Cybersecurity Order Would Help, but Congress Must Pass Legislation, Says Napolitano.
A cybersecurity executive order that’s being drafted wouldn’t supplant the need for new law should the White House decide to release any final document, Department of Homeland Security Secretary Janet Napolitano said Friday. She urged Congress to continue its work to pass a comprehensive cybersecurity bill, after one failed in the Senate this summer due to the threat of a filibuster. As chances of such legislation decrease, collaboration will be necessary to combat cybersecurity threats, ex-White House Cybersecurity Coordinator Howard Schmidt said at another event. “An executive order will help but we still need comprehensive cybersecurity legislation,” Napolitano said at a conference hosted by National Journal and Government Executive. “It is something that Congress will have to come back and address.”
Lawmakers should continue their work to pass a bill that bolsters cyberthreat information sharing and encourages companies to protect their networks from attack, Napolitano said. This summer lawmakers failed to compromise on the provisions of the Cybersecurity Act (S-3414) primarily due to opposition from the U.S. Chamber of Commerce, which said the legislation would create new and costly mandates for businesses (CD Aug 3 p4). “Congress has had a full opportunity to act. That was and is the preference,” Napolitano said. “Any executive order cannot do what legislation can do, so we are still going to need Congress to come back and to act. But in the meantime, there are things the president can do … that are under consideration.” She said Barack Obama has not yet reviewed the draft order.
Napolitano said she disagrees with stakeholders who see federal cybersecurity efforts as burdensome and intrusive to businesses. “I regret that the debate has devolved into typical ‘well, is this regulation or not regulation?’” she said. “This is a security issue. … What we are talking about is a very viable and vital partnership between the public and private sectors where there is real time information sharing. … So I don’t view this as the government coming in and telling you what to do, far from it. What we are saying is ‘look, if you are the owner and operator of core critical infrastructure which other businesses depend and families depend and communities depend, we need to make sure that your cybernetworks are as secure as possible.’” Napolitano said the government already has cybersecurity requirements for certain critical infrastructure sectors and said DHS will work to ensure that any new obligations aren’t redundant.
Legislation can give the private sector liability protections and other incentives to share more cyberthreat information with the government, Napolitano said. The information that DHS receives from private companies is “episodic” and inadequate, she said. “Sometimes we get it, sometimes we don’t. There are industry concerns about opening themselves up to liability if they share certain types of information. There’s a fear that if you acknowledge that you have been the subject of an attack, your competitors will use that against you. So the information sharing we have now is not as robust as it really needs to be.”
Cybersecurity legislation passing is “looking less and less likely every day,” Schmidt told a conference hosted by Billington CyberSecurity on Thursday. While governmental agencies, law enforcement agencies and members of the private industry are all working to improve cybersecurity efforts, he said, “none of us can do this alone.” An executive order is a “worst-case scenario” and a “backup plan” that needs to be considered, Schmidt said. Cooperation needs to increase at the government level, he said. Working in the executive branch, he said, showed him how often government agencies find themselves at odds over policy goals, which “doesn’t do any of us any good.” Agencies, law enforcement and the intelligence community need to share information more freely, he said.
Members of the private sector need to find better ways to work together and with the government, according to Schmidt. Companies need “to do a better job” keeping themselves organized, he said, citing competitive concerns that have prevented cooperation in the past. While it’s important to keep in mind privacy concerns, companies should play a role in identifying cybersecurity threats and finding solutions, he said. “We can’t work today at government speed. We need to work at Internet speed.”
Schmidt pointed to stalled progress on improving digital signatures as a specific threat. Why do individuals with varying degrees of tech savvy have to distinguish between legitimate and illegitimate emails? he asked. Schmidt also pointed to Internet Corp. for Assigned Names and Numbers’ issuing of new generic top-level domains, where “we see out there all kinds of potential for fraud,” he said.
Napolitano meanwhile said Friday that she avoids using email while on the job. “Don’t laugh, but I just don’t use email at all,” Napolitano said. She would not clarify exactly what tools she uses to communicate, but said she eschews many online services in general. “For a whole host of reasons. So, I don’t have any of my own accounts and that, you know, I’m very secure,” she said. “Some would call me a Luddite. But that is my own personal choice, and I am very unique in that regard.”