In a move engineered by Majority Leader Harry Reid (D-NV), the Senate shot down two days ago the prospect of comprehensive cybersecurity legislation during the lame duck Congress, ratcheting up the prospects that President Obama will make good on his threats to sign an executive order that achieves what Congress has so far failed to accomplish. Proponents for a cybersecurity bill lost 51 to 47 and some of the smarter (and perhaps more cynical) thinkers on the cybersecurity tussle believe that the fast post-election effort to give Congress another run at the goal line was nothing more than a hail Mary maneuver to give Obama political cover to issue the order.
Whatever the case may be, all signs point to Obama issuing that order any day now. Amid all the political wrangling, little attention has been paid to the actual substance of the order itself. Although little more than a dozen pages long, the order is a vast, gnarly beast that will put into motion massive activity throughout the federal government, involving virtually every agency, administrative office, military branch and, of course, hundreds of thousands of businesses, non-profit organizations, public agencies and state and local governments.
Not only is the scope of the order vast, but also the deadlines specified in the latest version of the "public" draft order are insanely ambitious for such a complex undertaking. I've mapped out the key deadlines in the table below.
Assuming that Obama signs the order before Thanksgiving (as is widely believed), and assuming the final order resembles the current draft, the complex apparatus needed to fulfill the order's directives must swing into gear to accomplish a host of intricate things in extremely short time frames. For example,
- via a consultative process throughout the federal government (and relying on an existing and controversial database involving hundreds of thousands of entities), the Department of Homeland Security has to identify all critical infrastructure assets covered under the order by mid-April.
- The National Institute of Standards and Technology has to develop a framework for identifying and managing cyber risks across a host of diverse critical infrastructure sectors by mid-May.
- Also by mid-May DHS has to implement guidance on how critical infrastructure owners can voluntarily share cybersecurity information,
- and on and on.
Quite a few people, it seems, will be toiling away during the holiday season..and for years afterward.