Security Experts:

Cybersecurity Executive Order Leaked to Web

In August, word spread that after the Senate rejected the Cybersecurity Act of 2012 the Obama administration was considering an executive order that would deal with some of the provisions in the failed bill. Last week, a draft of such an order was leaked to the Web. In addition, John Brennan, assistant to the President for Homeland Security and Counterterrorism, sent a letter to Senator Rockefeller confirming the administration’s intention to use executive powers.

Senate Stalls with Amendments to Cybersecurity Bill

Last Friday, Techdirt published a 19 page draft document from the Obama Administration, which would act as the basis for an executive order covering some of the items that were rejected by Senate Republicans last month.

RelatedGun, Abortion Amendments Stall Senate Cybersecurity Bill

The draft posted by Techdirt is one of two working drafts. It’s vague, and calls for several things that were expected by the public, including protections for Nuclear plants, and Energy. A problematic wording within the draft however, calls for “Communications” to be considered critical, but there is nothing that defines what should considered communications, which leaves the proposed plan for information sharing between the public and private sectors, open to abuse and privacy violations. 

“...we noted numerous problems in the draft we did see, including the broad definition of ‘critical infrastructure,’ which basically leaves it pretty open for the feds to declare almost anything "critical infrastructure," thereby putting tremendous pressure on private companies to comply with a set of rules that may not make much sense,” Techdirt’s Mike Masnick wrote on Tuesday.

The leaked draft’s wording led Senator Ron Wyden to write a letter to White House Cybersecurity Coordinator J. Michael Daniel, reminding him that there is a huge difference between protecting nuclear facilities and social networking (which could fall under the provisions outlined for communications in the draft itself).

“In the case of interactive computer services, such as networks that facilitate commerce, provide search services, or are platforms for social networking and speech, vulnerabilities are unlikely to constitute threats to our national security. It should be clear in any executive order related to cybersecurity that there is a fundamental difference between networks that manage infrastructure critical to public safety, like energy, water, and transportation systems, and those that provide digital goods and services to the public,” Wyden’s letter said.

“It would be a profound mistake to subject our growing digital economy to onerous new cyber rules and regulations that stifle innovation, creativity, and job growth. Such rules will not serve to combat the real threat to the nation's critical infrastructure and national security.”

As mentioned, John Brennan, who is the assistant to the President for Homeland Security and Counterterrorism, sent a letter to Senator Rockefeller (Chairman of the Committee on Commerce, Science, and Transportation) confirming the administration’s intention to use executive powers. In the letter, Brennan said that the administration is exploring the executive order option because the President is determined to protect the “nation from cyber threats.”  

Again, the leaked draft is only one version of the proposed executive action. Yet, there is no solid proof that an executive order is coming, as it’s been nothing but talk at this point. In addition, the vague wording and lack of clarity in the draft that has been made public should give lawmakers and privacy guardians something to focus on. If the draft was made into law today, it would allow the government the authority to declare any service critical to national security. If that happened, then private organizations would be forced into following government mandates and data sharing regulations, which may ruin privacy for the organization’s customers and/or users.

However, perhaps Masnick has it right. In his post to Techdirt, he said that the draft as it was worded seems to be a scare tactic.

“Honestly, looking this over, you get the sense that it's really designed to do one thing: scare those who fought against the various bills back to the table to compromise and get a bill out," he wrote. "It's no secret that the administration's overall preference is to get a law in place, rather than this executive order. That's been a failed effort so far, but you have to wonder if this is a ploy to scare those who opposed the Cybersecurity Act into thinking that if they don't approve some legislation, the exec order might be a bigger problem.”

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.