It’s been a long time coming -- and implementing it will take longer still -- but President Obama has finally signed a long-awaited executive order that promises to protect the nation’s railways, electrical grids, and other infrastructure from catastrophic cyberattack. Now comes the hard part.
The document tells federal agencies such as the Department of Homeland Security to share specific cyberthreat information with those in charge of critical U.S. infrastructure, and the security providers who work with them. It also speeds up the processing of security clearances, which businesses say is vital to getting classified threat information to the people who need it most. Meanwhile, the directive’s crown jewel is a set of cyber best-practices that the Obama administration hopes industries will adopt voluntarily for their own defense.
The executive order comes just as Congress plans to revive its own cybersecurity legislation. Rep. Mike Rogers, the chairman of the House Intelligence Committee, is expected on Wednesday to reintroduce CISPA, the controversial bill that fell apart last year over privacy concerns and hints of a presidential veto.
It’s unclear whether Obama is any closer to supporting CISPA today. A White House official declined to answer questions on the matter. But if there was ever a moment for a comprehensive deal, it’s now.
In the past few months, the United States has reached something of a turning point on the issue. In October, Defense Secretary Leon Panetta warned of a “cyber-Pearl Harbor” in which hackers might “derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Rogers, the congressman leading the charge on CISPA, has been on the warpath too, saying last week that the United States was already embroiled in a cyberwar -- one that it’s losing. The latest National Intelligence Estimate, the document that’s said to capture the sense of the entire U.S. intelligence community, confirms as much.
It all comes on the heels of several high-profile hacks disclosed late last month by The New York Times, The Wall Street Journal, and The Washington Post, among others. The intrusions were hard to attribute and even harder to eradicate; in the case of The Times, investigators found a thermostat and a printer still communicating with the hackers even after the intruders were thought to have been shut out.
With Washington united in fear of a digital attack on the homeland -- and with the specter of an actual act of cyberespionage still lingering -- the conditions may be better than ever now for Congress and the White House to agree on a landmark cybersecurity deal.
Of course, we’ve had near-misses before. CISPA actually managed to pass the House in 2012, but privacy groups objected to provisions in the bill that allow corporations to share user information with the government. On those grounds, the White House threatened to veto the legislation. In the Senate, Majority Leader Harry Reid tried to push a bill through the chamber twice last year -- and each time, Republicans blocked the measure. In November, Reid threw his hands up and declared the Cybersecurity Act of 2012 “dead for this Congress.”
Depending on how it’s implemented, the provision on best practices in Obama’s new executive order could still doom any further progress. At issue is whether the standards would be voluntary, mandatory, or somewhere in between. In principle, the process is entirely opt-in -- the order as it’s written has the Obama administration asking private-sector groups for ideas that will then be distributed as a set of suggested guidelines. But when asked whether federal agencies might someday turn to fines, fees, or other sticks to enforce the standards, senior administration officials wouldn’t rule out that possibility, telling reporters on Tuesday that it would be up to the agencies themselves to decide what they will or won’t do.
Since the White House doesn’t have the legal authority to mandate compliance outright (for that, it would need Congress), the executive order represents just one tiny, initial step toward comprehensive action on cybersecurity. As we’ve seen in the recurring fights over the budget, the debt limit, and the sequester, however, Congress’ recent record legislating by crisis has been anything but stellar. Just because the conditions are right still doesn’t guarantee results.