CybersecurityTech companies, telecoms clash over cybersecurity executive order

Last August a cybersecurity bill died in Congress amid partisan bickering. On 12 February this year, President Obama packed many of that bill’s elements into a cybersecurity executive order.

In announcing the executive order in his State of the Union speech, President Obama said the United States needs to boost cyber defenses for vital U.S. facilities. “We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air-traffic-control systems.”

To make the order more acceptable to some of its congressional and industry critics, the president introduced an exemption, saying that the government cannot designate “commercial information technology products or consumer information technology services” as critical U.S. infrastructure targeted for voluntary computer security standards. This exemption would take Google’s Gmail, Apple’s iPhone software, and Microsoft’s Windows off the list of critical infrastructure-related products.

This exemption placated some of the original cybersecurity bill’s critics, but angered others, chief among them telecommunication companies. “If e-mail went away this afternoon, we would all come to a stop,” Marcus Sachs, vice president of national security policy at Verizon Communications Inc., the second-largest U.S. phone company, told the Washington Post. “Hell yeah, e-mail is critical.”

Technologies used in personal computers, software, and the Internet “are the lifeblood of cyberspace,” Sachs said. “If you exclude that right up front, you take off the table the very people who are creating the products and services that are vulnerable.”

The Post reports that the executive order aims to bolster cybersecurity standards in areas such as power grids, telecommunications, and pipelines. The order’s goal is to protect “systems and assets whose incapacitation from a cyber incident would have catastrophic national security and economic consequences,” White House spokeswoman Caitlin Hayden told the Post in an e-mail. “It is not about Netflix, Twitter, Facebook, and Snapchat.”

The executive order calls on DHS to identify critical infrastructure and then formulate cybersecurity guidelines for the industries involved. The implementation of the security standards is voluntary – the question of whether to make the security standards voluntary or mandatory was a major bone of contention on the Hill back in the summer — but federal agencies were told to consider binding rules if the voluntary compliance does not achieve the desired results.

The February executive order raises three major issues:

• Telecommunications and cable companies say they should be made to bear regulatory burdens which are not also shared by technology companies
• Different countries have different cybersecurity guidelines for technology products and services. Imposing U.S.-specific cybersecurity standards may be construed as a type of trade barrier, especially if the exemptions relived many large U.S. technology companies from regulatory impositions.
• Telecom companies argue that he entire Internet ecosystem should share the responsibility for making the U.S. critical infrastructure more secure. The February exemptions leave out technologies which play a central role in the total security picture.

Stewart Baker, a former DHS official, told the Post that “If you’re attacking people, you go for the weakest link and the weakest link is often some commercial product.”

At least part of the reason for the exemptions given to technology companies is the need to align the administration’s position on securing critical infrastructure with its position on revising the international telecommunications treaty. Last year, when the UN convened a conference in Dubai to discuss revisions to the treaty, the United States was in opposition to any revisions, arguing that new language related to cybersecurity and other topics could possibly allow Internet regulation and censorship by other countries.