- 18 Hot IT Certifications for 2014
- CIOs Opting for IT Contractors Over Hiring Full-Time Staff
- 12 Best Free iOS 7 Holiday Shopping Apps
- For CMOs Big Data Can Lead to Big Profits
CSO - Cybersecurity is clearly on the agenda of both Congress and President Obama. But it is just as clearly not at the top of their list.
The prospects this year for federal cybersecurity standards governing private-sector operators of critical infrastructure, either through legislation or presidential executive order, are fading.
Analysts and legislative insiders say it is unlikely that legislation, in the form of the U.S. Senate's 2102 Cyber Security Act (CSA), will make it through a lame-duck Congress.
Randy Sabett, an attorney with ZwillGen and an information security expert, called it "very unlikely."
"[Cybersecurity] is a very complex topic and we still have fundamental differences between the various sides," he said. "Add into that the election, the budget and sequestration, and the host of other issues facing Congress and [cybersecurity action] doesn't have much of a chance."
Stewart Baker, a partner at Steptoe & Johnson and former assistant secretary for policy at the Department of Homeland Security, agrees. He told Jennifer Martinez of The Hill that "the timing is bad [and] the amount of work that has to be done in the lame duck is so substantial."
Leslie Phillips, communications director for the Senate Homeland Security and Government Affairs Committee, confirmed that Sen. Joseph Lieberman (I-Conn.), a cosponsor of the CSA legislation, is also doubtful about its prospects.
"The Senator, by nature an optimistic man, puts the odds of passing comprehensive cybersecurity legislation in the lame duck session at less than 50-50," Phillips told The Hill.
While the Obama administration began in early September to circulate a draft executive order that would implement some of the goals of the CSA, Department of Homeland Security (DHS) Secretary Janet Napolitano said after a speech last week that the president had not even reviewed the latest draft of that order.
Napolitano added that the administration would prefer that Congress pass cybersecurity legislation, rather than issue the executive order.
And then there is the election. If President Obama wins a second term, and Congress fails to act, there is still a chance he could issue the order sometime between mid-November and the end of December.
But if he loses, the order is in trouble. "I don't think an executive order on this topic by a president that's just been defeated is likely," Baker said.
Some in the security community wonder if either legislation or an executive order is necessary. Joel Griffin, writing in SecurityInfoWatch, argues that information sharing between government and private operators of critical infrastructure should already be happening.
"Wasn't that the whole point of the DHS's establishment of fusion centers across the country to create a place where federal, state and local authorities could meet to discuss potential threats, be it physical or cyber?" Griffin wrote. "The intelligence shared amongst these agencies should logically be passed onto security and management personnel at critical infrastructure sites if there is a credible threat."