Businesses Beware: Heavy-Handed Tactics Planned for Cybersecurity

Editor’s Note: For other perspectives, see here, here and here.

From: Forbes

Jody Westby

Businesses need to be on the alert.  After the Senate’s Cybersecurity Act of 2012 failed to garner enough votes for passage, the Obama Administration and key members of Congress are now thinking about using executive action to impose cybersecurity mandates on critical infrastructure companies.  Most telling is the 2012 Democratic National Platform that was released on September 4.  A section devoted to cybersecurity on page 60 notes President Obama’s support for comprehensive cybersecurity legislation, but it also states that, “going forward, the President will continue to take executive action to strengthen and update our cyber defenses.” (emphasis added)

This echoes Richard Clarke’s comments in a recent Huffington Post blog, urging the President to use his executive powers to bypass Congress and push out an Executive Order that requires government information sharing about threats, creates voluntary standards for critical infrastructure industries, beefs up oversight of cybersecurity by regulatory agencies, and uses federal procurement as a means of forcing companies to have better security.  The Hill reported yesterday that the White House is already circulating a draft Executive Order on cybersecurity among relevant federal agencies.

Senator Dianne Feinstein, one of the co-sponsors of the Cybersecurity Act of 2012, sent a letter to the White House on August 28, and directly urged the president to “issue an Executive Order, or take other appropriate action, to advance the cybersecurity of our Nation’s critical infrastructure” because she feared Congress would not be able to pass a cyber bill this year.  She also stated: “The threats to national and economic security are simply too great to wait for legislation.”  Her colleague, Sen. Jay Rockefeller, sent his own, similar letter.  Wow.  If Democratic Senators cannot get a bill passed in the legislative chamber that they control, they will see if the executive branch can do their work for them.  Gee, that even saves them having to wrangle through a conference with the House.

Businesses need to speak up and let the White House and Congress know that they do not support unilateral cybersecurity requirements (even if they are couched as “voluntary”) via an Executive Order, because the issue goes to the very core of their business operations and has the potential to be extremely burdensome and costly.  This is a legislative issue that should proceed through the normal process of both chambers, a conference, and a White House signature or veto, not quietly addressed in the White House without full and open debate.

This kind of heavy-handed tactic satisfies a few but hurts the constituents that vote for these legislators and everyone else because it circumvents one of the most important functions of our government — the legislative process.  The votes were against the Cybersecurity Act of 2012.  That is why it was not brought up for a vote before recess.  It was a badly flawed bill (see my previous blog on August 13 detailing its problems) that surely would have cost the taxpayers and businesses a fortune to implement, without any real security gains.  (Also see my blog on Feb. 27 about the economic impact of such legislation and DHS’s failed efforts to provide Congress with cost analysis information).

It would be unwise for President Obama to issue such an order before the November elections, and it would be even more unwise for him to do so during the lame duck period between the election and a new Congress convening in January, 2013.  The new Congress needs to step back, open a new conversation with business to better understand the cybersecurity problem from their perspective, and examine measures that it could take to help deter, prevent, and respond to cybercrime.  Cybersecurity will never get better until we put the brakes on cybercrime.

The 2012 Republican Party Platform seems to understand this.  Under its National Security Strategy for the Future, it says the party “will pursue an effective cybersecurity strategy” and goes on to state:

Whether it is a nation-state actively probing our national security networks, a terror organization seeking to obtain destructive cyber capabilities, or a criminal network’s theft of intellectual property, more must be done to deter, defeat, and respond to cyberthreats.  The costly and heavy-handed regulatory approach by the current Administration will increase the size and cost of the federal bureaucracy and harm innovation in cybersecurity.

Hopefully, the Republican Representatives and Senators that take office in January will read that page and remember it when cybersecurity discussions begin again.

