There are reports circulating that the White House has drafted an executive order to implement cybersecurity regulations. Congress—the representatives of the people—could not reach the level of agreement required by the Constitution to pass the Cybersecurity Act of 2012.
Now, a few Senators say they know better and have urged the President to ignore Congress and simply direct a new set of cybersecurity regulations by executive order. Is this legal? Possibly, but that depends on the scope of any future executive order and the President’s discretion under existing legal authorities. Is it wise to proceed on this issue by unilateral executive action?
Absolutely not!
First, why did the Cybersecurity Act of 2012 fail to pass? Was it political spite, or election year partisan wrangling? Some might think that, because they believe that anyone who disagrees with them is clearly motivated by power politics. This is ridiculous. The bill did not pass because there are reasonable and serious policy differences regarding how the nation should approach the growing challenge of cybersecurity. These differing camps are not at opposite ends of the political spectrum, but are spread throughout the American ideological landscape.
The staffs of Senators Joe Lieberman (I–CT) and Susan Collins (R–ME), who wrote the bill, actually did a very good job of reaching out to a wide array of actors from the public and private sector during its long incubation. As the vote neared, they also tried to soften several areas that opponents found objectionable. They deserve congratulations for the effort. In the end, however, they failed to gain the support needed for their point of view.
The main complaint with the bill was that it was based on a regulatory framework. Even though the staffs made some of the major provisions “voluntary,” individual agencies could have promulgated regulations that would have been binding in specific industry sectors. The bottom line is that a significant number of relevant players think regulation is the wrong way to foster cybersecurity. That is what killed the bill.
Regulation—particularly federal regulation—is slow, cumbersome, and static. Once it is in place, it is nearly impossible to change or remove. This is exactly the wrong approach for dealing with a fast-moving and incredibly dynamic field like cybersecurity. Give hackers—whether working for themselves or for another nation-state—a static standard, and they will waltz around it and have their way with the target entity. Those who opposed the bill recognized this. Those who favored it believe that any bill is better than none. This is simply not the case.
Getting back to the possible executive order: The President obviously falls into the “any bill” camp. He is also greatly in favor of as much federal regulation as he can get, believing that the Feds always have the answer and must always be the benevolent father protecting the people from themselves. It does not seem to matter that the majority of major tech businesses (and many government auditors such as the Government Accountability Office) feel that regulations like this will stifle innovation and foster a culture of “minimal compliance.”
The President should resist the temptation to ladle on a new regulatory bureaucracy (or bureaucracies) simply to satisfy the need to “do something.” If it is not done right, it will do damage. Let the debate continue until it is done right, Mr. President. It’s called the democratic process, and it invariably provides the best answers, even if it takes a while.