Insiders say that the expected cybersecurity executive order, itself motivated by Congress's failure to pass cybersecurity legislation, could serve as a template for future lawmaking.
The expected cybersecurity executive order should serve as a template for action when Congress once again takes up cybersecurity legislation, according to Capitol Hill insiders speaking at 1105 Government Events’ Oct. 22 cybersecurity conference.
The order will be useful for guidance regardless of any potential post-election power shifts, they said.
(1105 Government Events is part of 1105 Media, the parent company of FCW.)
“There are a lot of moving pieces, but the ground has now been plowed. No matter who’s in leadership position, the awareness has been raised, people are on the record and we have leaders on both sides of the aisle [agreeing] something needs to be done. The rest is just details,” said Clete Johnson, counsel in the office of Sen. Jay Rockefeller (D-W.Va.) and lead staffer on the Senate Select Committee on Intelligence. “Whatever happens in November, I don’t think too much more time is going to pass before we do what we need to do, no matter who the leadership is."
There are limitations on what the executive order can encompass, though, which means that legislation still is critical to national security in cyberspace. An executive order cannot codify, meaning it relies on existing statutes that it cannot alter – a significant issue for information-sharing, which is crucial to cybersecurity action.
“The EO could [address] government-private sector information-sharing; the problem is the limits on what it can do for private-to-private and private-to-government,” particularly with regard to liability concerns, Johnson said. “It would require amending electronic privacy statutes, and an EO can’t do that. It’s a major problem since information-sharing is one of the two cornerstones.”
The other cornerstone is critical infrastructure, which has challenges of its own in an executive order.
“Critical infrastructure is mostly life-or-death-type systems…the difficulty with them is defining which are critical and then [addressing] the ‘ad hocracy’ or ad-hoc approach to them that our government and society bring to securing those systems,” Johnson noted.
“How do you promote best practices, leadership and accountability?” Johnson asked. “The most important thing is how do you allow private-sector market incentives and dynamics to drive a race to the top on cybersecurity, as opposed to [a government-led] top-down approach.”
Another problem is the range of policies and governance employed across the critical infrastructure sector. The patchwork nature of the regulations are presenting a hurdle for the White House, according to Trey Hodgkins, TechAmerica’s senior vice president, global public sector.
“One challenge the White House indicated they’re undertaking is going through the existing authorities for each sector,” said Hodgkins, who has met with stakeholders from the government and private sector regarding the executive order. “Since there aren’t uniformities across the sector, they are attempting to understand existing authorities and what they may or may not be able to do.”
Even after the executive order – if it does indeed become a reality – there will still be an uphill battle on the Hill, where partisan stalemates could threaten action once again.
“It’s very difficult to predict procedurally how [legislation will] go through. We hope something can happen swiftly but at same time…we have to first do no harm. We have to make sure we’re still doing what we think is the right way to move forward. We have to work quickly but smartly,” said Michael Seeds, legislative director for Rep. Mac Thornberry (R-Texas). “This lays the groundwork for the next Congress…we’re hopeful.”
NEXT STORY: NIST seeks partners for cybersecurity challenges