President Barack Obama is considering executive-branch action on U.S. cybersecurity after Congress failed to pass legislation to protect national security assets, a White House aide said.
“If the Congress is not going to act on something like this, then the president wants to make sure that we’re doing everything possible,” John Brennan, Obama’s counterterrorism adviser, said today at an event at the Council on Foreign Relations in Washington.
Senate Republicans last week blocked a bill backed by Obama that would have set up voluntary cybersecurity standards for operators of infrastructure such as power grids and water-treatment plants that are considered essential to national security.
Republicans, the U.S. Chamber of Commerce and other business groups said the voluntary standards would be a back door to government regulation of companies. The bill was sponsored by Senators Joe Lieberman, a Connecticut independent, and Susan Collins, a Maine Republican.
Brennan said opponents misrepresented the bill, which he said called for minimum performance standards. He didn’t specify what the White House is planning, or if it would take the form of an executive order.
“Believe me, the critical infrastructure of this country is under threat,” Brennan said, adding that foreign states and hackers “are developing advanced technologies, and we have to improve our defenses on this issue.”
Obama could accomplish many objectives of the Lieberman-Collins bill with an executive order or other directive, Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security, said in an interview.
The president could encourage operators of key facilities to adopt voluntary standards, have the Homeland Security Department coordinate that process and require existing regulators that oversee infrastructure to make cybersecurity a focus, said Baker, now a partner at the Steptoe & Johnson law firm in Washington.
“An executive order would be counterproductive and would cut short the proper legislative process, which needs to continue,” Matthew Eggers, senior director of national security at the Chamber of Commerce, said in an e-mailed statement.
“An executive order makes clear the administration’s intent to put a mandatory program into place to regulate businesses,” Eggers said.
The Republican-controlled House of Representatives passed a bill in April that encourages businesses and government to share cyberthreat information, without setting standards for companies.
White House spokesman Jay Carney last week called the House bill “deeply flawed,” saying it threatens the privacy of consumer data and does nothing to protect the nation’s infrastructure.
Lieberman said today he still hoped that lawmakers would pass cybersecurity legislation. “But if Congress cannot get its act together to protect our nation from the real, urgent, and growing threat of cyber attack, then the President must do everything he can by executive order,” he said in an e-mailed statement.
“The problem is there are some things we should do to defend ourselves from cyber attack that can only be done by statute,” Lieberman said.
Lieberman’s bill is S. 3414. The House bill is H.R. 3523.