Administration Seen Moving Away From Proposed Cybersecurity Rules


By Alexei Alexis  


The Obama administration's legislative agenda in the area of cybersecurity appears to be moving away from a push for proposed Department of Homeland Security regulations that Republicans rejected in 2012, observers told BNA.

The administration is expected to focus instead on getting help from Congress to promote industry adoption of voluntary cybersecurity standards that are being developed by the National Institute of Standards and Technology under an executive order signed by President Obama earlier this year.

“I think you will see an attempt to leverage the NIST framework through the use of incentives and possibly through current regulatory authorities,” Larry Clinton, president of the Internet Security Alliance, an industry group in Washington, said in a recent BNA interview. “I tend to doubt there will be a true push to expand DHS regulatory authority, as it would be dead on arrival in the House and probably also couldn't get out of the Senate.”

House Package Silent on Standards

In April, the House passed a package of cybersecurity bills that excluded provisions to promote industry adoption of the coming NIST framework. Under a key House-passed bill (H.R. 624), the Cyber Intelligence Sharing and Protection Act (CISPA), companies would be granted liability protection for the sharing of cyberthreat information with other firms and the federal government (12 PVLR 671, 4/22/13).

Sen. Tom Carper (D-Del.), chairman of the Senate Homeland Security and Governmental Affairs Committee, has said that he will work with Senate colleagues on both sides of the aisle to develop broader cybersecurity legislation that complements initiatives already moving forward under Obama's executive order.

“While information sharing is an important piece in our effort to modernize our outdated cybersecurity laws, it is only one of many elements needed to properly bolster our cyber defenses,” Carper said in an April 19 statement, following the House's action on CISPA. “Those of us in Congress need to pay close attention to other vital elements of cybersecurity, especially safeguarding our critical infrastructure.”

Alan Charles Raul, a partner at Sidley Austin LLP, in Washington, told BNA that the House and Senate could ultimately have significant differences to resolve in conference, if the legislative process gets that far.

“Regulatory mandates to be imposed by DHS are non-starters for the House, so they will not likely be included in the product coming out of conference,” he said.

Previous Congress Did Not Enact Bill

During the previous Congress, the White House unveiled a comprehensive cybersecurity proposal with provisions to give DHS new authority to regulate cybersecurity practices across the private sector (10 PVLR 730, 5/16/11). However, the proposal was never taken up in the House, and a compromise bill (S. 3414) developed in the Senate was ultimately blocked by Republicans (11 PVLR 1680, 11/19/12).

The Senate bill would have established voluntary cybersecurity standards for the private sector. The U.S. Chamber of Commerce, a chief opponent, argued that the proposed standards had the potential to become burdensome regulations.

As a result of the congressional impasse, Obama issued an executive order in February that achieves some of the goals of the failed Senate bill (12 PVLR 257, 2/18/13). The order directed NIST, a component of the Department of Commerce, to lead the development of a framework consisting of voluntary cybersecurity standards for the nation's “critical infrastructure” owners and operators. NIST must publish a draft cybersecurity framework by the fall and produce a final version by February 2014.



The order also directed DHS to coordinate the development of a program to promote the framework. In addition, regulatory agencies were charged with reviewing existing cybersecurity mandates to determine whether they are sufficient.

“I think that the executive order accomplished about 80 percent of what the [Senate] bill would have accomplished, especially in the watered down compromise version floated toward the end of the process,” Stewart Baker, a partner in the Washington office of Steptoe & Johnson LLP and a former assistant secretary for policy at DHS under the George W. Bush administration, told BNA.

“What's arguably still needed and can't be done with current authority are information sharing provisions, incentives for companies to adopt the standards coming out of NIST, and perhaps some provisions that would allow regulatory agencies to add cybersecurity to their existing regulatory jurisdiction,” Baker said. “I get a sense that the administration still wants information sharing but hasn't decided what if anything it wants on the other two topics.”

Obama Order Seen as Game-Changer

Norma Krayem, a senior policy adviser at Patton Boggs LLP, in Washington, told BNA that the president's executive order “dramatically changes the landscape” and takes the place of much of what was in the administration's previous legislative proposal as it relates to critical infrastructure. The order provides a starting point for the administration to work collaboratively with the private sector, while simultaneously pressing for legislative action, she said.

Krayem agreed with Clinton and Raul that there is unlikely to be a renewed push for DHS to have additional rulemaking authorities.

“The executive order sets out a process for all agencies to review their existing authorities and report back to the White House, which will tell the administration what tools they have and what they don't,” she said. “At the same time, they will want to see how the private sector engages in the creation of the framework and, ultimately, if the private sector actually agrees to participate in the voluntary program.”

Administration: Legislation Still Needed

Despite the president's order, the administration has repeatedly emphasized that cybersecurity legislation is still needed.

“We continue to believe that a suite of legislation is necessary to implement the full range of steps needed to build a strong public-private partnership, and we will continue to work with Congress to achieve this,” Homeland Security Secretary Janet Napolitano said in testimony prepared for a March 7 hearing held jointly by the Senate Homeland Security and Governmental Affairs Committee and the Senate Commerce, Science, and Transportation Committee (12 PVLR 427, 3/11/13).

Specifically, Napolitano called for legislation to strengthen the cybersecurity of the nation's critical infrastructure by further increasing cyberthreat information sharing between the government and the private sector and promoting the establishment and adoption of industry standards; giving law enforcement additional tools to fight crime in the digital age; creating a national data breach reporting requirement; and incorporating privacy, confidentiality, and civil liberties safeguards into all aspects of U.S. cybersecurity efforts. The administration's current legislative priorities in the area of cybersecurity build on the proposal that it submitted to the previous Congress, she said.