Limits Seen in White House Cybersecurity Executive Order
The White House may have difficulty bolstering U.S. cyber defenses through an executive order unless there’s enough public support, according to former National Security Agency director Michael Hayden.
If President Barack Obama issues an executive order rather than waiting for Congress to agree on comprehensive legislation, it would be an admission that there isn’t broad support for cybersecurity efforts, Hayden said in an interview with Bloomberg Television’s Peter Cook on the new program “Capitol Gains,” which airs Sept. 30.
“We as citizens have not yet determined, in broad terms, what it is that we want the government to do in the cyber domain to defend us or what we will allow the government to do in the cyber domain,” said Hayden, who led the NSA from 1999 to 2005 and was Central Intelligence Agency director for the final years of George W. Bush’s administration.
The Senate failed last month to advance comprehensive cybersecurity legislation, prompting the White House to consider using its executive power to create a program to shield vital computer networks from potentially crippling cyber attacks and electronic espionage.
A series of denial-of-service attacks this week and last week against the biggest U.S. banks, including JPMorgan Chase & Co. (JPM) and Wells Fargo & Co. (WFC), demonstrates that even some of the nation’s most advanced computer defenses can be breached, according to cybersecurity specialists tracking the assaults.
Hayden said it’s “a really close call” on whether the Obama administration should issue an executive order.
The administration must consider whether such an order would build momentum and spur private companies that own most of the nation’s critical infrastructure to better protect their networks, according to Hayden. On the other hand, there’s a risk of alienating companies, he said.
Hayden has firsthand experience in acting under a broad interpretation of executive power. While at the NSA, he oversaw the so-called terrorist surveillance program that conducted electronic surveillance on Internet activity and phone calls of U.S. citizens without warrants.
The program was authorized in secret by the Bush administration after the Sept. 11 terrorist attacks. Congress passed a law in 2008 to provide a legal framework for the program.
“As director of both NSA and the CIA, I operated on the outer reaches of executive prerogative doing some things to defend the nation,” said Hayden, now a principal at the Chertoff Group, a consulting firm in Washington. “You can’t do that over the long term in a democracy without broad political support.”
Hayden said he believes that government and private companies should develop standards to protect computer networks from potentially devastating attacks.
“We’ve got to agree on certain levels of security,” he said. “There are some industries that, when they are penetrated and punished with a cyber attack, the cost is not confined to those industries.”
There’s been debate over whether cybersecurity standards should be mandatory or voluntary for companies. Hayden said mandatory standards could result in companies doing the minimum amount to protect their networks.
“I fear if we rely only on mandatory standards and not voluntary standards, we set in motion a compliance mindset,” he said.