President Obama Feb. 12 signed an executive order
directing federal agencies to develop voluntary cybersecurity standards for
critical parts of the private sector and to consider proposing new mandates
where possible under existing law.
In addition, the order requires federal agencies to produce unclassified
reports of threats to U.S. companies and to share them in a timely manner.
Agencies are required to incorporate privacy and civil liberties safeguards in
their implementation activities.
The Obama administration will be reaching out extensively to the private
sector and other stakeholders to implement the new order, senior officials said
at a Feb. 13 briefing hosted by the Department of Commerce.
“It's going to take all of us to actually make this work,” Michael Daniel,
special assistant to the president and White House cybersecurity coordinator,
said at the briefing.
He was joined by several other senior administration officials, including
Rebecca Blank, deputy secretary of commerce; Gen. Keith Alexander, director of
the National Security Agency; and Jane Holl Lute, deputy secretary of homeland
Blank said the administration's cybersecurity effort will involve
“unprecedented outreach to communities and industries across the country from
departments such as Commerce.”
“The government can't do this alone,” she said. “Businesses need to be both
aware of cybersecurity problems and proactive in adopting best practices to
protect themselves and our economy.”
“The President's decisive action was essential to address the growing threat
to U.S. intellectual property and critical infrastructure,” Edward R.
McNicholas, a partner at Sidley Austin LLP in Washington, told BNA Feb. 14.
“Unfortunately, the Order lacks many of the protections from potential liability
that are vital to ensuring robust private sector participation, but only
Congress could have delivered those protections.”
The order has prompted objections from the U.S. Chamber of Commerce, which
lobbied successfully last year to prevent Senate passage of a comprehensive
cybersecurity bill (S. 3414) that would have resulted in similar cybersecurity standards for the
private sector. The legislation was ultimately filibustered by Republicans (11
PVLR 1680, 11/19/12).
“The U.S. Chamber believes that executive action is unnecessary and opposes
the expansion or creation of new regulatory regimes,” Ann Beauchesne, the
Chamber's vice president of national security and emergency preparedness, said
in a Feb. 13 statement.
Stewart Baker, a partner in the Washington office of Steptoe & Johnson
LLP, told BNA Feb. 13 that much of the impact from the executive order will be
felt in the area of cybersecurity standards.
“Here, the order is likely to accomplish about 80 percent of what the Senate
bill proposed to do,” he said. “I think voluntary standards will do a lot. In
the real world, these 'voluntary' standards will be quasi-mandatory, because
companies that don't meet them could face lawsuits after suffering a breach.
They will also provide some liability protection for industry, since under tort
law, following government standards is a good way to rebut claims of negligence.
What's left for legislation is some further regulatory authority for currently
unregulated critical infrastructure.”
McNicholas expressed similar concerns. “Although the Order embraces a
multi-stakeholder, voluntary standard model, these standards may well
effectively establish the negligence bar for cybersecurity, and independent
agencies may make these standards actually or practically mandatory for
significant sectors of the economy,” he said.
“Government contractors should expect to see mandatory new cybersecurity
requirements in federal contracts, leading potentially to whistleblower False
Claims Act liability if they are not able to live up to their contractual
certifications,” McNicholas added.
The order directs the National Institute of Standards and Technology, part of
the Commerce Department, to lead the development of a “framework” consisting of
voluntary cybersecurity standards for the nation's “critical
As a first step, NIST announced Feb. 13 that it will be issuing a “request
for information” from a variety of stakeholders, including critical
infrastructure owners and operators, federal agencies, standards-setting
organizations, and consumers.
“NIST will use the input gathered to identify existing consensus standards,
practices and procedures that have been effective and that can be adopted by
industry to protect its digital information and infrastructure from the full
range of cybersecurity threats,” the agency said in a statement. “The framework
will not dictate 'one-size-fits-all' solutions, but will instead enable
innovation by providing guidance that is technology neutral and recognizes the
different needs and challenges within and among critical infrastructure
The departments of Homeland Security and Commerce have signed a memorandum of agreement
calling for the two agencies to work closely together to improve the nation's
cybersecurity, while protecting privacy and civil liberties. The president's
order directs DHS to work with sector-specific agencies, such as the Department
of Energy, to develop a program to assist companies with implementing the
cybersecurity framework and to identify incentives for adoption.
