Latest cybersecurity bill failure returns focus to executive order

Officials say legislation is still necessary to fully address cyber threats, but the failure of Congress to pass a bill in its lame-duck session makes White House action more likely.

inner dome of capital

Photo of inner Capitol dome by the Architect of the Capitol

Now that the Senate has failed to move forward on a vote on the Cybersecurity Act of 2012, dashing briefly revived hopes that cybersecurity policy would be addressed in the lame duck session, the path looks clearer than ever for a presidential executive order.

The cyber executive order has been in the works for months, but officials at the highest levels, including Homeland Security Department Secretary Janet Napolitano, have called on Congress to act to adequately secure U.S. interests in cyberspace. An executive order, they say, would be helpful but not enough to address the cyber threats facing the nation.

But for now, the executive measure will have to do as cybersecurity legislation is punted to the next Congress for consideration, according to insiders.

“With other crises facing the nation right now, this is seen as something that can be deferred. The government has to recognize that the front line of cybersecurity is largely private industry. And they do a pretty good job right now, it’s just that it’s obviously not enough,” said retired Navy Adm. Jamie Barnett, senior vice president of academic programs and research at the Potomac Institute. “But I would think this is high on the agenda of 113th Congress once they get through the fiscal crisis.”

Defense Department officials, as well as their counterparts across the federal government, have looked to congressional action on cyber legislation as critical to national security. In a statement, DOD Press Secretary George Little noted the defense secretary’s frustration with the Senate.

“Secretary [Leon] Panetta was disappointed to learn that the Senate failed to move forward on the Cybersecurity Act of 2012, which would have enhanced our nation’s ability to protect itself against cyber threats, which are growing at an alarming rate,” Little said. “The U.S. defense strategy calls for greater investments in cybersecurity measures, and we will continue to explore ways to defend the nation against cyber threats. New legislation would have enhanced those efforts. If the Congress neglects to address this security problem urgently, the consequences could be devastating.”

The Senate’s failure to move on the bill could catalyze the White House’s release of the cyber EO, which some say could come within days. According to The Hill, administration officials believe the situation requires swift action.

“As tonight’s vote in the Senate illustrates, the current prospects for a cybersecurity bill are limited. Congressional inaction in light of the risks to our nation may require the administration to issue an executive order as a precursor to the updated laws we need,” Michael Daniel, White House cybersecurity coordinator, said in a statement, The Hill reported. “We think the risk is too great for the Administration not to act.”

It may be unlikely that a cyber EO, which has legal limitations, will spur the kind of action needed to fully secure critical networks and infrastructure, but it is expected to help.

“I think there could be a tipping point where we go from a general awakening and awareness of [the dangers] to reactive action. That’s what we want to avoid – a reactive legislative environment,” Clete Johnson, professional staff and counsel for the Senate Select Committee on Intelligence, said recently. Johnson noted that while competing political interests have so far stalled cyber action in Congress, a presidential order isn’t subject to the same constraints. “The EO might change this – the executive branch can do this without anyone weighing in.”

Considering the EO is primed for release just as President Barack Obama has signed a presidential directive on military cyber rules of engagement, the implications could be even broader, Barnett noted.

“This represents a significant step forward toward something the U.S. needs to do: develop a cyber doctrine. The presidential directive says the U.S. has a national interest in cyberspace and that we view a safe and secure cyberspace as part of our national security. And we will go after people who do things in cyberspace that affect our national security,” Barnett said. “It may seem very broad-brush but it’s a critical policy decision at national level. It helps fill that gap in cyber doctrine that has been a cause for gridlock in government…now we can build consensus and move forward.”

The bill failed on a 51-47 vote to invoke cloture. Passage required 60 votes.