Senate Republicans recently blocked cybersecurity legislation, but the issue might not be dead after all.
The White House hasn’t ruled out issuing an executive order to strengthen the nation’s defenses against cyberattacks if Congress refuses to act.
“In the wake of Congressional inaction and Republican stall tactics, unfortunately, we will continue to be hamstrung by outdated and inadequate statutory authorities that the legislation would have fixed,” White House press secretary Jay Carney said in an email.
“Moving forward, the President is determined to do absolutely everything we can to better protect our nation against today’s cyber threats and we will do that,” Carney said.
The White House has emphasized that better protecting vital computer systems is a top priority.
The administration proposed its own legislation package in 2011, sent officials to testify at 17 congressional hearings and presented more than 100 briefings on the issue. In a recent Wall Street Journal op-ed, President Obama warned that a successful cyberattack on a bank, water system, electrical grid or hospital could have devastating consequences.
The president urged Congress to pass the Cybersecurity Act, which was offered by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine). The bill would have encouraged private companies and the government to share information about cyber threats and would have required critical infrastructure operators to meet minimum cybersecurity standards.
But Senate Republicans, led by Sen. John McCain (R-Ariz.), worried the bill would burden businesses with unnecessary and ineffective regulations.
The bill’s sponsors watered down the regulatory provisions, replacing the security mandates with voluntary incentives, but that wasn’t enough to win over Republicans. The bill mustered 52 votes in the Senate, well short of the 60 needed to overcome a filibuster.
If Obama issues an order on cybersecurity, it wouldn’t be the first time that his administration has resorted to executive action to bypass Congress.
Obama uses the slogan “we can’t wait” to argue that some issues are too important to be allowed to stall in Congress.
When lawmakers refused to pass the DREAM Act to give legal status to students brought to the country illegally, the administration announced that it would stop deporting young immigrants who would have been eligible to stay under the bill.
Jim Lewis, a senior fellow at the Center for Strategic and International Studies, explained that Obama could enact many of the core provisions of the Cybersecurity Act through executive order.
Many companies managing vital computer systems are already heavily regulated. Lewis said the president could order agencies to require the industries they regulate to meet cybersecurity standards.
“You don’t need new legislative authority to do that,” Lewis said.
He noted that some regulatory agencies, including the Federal Communications Commission and the Nuclear Regulatory Commission, are independent and not bound to follow executive orders. But Lewis predicted that even the independent agencies would likely enforce an executive order on cybersecurity.
Lewis said the Office of Management and Budget is already working on security standards for federal computer systems and said those guidelines could form the basis of standards for the private sector.
Lewis acknowledged any provisions that would tear down legal barriers to information-sharing would have to be enacted by Congress. Although those provisions in the Cybersecurity Act were the ones most strongly supported by the business community, Lewis expressed skepticism that they would do much to improve cybersecurity anyway.
“You can have them or don’t have them. Who cares?” he said.
But Lewis said that an executive order could even partially address information-sharing. The FCC, for example, has set up a voluntary system for companies to share information about cyber threats with each other, he said.
An executive order may accomplish many of the goals of the Cybersecurity Act, but it could also further raise the ire of Republicans and the business groups, such as the U.S. Chamber of Commerce, who lobbied against the legislation.
Republicans have already accused Obama of making illegal power grabs with his previous executive actions, and a cybersecurity order would likely elicit similar howls of disapproval.
Although Sen. Collins was frustrated by the defeat of her bill, she reacted coolly to the idea of the president bypassing Congress.
“I’m not for doing by executive order what should be done by legislation,” she said.
Sen. Dianne Feinstein (D-Calif.), one of the co-sponsors of the Cybersecurity Act, said she prefers that Congress address the problem, but she is open to presidential action if Congress fails.
“I suppose if we can’t, the answer would be yes,” she said when asked whether she would support an executive order.