The order also directs regulatory agencies to review existing cybersecurity
mandates and determine whether they are sufficient, and whether any current
rules can be eliminated as no longer effective. If the existing regulations are
ineffective or insufficient, agencies must propose new regulations based upon
the cybersecurity framework and in consultation with their regulated
The White House simultaneously released a related document, the
Presidential Policy Directive on Critical Infrastructure Security and
Obama used his Feb. 12 State of the Union address to highlight the executive
order, but emphasized that congressional action is still needed.
“[N]ow Congress must act as well, by passing legislation to give our
government a greater capacity to secure our networks and deter attacks,” he
said. “This is something we should be able to get done on a bipartisan
The announcement came after months of White House deliberations in the wake
of failed attempts in the previous Congress to enact cybersecurity legislation
(11 PVLR 1435, 9/24/12).
Senate Majority Leader Harry Reid (D-Nev.) praised the president for taking
“decisive action” to protect the nation from cyber-attacks.
“As the President has rightly noted, the new Executive Order is no substitute
for legislation, which is essential to address current gaps in authority,” Reid
said Feb. 13. “Until Congress acts, President Obama will be fighting to defend
this country with one hand tied behind his back. I am eager to work with my
colleagues on a bipartisan basis to develop and advance legislation as soon as
The order was also strongly endorsed in statements from Senate Commerce
Committee Chairman John D. Rockefeller IV (D-W.Va.), Senate Homeland Security
Committee Chairman Tom Carper (D-Del.), and Senate Intelligence Committee
Chairman Dianne Feinstein (D-Calif.).
“The President's executive order is an important step in our effort to better
protect our nation's cyber networks,” Carper said in a Feb. 13 statement. “I am
encouraged by the White House's inclusive approach to this complex issue and by
its outreach to industry and other stakeholders.”
Carper said he is committed to working with congressional colleagues and the
administration to craft bipartisan cybersecurity legislation as soon as
possible. “The first step in that effort will be holding a hearing on this
executive order and the broader cyber threat, something that I hope my
colleagues and I are able to do in the coming weeks,” he added.
Feinstein said in a Feb. 12 statement that legislation is still needed to
“remove legal barriers to full sharing of information and to provide liability
protections to encourage the best cyber measures possible.” Rockefeller said in
a Feb. 12 statement he will continue to build on the order by working on
cybersecurity legislation in the weeks and months ahead.
House Homeland Security Chairman Michael McCaul (R-Texas) said he was
concerned that the executive order could open the door to increased regulations
that would “stifle innovation, burden businesses, and fail to keep pace with
evolving cyber threats.”
“Our first priority must be 'do no harm,'” he said Feb. 12.
In addition, McCaul said the executive branch lacks constitutional authority
to provide liability protections that industry needs to freely share cyber
threat information with the federal government. “Without protections and
incentives to adopt industry-led best practices, such programs will be
ineffective and carry consequences for entities that choose to participate,” he
McCaul said he plans to introduce legislation to enhance cybersecurity
coordination between the government and private sector.
Meanwhile, House Intelligence Committee Chairman Mike Rogers (R-Mich.) and
Ranking Member C. A. “Dutch” Ruppersberger (D-Md.) Feb. 13 reintroduced narrow
cybersecurity legislation (H.R. 624) focused on
information sharing. The bill is supported by a number of industry groups,
including the Chamber of Commerce (see related report).
By Alexei Alexis
Full text of the executive order is available at http://op.bna.com/der.nsf/r?Open=sbay-94uv4x.
The DHS-Commerce memorandum is available at http://op.bna.com/der.nsf/r?Open=sbay-94w2ny.
Full text of the policy directive is available at http://op.bna.com/der.nsf/r?Open=sbay-94uv6u.