The White House appears poised to issue an Executive Order (EO) by the end of the year. At the same time, Congressional Republicans and Democrats are telegraphing cyber will be a top legislative priority during 2013. Draft versions of the EO create a strong role for the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS). NIST is tasked with creating a new cyber standard and DHS will coordinate with the domestic agencies to establish a compliance program. The domestic cyber EO is designed to establish cyber safeguards that Congress was unable to enact while at the same time spurring legislative action in Congress. It has been a reported that a separate, but related, classified national security cyber EO has already been issued. By definition, an EO must rely on existing statutory authority and Congressional action is necessary in order to expand on current law to create certain key cyber policy provisions, such as liability protections.
Most acknowledge that the U.S. is under continuous, and in some cases, sophistocated, cyber attack. Supporters of the EO believe that executive action is necessary to prevent a debilitative attack on infrastructure. Some critics remain skeptical about the EO and feel its scope may impact the private sector more than advertised by the White House. Specific concerns raised over the EO include:
- Definitions: Who will be included as critical infrastructure?
- Scope: Will contractors or vendors to critical infrastructure be brought into the fold directly or indirectly?
- Flexibility: Will NIST cyber standard allow flexibility and adopt existing private sector cyber standards or will it be develop a one-size-fits-all government cyber standard?
- Duplication: Will certain industries now be subject to a duplicative layer of regulation (current regulator + DHS)?
- Evolution: Will the federal standard be able keep up with the constantly changing cyber threat evironment?
- Voluntary: How voluntary will the voluntary standard be?
- Privacy: Where will the White House draw the line between privacy protections and national security?
Regardless of the timing of the EO, Congress will need to act to address cybersecurity issues. As Congress takes on cyber next year, the Lieberman-Collins bill will need to be altered in order to garner enough Republican votes for passage in the Senate (it could muster only 51 votes recently - 9 short of the necessary 60) and the Republican-controlled House. Look for key pieces of the Republican cyber alternative bill (SECURE IT) to be incorporated into new legislation or for the process to be broken-up into smaller pieces tailored to specific industry sectors based on the jurisdictions of congressional committees. In addition, the new leadership on the Senate Homeland Security and Government Affairs Committee (Carper (D-DE) Coburn (R-OK)) and Commerce Committee Ranking Member (likely Thune (R-SD)) will want to put their stamp on the next iteration of legislation. Congressional consideration will allow interested parties to work with the various committees of jurisdiction on an approach to cyber that takes into account the specific issues associated with a given industry and protects existing cyber standards. On the House side, incoming Homeland Security Committee Chairman Michael McCaul (R-TX) has indicated cyber legislation will be a top priority of his next year and the new Energy and Commerce Committee Vice Chair Marsha Blackburn (R-TN) indicated that the Committee would be more active on privacy issues.