Before recessing in August, the Senate considered, but failed to pass, comprehensive cybersecurity legislation, the Cybersecurity Act of 2012 (S. 3414) (“CSA2012”). Shortly thereafter, during a Council on Foreign Relations event on August 8, Deputy National Security Adviser John Brennan stated that the President is considering using an executive order to implement portions of the cybersecurity legislation.
Recent reports indicate that the White House has circulated a draft cybersecurity executive order to government agencies. The text of the draft executive order is not public, but reports suggest that it would implement portions of the CSA2012, particularly those dealing with voluntary cybersecurity standards for private industry. The executive order would establish an interagency council, chaired by the Department of Homeland Security, to work with the National Institute of Standards and Technology (NIST) and industry to develop cybersecurity guidelines that the private sector could adopt voluntarily. The CSA2012 included provisions for a similar program and also inducements for industry to adopt the resulting standards. The bill’s main inducement was liability protection from lawsuits for companies that certified their compliance with the standards, but an executive order cannot offer such liability protections, absent action by Congress. The executive order apparently does not address other provisions of the CSA2012, including reform of the Federal Information Systems Management Act (FISMA), which addresses management of cybersecurity for federal government systems.
Senator Rockefeller and Senator Feinstein, both co-sponsors of the CSA2012, have called on President Obama to implement parts of the bill by executive order. Senator Lieberman has also supported executive action, but Senator Collins, a Republican co-sponsor of the bill, has opposed issuance of an executive order.