they would adopt to move toward the new standards. This all sounds like a lot of effort to add very little to the mix. Or is it?
There is still a great concern that this will be a backdoor to an expansion of regulation. There is a huge possibility that individual agencies will take the “voluntary” standards, marry them to existing authorities, and turn them into full-blown regulations. This is exactly why the Cybersecurity Act of 2012 was rejected.
Federal regulations are too slow, too static, and too focused on a lowest common denominator. They will emphasize compliance, not true security. American entities will be “racing” to meet static regulations, believing that doing so will make them safe. They will never be able to keep pace with new innovations, and the nation’s adversaries will move around, over, and through our now inadequate defenses. Hackers, whether individual, criminal, or international, are all waiting eagerly.
This Executive Order is not needed. Congress, the Administration, and industry need to roll up their sleeves together and get it right. America deserves a good, functioning cyber bill, not a political stunt that will do more harm than good.