Skip Links

Hopes for federal cybersecurity standards fading

Prospects for legislation or presidential executive order before the end of the year look dubious

By Taylor Armerding, CSO
October 30, 2012 01:15 PM ET

CSO - Cybersecurity is clearly on the agenda of both Congress and President Obama. But it is just as clearly not at the top of their list.

Obama to compromise on cybersecurity executive order

The prospects this year for federal cybersecurity standards governing private-sector operators of critical infrastructure, either through legislation or presidential executive order, are fading.

Analysts and legislative insiders say it is unlikely that legislation, in the form of the U.S. Senate's 2102 Cyber Security Act (CSA), will make it through a lame-duck Congress.

Randy Sabett, an attorney with ZwillGen and an information security expert, called it "very unlikely."

"[Cybersecurity] is a very complex topic and we still have fundamental differences between the various sides," he said. "Add into that the election, the budget and sequestration, and the host of other issues facing Congress and [cybersecurity action] doesn't have much of a chance."

Stewart Baker, a partner at Steptoe & Johnson and former assistant secretary for policy at the Department of Homeland Security, agrees. He told Jennifer Martinez of The Hill that "the timing is bad [and] the amount of work that has to be done in the lame duck is so substantial."

[See also: Insecure industrial control systems, hacker trends prompt federal warnings]

 Leslie Phillips, communications director for the Senate Homeland Security and Government Affairs Committee, confirmed that Sen. Joseph Lieberman (I-Conn.), a cosponsor of the CSA legislation, is also doubtful about its prospects.

"The Senator, by nature an optimistic man, puts the odds of passing comprehensive cybersecurity legislation in the lame duck session at less than 50-50," Phillips told The Hill.

While the Obama administration began in early September to circulate a draft executive order that would implement some of the goals of the CSA, Department of Homeland Security (DHS) Secretary Janet Napolitano said after a speech last week that the president had not even reviewed the latest draft of that order.

Napolitano added that the administration would prefer that Congress pass cybersecurity legislation, rather than issue the executive order.

And then there is the election. If President Obama wins a second term, and Congress fails to act, there is still a chance he could issue the order sometime between mid-November and the end of December.

But if he loses, the order is in trouble. "I don't think an executive order on this topic by a president that's just been defeated is likely," Baker said.

Some in the security community wonder if either legislation or an executive order is necessary. Joel Griffin, writing in SecurityInfoWatch, argues that information sharing between government and private operators of critical infrastructure should already be happening.

"Wasn't that the whole point of the DHS's establishment of fusion centers across the country to create a place where federal, state and local authorities could meet to discuss potential threats, be it physical or cyber?" Griffin wrote. "The intelligence shared amongst these agencies should logically be passed onto security and management personnel at critical infrastructure sites if there is a credible threat." 

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News