Last night, during the State of the Union, President Obama brought the issue of cybersecurity legislation to the forefront of the private sector’s mind. The president announced that he had signed an executive order to increase cyber protection and information sharing and called on Congress to create further legislation. This announcement came on the eve of CISPA D-Day, when the controversial bill will be brought to the floor. But what are the main differences between the two?
Let’s start with what the executive order actually says. The order calls for the Department of Homeland Security to increase cybersecurity for America’s critical infrastructure. Over the next 120 days, government agencies will consult with leading members of the private sector on what qualifies as “critical infrastructure,” what needs to be protected and where the weaknesses are. The government will also work to create a notification system where information can be shared with the private sector to prevent the spread of cyber-threats. All this is to be done without compromising the privacy of companies and American citizens.
To oversimplify it: President Obama isn’t coming for your Twitter password. He’s looking to protect the power grid and other parts of the nation that would send America into a state of panic if compromised. He needs to improve security and find ways to warn of and prevent cyber-attacks.
The executive order isn’t the end-all be-all on cybersecurity. The President didn’t bypass Congress entirely and CISPA isn’t going to crawl back into the history books to collect dust. An executive order does not replace a bill and cannot change any existing laws. From The Hill:
“An executive order can only direct agencies to do something they already could have done under existing statutes.”
The executive order instructs different departments to take action and gives them a deadline to follow the president’s instructions. In this case, agencies need to work with the private sector to establish cyber-threat response plans.
The inherent weakness of the executive order is the reason President Obama called on Congress to pass a bill on cybersecurity in the near future. The order is merely a Band-Aid on the broken nose of compromised cybersecurity.
The main difference between the executive order and CISPA is that the executive order is a one-way street when it comes to sharing private information. CISPA collects private data from companies (your email addresses, your security information) and shares it with any government agency that is related to national security. The executive order only gives information to companies and lets them use it to improve their cybersecurity. With the executive order, your information stays in the private sector.
It’s that key difference that caused the ACLU – one of CISPA’s biggest opponents – to give its seal of approval to the executive order. The order has also garnered favor with Democrats and with the American people. Most of the outcry against the order comes from Republicans and organizations that see increased government regulation as a bad thing. They view the president’s actions as the executive branch trumping checks and balances to increase government power over the private sector.
CISPA may not be the right bill for increased cybersecurity, but something needs to be enacted. Email marketers are successful only as long as there’s trust between the company and the subscriber. When companies start spamming email lists or hackers take email addresses and send viruses to subscribers’ inboxes, the trust is broken. With extra security measures, users can opt in knowing that their information will be safe. Obama’s executive order took a step towards protecting national infrastructure; Congress will have to find a way to protect the private sector and, ultimately, the user.