President Obama plans to issue his cybersecurity executive order on Wednesday, following his State of the Union address, according to The Hill.
Based on drafts circulating several months ago, the executive order is likely to be highly flawed in its efforts to impose regulations on the dynamic cyber realm. In addition to simply being a poor policy choice, Obama seems set on burning bridges with Congress by circumventing them on this issue.
The last Congress was unable to pass a cybersecurity bill for good reasons. The House easily passed the Cyber Intelligence Sharing and Protection Act (CISPA), a bill designed to improve the sharing of information on cyber threats and vulnerabilities, with bipartisan support. Totaling only 27 pages, CISPA was a good-faith effort to improve our information sharing, something that virtually every cybersecurity proposal has included. Though last-minute changes made the bill much less worthwhile, CISPA nonetheless focused on policy that is cost-effective, able to keep up with the constantly changing cyber realm, and supported by the very businesses being hacked.
Regrettably, some in the Senate and the Administration insisted that cybersecurity regulations be the main feature of any proposal. Many Senators, however, thought regulations might actually hurt our cybersecurity by imposing large costs, harming innovation, encouraging a compliance attitude, and dooming security to a stuck-in-the-past mindset. As a result, the Senate twice failed to pass a regulatory bill known as the Cybersecurity Act of 2012 (CSA).
Both the Senate and the House decided that regulations were not the way to go, and yet that is exactly what Obama plans to impose. Not to be stopped by Congress, Obama is now poised to release his executive order on cybersecurity. While the President is busy spinning it as a “voluntary” public-private partnership that sets up best practices, the draft executive order is not truly voluntary.
The draft executive order instructed regulators to search for their pre-existing authority on cybersecurity and then tells them that they “are encouraged to propose [cybersecurity] regulations.” Encouraging regulators to regulate is like encouraging high school boys to play more video games—they don’t need much encouragement to do what they already love doing.
The President will likely claim that the cost of inaction is too high and so he had to cut through the political deadlock to get something done. While the cost of inaction is high, the cost of taking the wrong action is even higher. Instead of making our cybersecurity woes better, Obama’s executive order promises to make them worse and may even dissuade some in Congress from acting at all.
To top it all off, Obama will conveniently release this executive order the day after his State of the Union address. In an act of political gamesmanship, the President will go before Congress and tell them how it will be for the next four years: “Do what I want, or I will find a way to do it without you.”
Instead of political games and conveniently timed executive orders, Obama should work with Congress to craft dynamic cybersecurity solutions like information sharing. Sadly, focusing on policy might be the last thing on Obama’s mind tonight.