Cyber Security Executive Order: Move Aside, Congress
Last month, after the Senate blocked the Cybersecurity Act of 2012, President Obama threatened to bypass Congress with another executive order (because, you know, he can’t wait). The Hill reports that with the inter-agency drafting process nearly finished, this threat is now close to being carried out.
Unfortunately, President Obama operates under the assumption that any time Congress doesn’t do as he pleases, he can simply issue an executive order to get his way. The whole topic of executive orders won’t be broached here, but this instance is an excellent example of why it is not the job of the executive branch, or of the President for that matter, to make the laws. Heritage’s Steven Bucci has explained that there are certain critical protections that can only be provided by an actual law, something an executive order cannot accomplish.
He also explains that while improvement is needed in cyber security, any law regarding cyber security must be carefully crafted in a manner that respects the decisions of American businesses and their management. This forthcoming cyber security executive order would likely create a more oppressive and restrictive regulatory superstructure, but it would add little additional security.
According to The Hill:
“The White House is crafting a draft executive order aimed at protecting the nation from cyberattacks targeting critical infrastructure, such as the electric grid, water systems and transportation networks. The order would create a voluntary program in which companies operating key infrastructure would elect to meet a set of security standards developed, in part, by the government.”
This voluntary program is modeled after the Cybersecurity Act of 2012, but don’t let the word “voluntary” fool you. This would not benefit businesses. Heritage’s Paul Rosenzweig explains four ways that this would be harmful to the private sector:
“First, the government should not be in the position of denying its threat information to critical infrastructure owners who choose not to adopt the voluntary standards, likely for justifiable business reasons. If the infrastructure in question is truly “critical,” it is in America’s collective interest to protect it as much as possible…
Second, the liability protections provided as an incentive are far too weak. If a company adopts the voluntary standards, it could still be sued for consequential damage…
Third, voluntary standards would stifle innovation and likely be obsolete by the time they are written. Over the multi-year process when standards are being written and adopted, innovation and investment in cybersecurity products will cease…
Finally, a voluntary standard system is a short step from a mandatory one. Senator Lieberman has already said that if industries do not adopt the voluntary standards, Congress will make them do so. Indeed, it appears that the “voluntary standards” may not even be voluntary after all.”
The Cybersecurity Act of 2012 would have impacted American businesses and the private sector very negatively. Similarly, an executive order that is modeled after this flawed legislation is bound to do the same harm.
Rosenzweig explains that rather than creating a regulatory regime, a good cyber security bill would “strengthen protections for private-sector actors in order to authorize and incentivize the sharing of cyber threat and vulnerability information.” Sadly, with President Obama at the wheel, Congress may have to do more damage control to fix this serious mistake.