Cyber executive order close, Napolitano says

DHS head defends the need for executive action on cybersecurity, but says it won't include some things that 'only legislation can do.'

An executive order on cybersecurity is wending its way through the bureaucratic process, and while there’s no exact date for its arrival, it can be expected to target information-sharing. It also will still need to be augmented by legislation, according to the U.S. Homeland Security chief.

“The executive order is being drafted and in the interagency process. I can’t give you a firm timeline. It can’t do a few things only legislation can do, such as liability protection for companies when they are sharing information,” said Homeland Security Secretary Janet Napolitano. “An executive order will help, but we still need comprehensive cyber legislation. It’s something that Congress is going to have to come back and address.”

Napolitano, speaking Sept. 28 at the GovExec Cyber Summit in Washington, added that the president has not yet seen the executive order.

“He’s been busy,” she said.

Despite Congress’ current vacation from Washington, lawmakers have been vocal both in support of and in opposition to the expected presidential order. Napolitano expressed disappointment that cybersecurity legislation has become such a partisan issue, and rejected the idea that the order is an executive grab for power over private industry – a concern that has fueled some of the conflict, in Congress and in public opinion.

“This is a security issue and it’s a security issue that should be top priority. What we’re talking about is a very viable and vital partnership between the public and private sectors where there’s real-time information-sharing and where there’s employment of the best practices and best technologies available,” she said. “I don’t view this as the government coming in and telling you what to do – far from it.”

Napolitano said she envisions the executive order as more of a collaboration that better protects everyday citizens from threats to critical infrastructure, including energy facilities for oil, natural gas and other key resources.

“What we’re saying is, ‘Look, you are the owner and operator of core critical infrastructure on which other businesses depend, families depend and communities depend, and we need to make sure that your cyber networks are as secure as possible and that should you be detecting signs of an intrusion or malware or the like, there’s real-time information sharing so we can help mitigate the threat,’” she said.

Napolitano also acknowledged some organizations have already instituted cybersecurity measures, and said neither the executive order nor the Homeland Security Department is looking to override that.

“We are very cognizant that in some industries there exist already regulatory authorities that can be used for cybersecurity. We don’t want to be redundant … what we want to do is make sure the core critical infrastructure protects itself,” she said. “In the current landscape we execute cybersecurity missions under an amalgam of existing statutory and executive authorities that need to be updated, streamlined and clarified. The plain fact is that we must address cybersecurity now, not years from now.”