Obama Considering Unilateral Action to Protect Critical IT Infrastructure

With Congress unable to enact comprehensive cyber-security legislation, it appears President Obama is considering taking unilateral action to safeguard the nation's critical IT infrastructure.

Senate Stalls with Amendments to Cybersecurity Bill

The Democratic Party voted on its official party platform on Sept. 4 during the Democratic National Convention in Charlotte, NC, and the party's official stance on cybersecurity sounds pretty straightforward: "Going forward, the president will continue to take executive action to strengthen and update our cyberdefenses." It's pretty obvious the party platform would be in line with the Obama Administration's stance on these issues.

The Obama Administration had pushed Congress hard in recent months to pass comprehensive cybersecurity legislation, but the CyberSecurity Act of 2012 floundered in the Senate, days before Congress adjourned for its summer recess. While it doesn't look likely that Congress will pick up this issue any time soon, there are signs the Administration is not going to just sit still on it.

"If there are things this Congress isn't prepared to do, the president has a few options that he can move on," former White House Cybersecurity Coordinator Howard Schmidt told the National Journal on Aug. 30.

Since the bill failed in the Senate, various legislators and policymakers have called on the administration to issue an executive order to strengthen the nation's cyber-defenses. While an executive order would not be as sweeping as a law passed in Congress, it would allow the government to move forward on certain things, such as giving the Department of Homeland Security the power to protect federal networks and establishing an information-sharing program between the private sector and government agencies.

Sen. Jay Rockefeller (D-WV), chair of the Senate Committee on Commerce, Science and Transportation, recently suggested an executive order could establish a program protecting critical infrastructure that implemented various components of the failed Cybersecurity Act of 2012. Sen. Dianne Feinstein (D-Calif), chair of the Senate Select Committee on Intelligence, has also urged the president to take action to secure the country's critical infrastructure because it was unlikely Congress would reach consensus on cybersecurity legislation.

"I believe the time has come for you to use your full authority to protect the U.S. economy and the networks we depend on from future cyber attack," Feinstein wrote in an Aug. 28 letter to the president.

The executive order would allow the Department of Homeland Security and various intelligence agencies to share information with the private sector about cyber threats, including classified information, Feinstein said.

However, the executive order won't be able to grant additional powers to DHS, such as enforcing IT security standards, offering incentives, or granting liability exemptions to businesses.

"Many components of the Cybersecurity Act are amenable to implementation via executive order, normal regulatory processes, or other executive action under the authorities of the Homeland Security Act," Rockefeller wrote in his Aug. 13 letter to the president.

The official party stance approved at the Democratic convention also does not say anything about government-backed standards, voluntary or mandatory, that critical infrastructure operators, such as those controlling refineries, electric grids, and water supply systems, would need to follow to properly secure their IT systems. The government standards were one of the components in the failed legislation that came under heavy fire from the Republicans.

"While an Executive Order cannot convey protection from liability that private sector companies may face, your Administration can issue cybersecurity standards and provide technical assistance to companies willing to take voluntary steps to improve their security," Feinstein said.

If the Administration does go ahead with an executive order, it wouldn't be the first time President Obama decided to take action instead of waiting for Congress to act. He has done so 130 times over a variety of topics during his term, and he signed a different security-related order back in July.

The "Assignment of National Security and Emergency Preparedness Communications Functions" order, signed July 6, appears to give the federal government control of private communications networks in the case of a national emergency. The order grants the Department of Defense and DHS authority to develop and test programs that will allow the government to seize private communications networks, which include wireline, wireless, satellite, cable and broadcasting, as well as Internet communications, when it relates to national security.

“The Federal Government must have the ability to communicate at all times and under all circumstances to carry out its most critical and time sensitive missions,” reads the order. “Survivable, resilient, enduring and effective communications, both domestic and international, are essential to enable the executive branch to communicate within itself and with: the legislative and judicial branches; State, local, territorial and tribal governments; private sector entities; and the public, allies and other nations.”

Executive order aside, the Democratic Party platform also included plans to continue investing in cutting-edge research and development and strengthening private sector and international partnerships to "deter, prevent, detect and defend against cyber intrusions."

The Democrats weren't the only ones thinking about cyber-security at the national convention. The Republican Party also added cybersecurity to the party's official platform during the Republican National Convention in August. The party said the Obama administration had taken too regulatory an approach to cybersecurity and was "overly reliant" on developing defensive capabilities in case of cyber-attack.

"The current administration’s cyber security policies have failed to curb malicious actions by our adversaries, and no wonder, for there is no active deterrence protocol," according to the Republican platform.

The Republicans did encourage information sharing between the private sector and government agencies in the platform, but were adamant that the program be strictly voluntary.

"We believe that companies should be free from legal and regulatory barriers that prevent or deter them from voluntarily sharing cyberthreat information with their government partners," the Republican platform stated.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.