We all know that the threat of cyber attack is growing dramatically (don’t we?), and that the most urgent duty of government is to protect the populace (isn’t it?) Assuming that’s the case, how are we to explain the recent collapse of an effort to pass essential cybersecurity legislation? And what, if anything, can be done about it?
Well, that’s a poser, as they say. A rightly heralded accomplishment of the Founding Fathers of the United States was their creation of a tri-partite form of government with carefully balanced powers. Those powers were intended to prevent any one of the branches – executive, legislative or judicial – from becoming too powerful. Unfortunately, checks and balances can only stop things from happening, and our forefathers weren’t quite as successful at creating a system where one branch can goad another into action when it’s falling down on the job.
The result is that the Executive Branch has had an increasingly hard time over the past decade in getting its agenda through Congress, unless the President’s party also holds a commanding lead in both Houses of Congress.
Shouldn’t YOU discover the
The Alexandria Project?
A tale of Treachery and Technology
Buy at Amazon
Buy at iTunes Store
Buy at Barnes & Noble
Still, the President does have a few dramatic powers at his disposal that can result in uncharacteristically swift and dramatic results, notwithstanding those checks and balances. Chief among them is the ability to take actions by “Executive Order” – in effect, to create law within certain vaguely defined boundaries without any involvement of Congress at all. Not long ago, President Obama used this power to put his own, more limited version of the “Dream Act” in place after Congress failed to act on immigration reform.
Now the President appears to be ready to act again, this time in an effort to plug the cybersecurity gap left open by (yet another) successful filibuster in the Senate.
The legislation in question was titled the Cybersecurity Act of 2012, a bill that didn’t seek to impose government-created standards on the private sector, but rather called on the private sector to voluntarily develop and adopt its own cyber security standards. Unfortunately, business interests (acting most visibly through the U.S. Chamber of Congress) lobbied vigorously – and successfully – against the bill.
In response, on September 19, John D. Rockefeller IV, the Chairman of the Senate Committee on Commerce, Science and Transportation, sent a letter to each of the CEOs of each of the Fortune 500 companies, expressing his “profound disappointment” with the failure of the Act and his concern over the nation’s increasing vulnerability to a “catastrophic cyber attack.”
He went on to ask each CEO to respond to eight questions, focusing on what cybersecurity standards and best practices his or her company has already adopted, where those practices were developed, and what their concerns might be relating to entering into the type of public-private initiative to protect critical national infrastructure from cyber attack envisioned by the Cybersecurity Act. Rockefeller also noted that he had “urged President Obama to use his authority to implement cybersecurity protections for our country through an Executive Order.”
Now, it appears, President Obama has decided to respond to that request. On Friday of last week, U.S. Secretary of Homeland Security Janet Napolitano announced that just such an Executive Order is "close to completion," although reportedly some issues remain to be addressed. If the Executive Order does issue, it would be expected to apply to the same types of critical infrastructure as the Cybersecurity Act – power plants, utilities, pipelines, transportation and telecommunications networks, hospitals and other systems essential to every day life.
Although government impositions are rarely, if ever, welcomed by industry, it is still perhaps surprising that industry pushed as hard as it did to kill the Act. First, the Act would have provided incentives to companies to upgrade their defenses, just as it has for the implementation of standards-based electronic health record systems and for the new, standards-based SmartGrid. Each of those processes is well advanced, supported by significant industry participation.
It might also appear surprising that the government should be considering not only a voluntary compliance program, but one based on private sector developed standards rather than regulations created and enforced by Washington. In fact, this approach was not only predictable, but almost inevitable.
That’s because in 1995 Congress enacted the Technology Transfer and Advancement Act, which required government to get out to the standards business for its own procurement purposes, and also to participate in standards development activities carried out in private sector standards setting organizations. This reliance on a “bottom up,” private sector-driven standards development process, rather than a “top down” government maintained process, is so deeply engrained that it would be hard to imagine a comprehensive cybersecurity standards development initiative being carried out in any other way.
But how do you mandate the voluntary development of standards? Or, stated another way, what if you gave a standards development project and nobody came?
Ultimately, President Obama will need to use just as much of a carrot as a stick (and carrots cost money). Unless those companies that have the competence to create the needed standards engage, and unless the vendors that build the products, host the cloud services, and integrate the product offerings implement and recommend those standards, then the owners of the critical infrastructure to be protected will have nothing to buy and install.
The moral, it would seem, is that once a bottom up development infrastructure is in process, even an Executive Order may not be sufficient to push a string. Ultimately, if the President is to be successful, I believe he’ll need to commission an agency (presumably Homeland Security or NIST) to create an initiative similar to the SmartGrid Interoperability Panel in order to gather the cross sectoral range of standards professionals necessary to create comprehensive solutions, as well as the vendors and customers that will have to implement and use them. Absent such a strategy, it’s difficult to see how he’ll be able to pull it off.