Can The President Use An Executive Order To Push Through Cybersecurity Rules?
from the sorta-maybe-possibly dept
With the Cybersecurity Act failing in the Senate, there’s been some buzz that President Obama might push through a bunch of provisions via executive order. From a political standpoint, there are tons of reasons to do so. If nothing gets done, and some sort of attack does happen, opponents can claim that he failed to strengthen our cybersecurity. But this way, he can claim he’s doing what he can, and pin the blame on Congress for not doing their part.
But what would it mean if he goes down this route? The Daily Caller has a hysterical and totally misleading piece claiming that this would allow for an “internet takeover.” As skeptical as I am for the need for such cybersecurity legislation (and I’m pretty skeptical), that article is just pure hyperbole. This has nothing to do with “taking over the internet,” and that’s just someone who’s lying or clueless.
The original link above, from The Hill, points out that, when it comes to industries that are already regulated, the administration could easily order them to include certain cybersecurity standards among their existing regulations:
Many companies managing vital computer systems are already heavily regulated. Lewis said the president could order agencies to require the industries they regulate to meet cybersecurity standards.
“You don’t need new legislative authority to do that,” Lewis said.
He noted that some regulatory agencies, including the Federal Communications Commission and the Nuclear Regulatory Commission, are independent and not bound to follow executive orders. But Lewis predicted that even the independent agencies would likely enforce an executive order on cybersecurity.
That likely would lead to some pushback concerning the limits of regulatory control, but if it actually solves the few problems we hear about (such as critical systems being connected to the internet) then perhaps it’s a more reasonable way to deal with things.
The other part of the bill, which was the part that concerned us the most, concerning information sharing, would be much more difficult to go after via an executive order. Stewart Baker has an interesting analysis of the possibility there, and he comes at it from someone who is… well, more hostile towards those of us who believe that privacy rights are important. He’s been railing against privacy rights activists and their attacks on the cybersecurity proposals for a while, and doing so in misleading and incomplete ways, unfortunately. He does the same here, suggesting that privacy lobbyists are a part of the problem, while completely misrepresenting their concerns, even to the point of suggesting that privacy activists don’t want to allow info sharing because sharing attack info reveals “personal info of the attacker.” That’s silly. No one has ever argued for that, and Baker is setting up a strawman.
However, he does note ways in which the administration can at least clarify intent via executive order to get around these claimed limitations (which I’m not convinced are actual limitations, as he describes them):
It is hard to fix bad laws with an executive order, but in this case I’m not sure it can’t be done. States with two-party laws are a minority already (about a dozen states, depending on how you count), and their laws are under pressure in the courts (thanks to police officers claiming that it’s a felony for members of the public to record them without their consent). What’s more, despite claims about their chilling effect on signature filtering, two-party-consent laws don’t seem to have stopped the emergence of robust spam filtering by private companies. A clear presidential statement that allowing such laws to bar signature filtering threatens national security would almost certainly resolve any lingering doubts, especially if it’s backed by an order that the Justice Department intervene as necessary in private state suits that challenge signature filtering.
All that’s left then is the federal ban on unsubpoenaed information sharing, and even it might yield to a little creativity. Not everyone is subject to the ban. So can the parties who are covered by the restriction (ISPs, webmail providers) simply share their data with parties who aren’t covered (security firms)? And can the security firms in turn sell their data to government? Maybe so. Again, a clear presidential statement that such a measure is essential for national security would make the courts think twice before declaring that Tinker-to-Evers-to-Chance is simply an evasion of the ban on Tinker sharing with Chance.
However, he also notes that Obama might not want to “tussle” with privacy groups and so this section may get ignored. While I agree that there are some privacy extremists who set forth proposals that go way too far, I think many of the people who were concerned about the cybersecurity bill over privacy issues wouldn’t necessarily be against very narrowly defined rules on information sharing, though it still seems unclear how much any existing law is really holding back info sharing for the purpose of cybersecurity. Passing data through third parties, of course, is a lot more controversial, depending on the controls and oversight involved. But, again, it’s still unclear how big of a problem this really is.
Either way, it wouldn’t surprise me to see some sort of use of Executive Orders here, but the limits on those would hopefully limit most of the really bad stuff found in the bill proposals.