President Obama Signs Executive Order On Cybersecurity, Seeks Voluntary Standards

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

President Obama Feb. 12 signed an executive order directing federal agencies to develop voluntary cybersecurity standards for critical parts of the private sector and to consider proposing new mandates where possible under existing law.

In addition, the order requires federal agencies to produce unclassified reports of threats to U.S. companies and to share them in a timely manner. Agencies are required to incorporate privacy and civil liberties safeguards in their implementation activities.

The Obama administration will be reaching out extensively to the private sector and other stakeholders to implement the new order, senior officials said at a Feb. 13 briefing hosted by the Department of Commerce.

“It's going to take all of us to actually make this work,” Michael Daniel, special assistant to the president and White House cybersecurity coordinator, said at the briefing.

He was joined by several other senior administration officials, including Rebecca Blank, deputy secretary of commerce; Gen. Keith Alexander, director of the National Security Agency; and Jane Holl Lute, deputy secretary of homeland security.

Blank said the administration's cybersecurity effort will involve “unprecedented outreach to communities and industries across the country from departments such as Commerce.”

“The government can't do this alone,” she said. “Businesses need to be both aware of cybersecurity problems and proactive in adopting best practices to protect themselves and our economy.”

“The President's decisive action was essential to address the growing threat to U.S. intellectual property and critical infrastructure,” Edward R. McNicholas, a partner at Sidley Austin LLP in Washington, told BNA Feb. 14. “Unfortunately, the Order lacks many of the protections from potential liability that are vital to ensuring robust private sector participation, but only Congress could have delivered those protections.”

Chamber of Commerce Opposed

The order has prompted objections from the U.S. Chamber of Commerce, which lobbied successfully last year to prevent Senate passage of a comprehensive cybersecurity bill (S. 3414) that would have resulted in similar cybersecurity standards for the private sector. The legislation was ultimately filibustered by Republicans (11 PVLR 1680, 11/19/12).

“The U.S. Chamber believes that executive action is unnecessary and opposes the expansion or creation of new regulatory regimes,” Ann Beauchesne, the Chamber's vice president of national security and emergency preparedness, said in a Feb. 13 statement.

Stewart Baker, a partner in the Washington office of Steptoe & Johnson LLP, told BNA Feb. 13 that much of the impact from the executive order will be felt in the area of cybersecurity standards.

“Here, the order is likely to accomplish about 80 percent of what the Senate bill proposed to do,” he said. “I think voluntary standards will do a lot. In the real world, these 'voluntary' standards will be quasi-mandatory, because companies that don't meet them could face lawsuits after suffering a breach. They will also provide some liability protection for industry, since under tort law, following government standards is a good way to rebut claims of negligence. What's left for legislation is some further regulatory authority for currently unregulated critical infrastructure.”


“Although the Order embraces a multi-stakeholder, voluntary standard model, these standards may well effectively establish the negligence bar for cybersecurity, and independent agencies may make these standards actually or practically mandatory for significant sectors of the economy.”  
Edward R. McNicholas, Partner,
Sidley Austin LLP, Washington

McNicholas expressed similar concerns. “Although the Order embraces a multi-stakeholder, voluntary standard model, these standards may well effectively establish the negligence bar for cybersecurity, and independent agencies may make these standards actually or practically mandatory for significant sectors of the economy,” he said.

“Government contractors should expect to see mandatory new cybersecurity requirements in federal contracts, leading potentially to whistleblower False Claims Act liability if they are not able to live up to their contractual certifications,” McNicholas added.

DHS, Commerce Sign Memorandum

The order directs the National Institute of Standards and Technology, part of the Commerce Department, to lead the development of a “framework” consisting of voluntary cybersecurity standards for the nation's “critical infrastructure.”

As a first step, NIST announced Feb. 13 that it will be issuing a “request for information” from a variety of stakeholders, including critical infrastructure owners and operators, federal agencies, standards-setting organizations, and consumers.

