A top aide to cybersecurity legislation proponent Senator Joseph Lieberman (I-CT) said today that the administration will move forward on a cybersecurity executive order no matter what happens in the presidential election next Tuesday. Speaking at a cybersecurity summit hosted by the Washington Post, Jeff Ratner, Counsel and Senior Advisor for Cybersecurity, Senate Homeland Security & Government Affairs Committee said "regardless of what happens on Tuesday, the executive order will move forward" because the Obama administration does not view cybersecurity as a political issue as much as it does a vital issue of national security.
What then will the Congress do given that Senator Majority Leader Harry Reid (D-NV) has announced his intention to bring up a cybersecurity bill during the upcoming lame duck Congressional session? Ratner indicated that any cybersecurity bill that follows the executive order will likely fill in the gaps that the executive order cannot legally address, such as offering liability protection to critical infrastructure industries covered by the bill. This protection offers affected companies some insulation from civil or criminal prosecution for activities carried out under the bill (such as information sharing) if conducted in good faith. (A lot of debate has cropped up regarding what constitutes good faith under earlier legislative language and how effective the liability protection provisions are).
"Much of what we did in our new bill in Title I can be done via executive order," Ratner said. "What can’t be done is the incentives. You can’t offer [via executive order] incentives like liability protections, which the Congress can."
Kicking off the event, Department of Homeland Security Secretary (DHS) Janet Napolitano likened the effect of a cyberattack to Frankenstorm Sandy, and likened DHS to FEMA, the Federal Emergency Management Agency. "We look and act like a cyber-FEMA," she said.
Whether DHS should have that kind of power, as is likely under the Executive Order and as was specified in cybersecurity legislation, has been subject to heated debate. "People don't think DHS should be given more authority," Jim Lewis, Senior Fellow and Program Director at CSIS said. But then the problem becomes: which arm of the federal government should be given authority?
One other logical government agency that could be assigned cybersecurity responsibility is the National Security Agency (NSA). "When you say to people that you want to put NSA in charge of public information, it doesn’t bring screams of joy," Lewis joked. How about the FBI, the other government arm arguably qualified to do the job? Affected industries are bound to ask "am I going to want the FBI crawling over our networks?" Lewis said. By default, for now, the DHS seems the best, if not optimal, government agency to take on the task.