President Obama, in light of an unresolved congressional debate about cyber security policy, unveiled an executive order that directs federal agencies to revisit their statutory authority in search of legal justifications to implement new regulations, rather than laws.
“[E]arlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy,” Obama said in his prepared speech. “Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”
The gesture towards information-sharing is well-intentioned, but Obama can’t waive the liability laws that make it difficult for businesses to alert each other to cyber threats. The real force of the executive order will be demonstrated by a series of still-unknown regulations that are scheduled to be promulgated over the next 240 days, as the National Institute of Standards and Technology (NIST) develops a Cyber Security Framework that the Department of Homeland Security will implement.
“To enable technical innovation, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services,” the White House explained.
The Cyber Security Framework will begin as a set of voluntary standards, but the order initiates a process that gives bureaucrats the opportunity to expand their power, because the Department of Homeland Security will “encourage” regulatory agencies to create legal arguments that would allow them to mandate compliance with the “voluntary” standards.
The executive order contains a provision “that allows the regulators to look for the authority and then try [to] see if they can regulate something,” The Heritage Foundation’s David Inserra told The Washington Examiner. “At the very least it’s going to be a fishing expedition for nearly every lawyer in these regulatory agencies . . . They’re going to go back and search through these very vague terms and they’re going to come up with an argument that they want to come up with.”
A draft of the order released by the administration before the new year explained that regulatory agencies “are encouraged to propose regulations . . . to mitigate risk based on such a set of prioritized actions.”
Inserra pointed out that agencies such as the Federal Communications Commission could invoke “the general interest,” a phrase ambiguous enough to support an argument for any number of policies.
“If NIST develops a really aggressive framework that has all sorts of things, that could give these regulators even more things to go after,” Inserra added. “There’s sort of multiple stages where this could go bad.”