After the Cybersecurity Act (the Senate’s version of CISPA) got axed this summer, many realized that if securing the interwebs was going to happen this year, it wouldn’t be by way of a gridlocked Congress. Both U.S. Defense Secretary Leon Panetta and Senate Homeland Security and Governmental Affairs Chairman Joe Lieberman urged Obama to move forward with an executive order—despite worries from the likes of Cybersecurity Act sponsor Sen. Susan Collins, R-Maine, that without congressional review, such a policy move would likely ignore the private sector’s numerous privacy and liability concerns.
TechDirt’s leak of a “draft” executive order last month only intensified fears of the anti-executive order wing—the memo gave a vague definition of “critical infrastructure” and skimmed over the numerous privacy concerns voiced by both Republicans and free-speech groups such as Electronic Frontier Foundation, which deemed CISPA the “Big Brother” bill.
Now 11 GOP members of Congress—including the iPad-lovin’ Rep. Mary Bono Mack—are urging Obama not to issue an executive order at all, fearing that such a “hasty, unilateral action” would hold numerous consequences.
Their primary objections to the executive order, as explained in a letter sent Thursday, are the following:
1) It will make it easier for China, Russia, and Iran to convince the United Nations to govern the world’s Internet—which could diminish the large degree of influence the U.S. has in saying how the Internet is run globally. U.N. member nations will be negotiating a treaty this December to determine whether policy authority for Internet issues is the “sovereign right of the states” instead of the mostly U.S.-based multi-stakeholder groups that currently control it. Proponents of free speech such as “Father of the Internet” Vinton Cerf have warned that putting the Internet under the reins of an international regulating body might “take away the Internet as you and I have known it”—by putting barriers on a technology that’s grown because most of the free world has turned a blind eye to restricting it. By creating further governmental oversight of the Internet, say the Republicans, Obama’s order “will almost certainly be exploited by other nations to justify their efforts to regulate the Internet.”
2) The Department of Homeland Security is rumored to be the agency put in charge. The leaked memo named the DHS as the head agency in all matters of cybersecurity, tasking the DHS secretary with the bulk of federal responsibility for governing the critical infrastructure—an unwise move, according to the Republicans. The letter cites a recent report from the Senate Homeland Security Subcommittee on Investigations that detailed the mismanagement snafus that go on at DHS as “doing nothing to increase our confidence.” The investigation revealed that DHS’s fusion centers—the agency’s efforts at counter-terrorism information sharing—were violating more civil liberties than cracking terrorist plots.
3) Creating a “top-down, one-size fits all bureaucracy” could give potential terrorists an easier target in the case of an attack. Requiring banks, water systems, hospitals, and others to disclose to the government exactly how they secure the system would basically give “a roadmap to those that wish to do us harm.”
The letter reads like a laundry list of a company’s worst government-regulation fears. But how valid are these concerns? To get the scoop on the private sector’s relationship with the government, I talked to Richard Bejtlich, chief security officer of Mandiant, an Internet security firm whose clients reportedly include 40 percent of the Fortune 100.
Bejtlich isn’t a fan of a cybersecurity executive order. But he’s skeptical about the letter’s claim that requiring the private sector to report incidents to the government would give adversaries “a roadmap” for attack. “There’s a gulf between what a bad guy would use … and the type of information the government is requesting that companies give,” he said. “When you get down to the details, there aren’t any that might help the adversary.” In fact, most of the private sector seems to be more concerned that sharing information with the government would violate laws surrounding release of consumer data.
Concerns over DHS mismanagement might be valid, but Bejtlich is unsure who else could do the job.
According to Bejtlich, the No. 1 most helpful move by the government dates back to when the FBI began quietly informing companies that their data were being stolen by hacker teams from countries like China. But when it comes to preventing such incidents from happening to companies in the first place, the government has proven largely inactive.
Almost a month ago, Napolitano said the drafting of the executive order was “close to completion.” But both the agency and the White House are mum on the exact date of when the official order will be released. In response to questions, White House spokesman Caitlin Hayden said that while the White House is considering an executive order as a way to collaborate with the private sector in securing critical infrastructure, the order would be no substitute for a cybersecurity bill—it won’t create new powers or authorities—which might shatter the illusion that an executive order would give the federal government more control over the private sector than CISPA.
“The process of developing an Executive Order will take time, as we believe that it must take into account the views of our partners in the private sector and the Congress,” wrote Hayden in the e-mail. “Given the gravity of the threats we face in cyberspace, we want to get this right in addition to getting it done swiftly.”
Meanwhile, Sen. Harry Reid, D-Nev., recently announced plans to introduce a new cybersecurity bill in November.