Obama Urged to Take Solo Action on Cybersecurity
Presidential Action Couldn't Fully Protect Businesses from Liability
Dianne Feinstein, who chairs the Senate Select Committee on Intelligence, urges President Obama to take unilateral action to secure critical national IT systems because she doesn't believe Congress will reach consensus on cybersecurity legislation this year.
The California Democrat participated in a number of negotiations with other senators, the White House and privacy and civil liberties groups before the congressional recess as a cosponsor of the Cybersecurity Act of 2012.
"Despite good faith efforts to reach a compromise and major concessions on our part, those opposed to the legislation were able to defeat progress on the bill," Feinstein wrote in a letter to Obama dated Aug. 28. "While efforts to reach consensus continue, I fear that the Congress will be unable to pass meaningful cybersecurity legislation this year."
In calling on Obama to issue an executive order or take other action, Feinstein said she recognizes that such action would not provide the same protection from liability for businesses that share threat information with the government and one another; only Congress could furnish those safeguards.
"Your administration can issue cybersecurity standards and provide technical assistance to companies willing to take voluntary steps to improve their security," Feinstein wrote. "You can also direct the intelligence community and the Department of Homeland Security to provide as much information as possible to the private sector about cyberthreats, including classified information."
Limited, but Meaningful Action
Feinstein characterized the steps the administration could take as limited, but meaningful. "The threats to our national and economic security are simply too great to wait for legislation," Feinstein said.
The Obama administration hasn't ruled out using its executive authority to implement initiatives to safeguard critical systems. In an interview with PBS NewsHour earlier this month [see Cat Out of Bag on Infosec Regulation?], Obama's counterterrorism adviser John Brennan said the administration needs to see what it can do to develop guidelines or policies under executive branch authorities to protect critical IT infrastructure. "If the Congress is not going to act on something like this, then the president wants to make sure that we're doing everything possible," Brennan said.
Later in August, Senate Commerce, Science and Transportation Committee Chairman Jay Rockefeller encouraged Obama to issue an executive order to establish a program to protect critical cyber infrastructure along the lines of components of the Cybersecurity Act of 2012, which he also cosponsored [see A Cybersecurity Dream Act Alternative].
Specifically, Rockefeller advocated creation of a collaborative partnership between the federal government and business to conduct cyber-risk assessments of the nation's most critical infrastructure and create voluntary best practices for companies to implement. "I believe companies that own critical infrastructure will choose to participate in this program because it will be in their best option to protect themselves against the cyberthreat facing our nation," Rockefeller said.
A House Divided
On Aug. 2, Senate supporters of the Cybersecurity Act of 2012 failed to muster the 60 votes necessary to bring the measure up for a vote, a significant setback for those seeking enactment of a comprehensive cybersecurity law this year. The vote was 52 to 46 [see Senate Votes to Block Cybersecurity Act Action].
The failure to invoke cloture wasn't quite the death knell of cybersecurity legislation this year; senators on both sides of the issue suggested that they would continue behind-the-scenes talks. Still, with Congress on a month-long summer recess and the presidential and congressional election campaigns intensifying, time to reach a compromise may not exist.
Opponents of the Cybersecurity Act, mostly Republicans, contend the bill would lead to undue government regulation of the private sector, a point made by the U.S. Chamber of Commerce, despite provisions in the measure that any IT security standards created in a government-industry collaboration would not be imposed on the mostly privately owned operators of the nation's critical IT infrastructure, such as the electric grid and financial networks. Businesses would have had the option to voluntarily adopt or reject any standards.