President Barack Obama’s order to boost U.S. cybersecurity amid reports of widespread Chinese hacking provides cover to lawmakers who oppose government regulation to improve computer defenses.
While the president portrayed his move as countering Congress’s inaction, his cybersecurity standards for companies operating vital national infrastructure are voluntary, not mandatory as called for by an Obama-backed Senate bill that failed last year. Still, the order may let Democrats and Republicans declare standards a moot point.
“The executive order takes pressure off the Senate and will allow us to get agreement on a voluntary information sharing bill that will solve 90 percent of the most sophisticated cyber threats that we face,” House Intelligence Committee Chairman Mike Rogers, a Michigan Republican, said in an interview. “The executive order tones down the political rhetoric that was caught up in election year politics.”
A report this week from computer security firm Mandiant Corp. that pointed to the Chinese army as the source of hacking attacks on U.S. companies hasn’t changed minds in Washington on cybersecurity approaches, said Jacob Olcott, a principal at Good Harbor Consulting, an Arlington, Virginia-based security risk company. Republicans led by Senator John McCain of Arizona blocked the Senate bill last year, saying it would burden companies with regulations.
“The debate about critical infrastructure regulation seems to be on pause for the foreseeable future,” said Olcott, former counsel to Senate Commerce Committee Chairman Jay Rockefeller, a West Virginia Democrat. The fact that such requirements are off the table “when everybody knows there’s a real threat out there should say a lot.”
The Mandiant report didn’t tell lawmakers anything they didn’t already know, Representative Michael McCaul, a Texas Republican and chairman of the House Homeland Security Committee, said in an interview.
“The report reveals a page in a phone book of threats,” McCaul said. “What I’m interested in is a bill that can pass through the Senate and get signed by the White House.”
Rogers and the House Intelligence Committee’s top Democrat, C.A. “Dutch” Ruppersberger of Maryland, reintroduced a proposal Feb. 13 to give legal protection to companies that share cyber threat information with each other and the government. The bill passed the House last April and failed to advance in the Senate after Obama threatened a veto, saying the measure didn’t go far enough to boost computer defenses and failed to protect the privacy of consumer data.
No effort has been made to reintroduce the Obama-backed Senate bill that failed. That effort was led by Joe Lieberman, the Connecticut Independent who has since retired.
Obama’s order, issued Feb. 12 as he began his State of the Union speech, directs the government to develop voluntary standards for companies operating infrastructure such as power grids and air-traffic-control systems. It instructs U.S. agencies to consider putting the standards into existing rules.
Senator Tom Carper, the Delaware Democrat who succeeded Lieberman as chairman of the Senate Homeland Security and Governmental Affairs Committee, said, without specifying what actions should be taken, that Congress should approve legislation to “complement” the executive order.
Obama’s order was important because vital U.S. services are under attack and the nation can’t afford to delay, Carper said in an e-mail.
“Developing and passing legislation of this nature does take time, but I am hopeful that we can move forward with a hearing on this important topic in the near future,” he said.
While not commenting on specific bills, administration officials have pressed for legislation to encourage companies to share cyber threat information with the government, something they say only Congress can do.
“The government is often unaware of malicious activity targeting our critical infrastructure,” General Keith Alexander, director of the National Security Agency and U.S. Cyber Command, said at a Feb. 13 event at the Commerce Department. These “blind spots” prevent the government from protecting companies and the nation, he said.
The administration supports “targeted liability protections” to protect companies that share cyber threat information with the government and each other, and take part in voluntary standards, Michael Daniel, the White House cybersecurity coordinator, said Feb. 15 at the Center for Strategic and International Studies in Washington.
Caitlin Hayden, a White House spokeswoman, said yesterday in an e-mail that any cybersecurity measure advanced by Congress must also incorporate privacy and civil-liberties protections that define the types of information that can be shared and ensure adequate oversight.
The American Civil Liberties Union and other groups oppose the Rogers-Ruppersberger bill, saying it doesn’t have adequate safeguards for consumer privacy and could allow sensitive personal information to be passed to the National Security Agency and other military agencies.
“There’s no need to rush into something like CISPA,” Michelle Richardson, ACLU legislative counsel, said in an interview, referring to the Rogers bill by its title, the Cyber Intelligence Sharing and Protection Act.
The U.S. Chamber of Commerce, the nation’s largest business lobby, believes the executive orders give companies and lawmakers “a chance to see what works and what doesn’t without the need for new mandates,” Ann Beauchesne, the Chamber’s vice president of national security and emergency preparedness, said in an e-mailed statement.
The Chamber lobbied against the Obama-backed Senate bill and supports the Rogers-Ruppersberger legislation.
“Congress must continue to work on bipartisan legislation that would put timely, reliable, and actionable information into the hands of business owners and operators so that they can better protect their systems and assets against cyber attacks,” Beauchesne said.