“NIST will use the input gathered to identify existing consensus standards, practices and procedures that have been effective and that can be adopted by industry to protect its digital information and infrastructure from the full range of cybersecurity threats,” the agency said in a statement. “The framework will not dictate 'one-size-fits-all' solutions, but will instead enable innovation by providing guidance that is technology neutral and recognizes the different needs and challenges within and among critical infrastructure sectors.”

The departments of Homeland Security and Commerce have signed a memorandum of agreement calling for the two agencies to work closely together to improve the nation's cybersecurity, while protecting privacy and civil liberties. The president's order directs DHS to work with sector-specific agencies, such as the Department of Energy, to develop a program to assist companies with implementing the cybersecurity framework and to identify incentives for adoption.

The order also directs regulatory agencies to review existing cybersecurity mandates and determine whether they are sufficient, and whether any current rules can be eliminated as no longer effective. If the existing regulations are ineffective or insufficient, agencies must propose new regulations based upon the cybersecurity framework and in consultation with their regulated companies.

The White House simultaneously released a related document, the Presidential Policy Directive on Critical Infrastructure Security and Resilience.

Obama: Legislative Action Still Needed

Obama used his Feb. 12 State of the Union address to highlight the executive order, but emphasized that congressional action is still needed.

“[N]ow Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks,” he said. “This is something we should be able to get done on a bipartisan basis.”

The announcement came after months of White House deliberations in the wake of failed attempts in the previous Congress to enact cybersecurity legislation (11 PVLR 1435, 9/24/12).

Senate Majority Leader Harry Reid (D-Nev.) praised the president for taking “decisive action” to protect the nation from cyber-attacks.

“As the President has rightly noted, the new Executive Order is no substitute for legislation, which is essential to address current gaps in authority,” Reid said Feb. 13. “Until Congress acts, President Obama will be fighting to defend this country with one hand tied behind his back. I am eager to work with my colleagues on a bipartisan basis to develop and advance legislation as soon as possible.”

The order was also strongly endorsed in statements from Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.), Senate Homeland Security Committee Chairman Tom Carper (D-Del.), and Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.).

“The President's executive order is an important step in our effort to better protect our nation's cyber networks,” Carper said in a Feb. 13 statement. “I am encouraged by the White House's inclusive approach to this complex issue and by its outreach to industry and other stakeholders.”

Carper said he is committed to working with congressional colleagues and the administration to craft bipartisan cybersecurity legislation as soon as possible. “The first step in that effort will be holding a hearing on this executive order and the broader cyber threat, something that I hope my colleagues and I are able to do in the coming weeks,” he added.

Feinstein said in a Feb. 12 statement that legislation is still needed to “remove legal barriers to full sharing of information and to provide liability protections to encourage the best cyber measures possible.” Rockefeller said in a Feb. 12 statement he will continue to build on the order by working on cybersecurity legislation in the weeks and months ahead.

Key House Republican Raises Concerns

House Homeland Security Chairman Michael McCaul (R-Texas) said he was concerned that the executive order could open the door to increased regulations that would “stifle innovation, burden businesses, and fail to keep pace with evolving cyber threats.”

“Our first priority must be 'do no harm,'” he said Feb. 12.

In addition, McCaul said the executive branch lacks constitutional authority to provide liability protections that industry needs to freely share cyber threat information with the federal government. “Without protections and incentives to adopt industry-led best practices, such programs will be ineffective and carry consequences for entities that choose to participate,” he added.

McCaul said he plans to introduce legislation to enhance cybersecurity coordination between the government and private sector.

Meanwhile, House Intelligence Committee Chairman Mike Rogers (R-Mich.) and Ranking Member C. A. “Dutch” Ruppersberger (D-Md.) Feb. 13 reintroduced narrow cybersecurity legislation (H.R. 624) focused on information sharing. The bill is supported by a number of industry groups, including the Chamber of Commerce (see related report).

By Alexei Alexis  

Full text of the executive order is available at

The DHS-Commerce memorandum is available at

Full text of the policy directive is available at

Request Bloomberg Law: Privacy & Data Security