An Executive Order on Cybersecurity?

I’ve long suspected that President Obama would respond to the failure of cybersecurity legislation with an executive order.  Many of the legislative proposals that failed in the Senate can be implemented by the President acting alone.  An executive order would also advance a story line that has the President robustly protecting national security while a do-nothing Congress dithers. After a little thought, in fact, I now think that an executive order could actually do more for cybersecurity than any legislation that this Congress could plausibly have adopted.

At a minimum, the Administration is keeping its options open on an executive order.  Here’s what Presidential spokesman Jay Carney said when The Hill asked point-blank whether a cybersecurity order was in the works:

“In the wake of Congressional inaction and Republican stall tactics, unfortunately, we will continue to be hamstrung by outdated and inadequate statutory authorities that the legislation would have fixed…. Moving forward, the President is determined to do absolutely everything we can to better protect our nation against today’s cyber threats and we will do that.”

What can the President do by executive order?  The Senate bill’s measures fell into three categories, and most of them can be implemented in some form without legislation.

First, lots of them were filler, authorizing new research programs, reforms of the Federal Information Systems Management Act, and so on.  None of these were likely to change the world, in part because they can mostly be implemented under existing law. Like the proposed bills, an executive order would simply dramatize changes that are already under way.

Second, the Senate (but not the House) proposed private sector security standards. Broadly speaking, the Senate majority wanted to legislate a central role for DHS, which would take the lead in identifying industries where cybersecurity is essential. The Senate bill then called on those industries to adopt security standards, which would be backed by some kind of government enforcement or incentives.  Some of the biggest fights in the Senate were over DHS’s role, over how much new enforcement power the government would have, and over whether to jam cybersecurity standards into existing federal regulations for industries like power, pipelines, transportation, and communications.

Ironically, by the time Senate supporters of the bill were done trying unsuccessfully to woo the Chamber of Commerce, their bill did only a little that could not be done by executive order.  DHS has lots of legislative authority over cybersecurity already.  It could almost certainly identify critical infrastructure and encourage voluntary standards without more legislation. It may not be able to enforce the standards with fines and orders, but those tools were mostly stripped from the bill in a futile attempt to win business acquiescence. As for incentives, the SAFETY Act, with a little effort (it’s designed for terrorism not cyberattacks), could be repurposed to provide liability protection for companies that meet cybersecurity standards. And, again with controversy, DHS could be assigned the role of driving coordinated security standards into the regulatory processes of all federal agencies.  Even the independent agencies, such as the FCC, have acknowledged that they must follow the executive branch on national security matters, so such a result is at least plausible, and lawsuits challenging such a measure would simply keep the issue in the news longer, reemphasizing the administration’s preferred narrative.  In short, on this score, the Obama administration probably gets more out of the cybersecurity act’s failure than it would have gotten out of success. (That might explain its otherwise inexplicable CISPA veto message, which helped doom bipartisan cybersecurity efforts on the Hill.)

The third topic, information sharing, is more problematic.  The key legislative changes, proposed by everyone, would have undone a couple of overbroad privacy laws from the 60s and the 80s. One such law allowed states to require that all parties consent to private interception of their communications. In today’s world, that’s foolish; it means giving malware authors a veto over measures to screen their attacks. The other aging privacy provision prevented certain companies from sharing with the government attack signatures that they already share among themselves; that’s because the signatures pretty much have to contain the personal data (gasp!) of the attackers. Thanks to past privacy lobbying, federal law says that personal data may be shared by electronic service providers only in response to a subpoena, thus reducing what needs to be a speed-of-light transmission to a speed-of-lawyers snail’s pace. Privacy campaigners managed to make the repeal of these outmoded provisions controversial.  So by the time the Senate was done trying without success to woo privacy groups with amendments (yes, you do see a pattern here), its bill was arguably worse than the status quo.

It is hard to fix bad laws with an executive order, but in this case I’m not sure it can’t be done.  States with two-party laws are a minority already (about a dozen states, depending on how you count), and their laws are under pressure in the courts (thanks to police officers claiming that it’s a felony for members of the public to record them without their consent). What’s more, despite claims about their chilling effect on signature filtering, two-party-consent laws don’t seem to have stopped the emergence of robust spam filtering by private companies.  A clear presidential statement that allowing such laws to bar signature filtering threatens national security would almost certainly resolve any lingering doubts, especially if it’s backed by an order that the Justice Department intervene as necessary in private state suits that challenge signature filtering.

All that’s left then is the federal ban on unsubpoenaed information sharing, and even it might yield to a little creativity.  Not everyone is subject to the ban.  So can the parties who are covered by the restriction (ISPs, webmail providers) simply share their data with parties who aren’t covered (security firms)?  And can the security firms in turn sell their data to government?  Maybe so.  Again, a clear presidential statement that such a measure is essential for national security would make the courts think twice before declaring that Tinker-to-Evers-to-Chance is simply an evasion of the ban on Tinker sharing with Chance.

In short, an aggressive executive order could do as much or more than the bills that were emerging from the lobbyist-ridden cybersecurity negotiations on the Hill.  An order would be controversial, but the controversy itself may be welcomed by the administration.  I have no doubt that right now it would relish a fight over national security with the Chamber of Commerce. (Whether it would welcome a tussle with privacy groups is less clear, so the information sharing problem may be left to fester.)

With substance and politics in alignment, it’s easy to see why rumors are flying about a pending order.

UPDATE: Changed Evans to Evers, with thanks to elderlycurmudgeon