Obama administration shifting cybersecurity legislative strategy

Published 16 May 2013

The Obama administration has shifted its cybersecurity legislative strategy. Rather than emphasize DHS-monitored regulations, an approach which stalled in Congress last summer because of Republican opposition, the administration is focusing on getting Congress to help promote the voluntary adoption by industry of standards being developed by the National Institute of Standards and Technology (NIST) following a February 2013 executive order signed by President Obama.



“I think you will see an attempt to leverage the NIST framework through the use of incentives and possibly through current regulatory authorities,” Larry Clinton, president of the Internet Security Alliance, told Bloomberg BNA. “I tend to doubt there will be a true push to expand DHS regulatory authority, as it would be dead on arrival in the House and probably also couldn’t get out of the Senate.”

Obama’s executive order instructed NIST to draft a framework consisting of voluntary cybersecurity standards for U.S. critical infrastructure owners and operators. NIST has until later this year to publish a draft, and a final version is due in early 2014.

The order also directed DHS to promote the model, and other agencies to review current cybersecurity provisions to determine whether they are adequate.

“I think that the executive order accomplished about 80 percent of what the [Senate] bill would have accomplished, especially in the watered down compromise version floated toward the end of the process,” Stewart Baker, a partner with Steptoe & Johnson LLP and a former assistant secretary for policy at DHS under the George W. Bush administration, told BNA.

Last month the House passed a package of cybersecurity bills which included the Cyber Intelligence Sharing and Protection Act (CISPA), which gives companies liability protection for sharing cyber threat information with other firms and the federal government.

Senator Tom Carper (D-Delaware), chairman of the Senate Homeland Security and Governmental Affairs Committee, said that he will work with senators from both parties to come up with wide-ranging cybersecurity legislation which will promote initiatives already developed under Obama’s order.

“While information sharing is an important piece in our effort to modernize our outdated cybersecurity laws, it is only one of many elements needed to properly bolster our cyber defenses,” Carper said in a statement, following the House’s action on CISPA. “Those of us in Congress need to pay close attention to other vital elements of cybersecurity, especially safeguarding our critical infrastructure.”

The president’s executive order has helped address some of the threats of a cyber attack and has also allowed critical infrastructure companies to better coordinate their responses, but many in the industry and in Obama’s administration say a cybersecurity bill is still needed.

“What’s arguably still needed and can’t be done with current authority are information sharing provisions, incentives for companies to adopt the standards coming out of NIST, and perhaps some provisions that would allow regulatory agencies to add cybersecurity to their existing regulatory jurisdiction,” Baker told BNA. “I get a sense that the administration still wants information sharing but hasn’t decided what if anything it wants on the other two topics.”