The Administration’s Executive Order on Cybersecurity: An Opportunity to Choose Collaboration over Regulation
Update: President Obama issued an executive order on cybersecurity on February 12, 2013. In anticipation of such action, the U.S. Chamber’s Ann Beauchesne wrote the following post on January 16.
The Obama administration is expected to release an executive order on cybersecurity this month. The new order seeks to implement portions of cybersecurity legislation that failed to earn broad bipartisan support in the last Congress.
Administration leaders deserve credit for previewing the draft executive order with some in the business community. It’s not an everyday occurrence that the White House openly discusses the content of an executive order and actively solicits feedback prior to its issuance. The U.S. Chamber appreciates this.
A draft of the executive order from November emphasizes the need for public-private partnerships, greater information sharing, and the collaborative development of a cybersecurity framework and program. On the surface, this line of thinking is positive—at least conceptually. However, the U.S. Chamber recognizes that there is often a wide gap between concepts on paper and how they unfold in practice.
Any federal cybersecurity program needs to be fast, flexible, and efficient to counter threats to the United States—but can it?
The U.S. Chamber believes that executive action is unnecessary and opposes the expansion or creation of new regulatory regimes. Businesses genuinely want partners in the fight against nation-states and organized criminal groups, not regulators. Existing regulatory models are no match for the fast-paced demands of the cybersecurity environment. Today’s regulations can be outdated tomorrow, likely escalating a company’s risk by compelling it to maintain security requirements that have been rendered obsolete.
For the administration’s cybersecurity program to have a reasonable chance at countering major threats to U.S. national and economic security, it needs to be fast, flexible, and efficient. Any federal cybersecurity regime that business owners and operators believe is not managed well—or that favors compliance and bureaucracy over creativity and speed—would almost certainly create a powerful disincentive for voluntary participation by critical infrastructure entities.
Despite our concerns with executive action, one constructive outcome of the presidential order is that it could give various stakeholders the opportunity to judge what works and what doesn’t work regarding the proposed cybersecurity program. Congress does not need to give agencies and departments additional regulatory authority over industry.
The U.S. Chamber strongly urges the administration to continue its outreach to multiple sectors, industry organizations, and individual companies on cybersecurity. Each entity has its own unique history, requirements, and concerns that should inform the development of policy. Government officials need to engage members of the business community frequently and make their recommendations part of a maturing and cooperative process.
Congress should pass information-sharing legislation and other consensus measures.
The U.S. Chamber and its members have invested considerable time and energy to help lawmakers develop smart and effective cybersecurity policies and proposed legislation. The business community and most lawmakers agree that federal legislation is required to create a powerful sea change in the current information-sharing practices between the public and private sectors that reflects the conditions of an increasingly digital world. The November draft of the executive order elevates the importance of information sharing, which is a positive development, and calls on government officials to produce timely, unclassified reports on cyber threats to specific targets, such as U.S. critical infrastructure.
As the 113th Congress gets under way, the U.S. Chamber urges legislators and staff to focus on improving information sharing and liability protections, encouraging international cooperation against cybercrime, enhancing national cybersecurity research and development (R&D), reforming the Federal Information Security Management Act of 2002 (FISMA), and heightening public awareness and education. The U.S. Chamber has written Congress to urge lawmakers to focus on these principles and opportunities.
Of particular importance, we believe that Congress should start with a cybersecurity bill to improve the exchange of cyber threat information between business and government to elevate overall situational awareness in a manner that’s sustainable. The U.S. Chamber has consistently supported legislation that would put timely, reliable, and actionable information into the hands of business owners and operators so that they can better protect their systems and assets against the increasing threat of cyber attacks.
Legislation should support existing information-sharing and analysis organizations and incorporate lessons learned from pilot programs and exercises undertaken by critical infrastructure sectors. These initiatives offer complementary, demonstrated models for enabling the government to share actionable cyber threat information with the private sector—thereby affording security professionals the opportunity to implement measures intended to reduce a business’ cyber risk profile—without creating burdensome regulatory mandates or new bureaucracies.
In addition, businesses need certainty that threat and vulnerability information voluntarily shared with the government would be provided safe harbor and not lead to frivolous lawsuits, would be exempt from public disclosure, and could not be used by officials to regulate other activities. Legislation also needs to include an exemption from antitrust laws, which limit exchanges of information between private entities, in order to help prevent, investigate, and mitigate threats to cybersecurity.
The administration can seize an opportunity to choose collaboration over regulation.
Everyone agrees that America needs robust cybersecurity. The business community is eager to work with the administration and Congress on advancing efforts that would help businesses thwart economic espionage, cybercrime, and other illicit activities. If or when the administration issues the executive order on cybersecurity, the U.S. Chamber strongly believes that it should leverage a collaborative, rather than a regulatory, process.
We also urge administration officials to signal their support for information-sharing legislation, full liability protections, and other narrowly tailored measures to help business owners and operators harden critical infrastructure and adopt cutting-edge cybersecurity practices. Policymakers need to protect private sector investment in innovation and companies’ ability to be nimble and agile in detecting, preventing, mitigating, and responding to cyber threats.
Be sure to view the U.S. Chamber’s cybersecurity guide for small and midsize businesses, Internet Security Essentials for Business 2.0.