White House Exploring Executive Order On Private Sector Cybersecurity Standards

The White House is considering an executive order that would direct federal agencies to secure the nation's “critical infrastructure” by working with industry, John Brennan, assistant to the president for homeland security and counterterrorism, says in a letter to Congress. He emphasizes that any best practices resulting from the order would be developed through a government-industry partnership.

The White House confirmed in a recent letter to Congress that it is exploring the possibility of an executive order to beef up cybersecurity efforts in the private sector.

The administration is considering an order that would direct federal agencies to secure the nation's “critical infrastructure” by working with industry partners, according to the letter, which was signed by John Brennan, assistant to the president for homeland security and counterterrorism, and released Sept. 14 by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.).

“Following congressional inaction, the President is determined to use existing executive branch authorities to protect our nation against cyber threats,” Brennan said, adding that the administration is particularly interested in developing best practices.

Despite the White House effort, Brennan said that comprehensive cybersecurity legislation “remains essential” due to outdated and inadequate statutory authorities.

The letter comes on the heels of reports that the administration was drafting an executive order in light of the Senate's failure to pass the Cybersecurity Act (S. 3414) before the August recess (11 PVLR 1227, 8/6/12). Provisions in the bill calling for voluntary standards for critical infrastructure operators, such as power plants and water systems, prompted concerns about the potential for burdensome regulations.

Rockefeller Supportive of Obama Order.

Rockefeller, a co-sponsor of the bill, wrote President Obama Aug. 13 endorsing the idea of an executive order in light of diminished legislative prospects.

“[B]ecause it is very unclear whether the Senate will come to agreement on cybersecurity legislation in the near future, I urge you to explore and employ every lever of executive power that you possess to protect this country from the cyber threat,” Rockefeller said.

Meanwhile, Rockefeller Sept. 19 announced he was seeking feedback from Fortune 500 companies on cybersecurity legislation that was recently blocked in the Senate after a major lobbying effort by the U.S. Chamber of Commerce (see related report in this issue).

Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.), another Cybersecurity Act co-sponsor, sent a similar letter to the president Aug. 28 (11 PVLR 1331, 9/3/12).

Senate Majority Leader Harry Reid (D-Nev.) recently signaled that he was open to the idea of an executive order on cybersecurity (11 PVLR 1402, 9/17/12).

But key Republicans have raised objections.

“Skirting congressional action by issuing an executive order is neither appropriate nor effective,” Republican Sens. John McCain (Ariz.), Kay Bailey Hutchison (Texas), and Saxby Chambliss (Ga.) said in a Sept. 14 opinion piece in The Wall Street Journal. “The democratic process ensures that Congress and the president work together, while listening to all those affected by their actions, to find the solution that's in the best interests of the American people.”

White House Seeks 'Partnership' With Industry.

Brennan's letter emphasized that any best practices resulting from an executive order would be developed through a government-industry partnership.

“For the core critical infrastructure companies that are already meeting these recommended best practices, nothing more would be expected,” Brennan said. “The companies driving cybersecurity innovations in their current practices and planned initiatives should help shape best practices across critical infrastructure. Companies needing to upgrade their security would have the flexibility to decide how best to do so using the innovative products and services available to the marketplace.”

President Obama could have the authority to go a step further than the Senate bill by explicitly directing sector-specific agencies to incorporate cybersecurity standards into existing regulatory regimes to the extent that current law allows them to do so, according to observers (11 PVLR 1402, 9/17/12). It remains unclear whether the administration is considering such a move.

By Alexei Alexis  


Full text of the White House letter is available at http://op.bna.com/der.nsf/r?Open=sbay-8y5va4.

Full text of Rockefeller's Aug. 13 letter is available at http://op.bna.com/pl.nsf/r?Open=kjon-8ychqy.