President Obama invoked the pageantry of his State of the Union address this evening to announce a long-anticipated executive order on cybersecurity, a move that caps months of discussions with technology companies and could reduce pressure on Congress to move forward with controversial new legislation.
The order will "strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy," Obama said.
Obama's executive order doesn't propose new and potentially onerous regulations targeting private businesses, which Democrats had in their unsuccessful legislation last year. It also doesn't appear to rewrite privacy laws by allowing companies to share confidential information with intelligence agencies without oversight, which Republicans had suggested in their own bill, also unsuccessful, called the , or .
Because it's an executive order rather than a new law, it's restricted to directing the activities of federal agencies and is much less likely to be controversial. Some of the components include: expanding "real time sharing of cyber threat information" to companies that operate critical infrastructure, asking NIST to devise cybersecurity standards, and proposing a "review of existing cybersecurity regulation."
Some Internet companies had been concerned about being swept in by overly broad definitions of "critical infrastructure." But their lobbyists did their jobs: the executive order says Homeland Security "shall not identify any commercial information technology products or consumer information technology services" as especially critical infrastructure (translated: Facebook and Pinterest are not really that important). DHS will "confidentially notify owners and operators of critical infrastructure" that are considered sufficiently important.
The executive order -- and a related "Presidential Policy Directive" updating Bush-era policies from 2003 -- drew quick praise from civil liberties groups.
The ACLU said it's "encouraged" by it, and in a not-so-subtle swipe at CISPA, added that the order shows "there are smart ways to bolster cybersecurity while protecting privacy."
Leslie Harris, president of the Center for Democracy and Technology, said in a statement that: "Rather than having the government monitor private networks, it is better for security and privacy to have private entities protect their own systems and networks. Better sharing of what the government knows will enhance that effort."
While the executive order and related directive may sap some of the enthusiasm for new laws, the partisan wrangling on Capitol Hill is hardly over.
House Intelligence committee chairman Mike Rogers, a Michigan Republican, said today that he'll reintroduce CISPA tomorrow to concede with an event that will be held at the Center for Strategic and International Studies in Washington, D.C.
"We need to provide American companies the information they need to better protect their networks from these dangerous cyber threats," Rogers said. "Congress urgently needs to pass our cyber threat information sharing bill to protect our national security, our economy, and U.S. jobs."
While CISPA initially wasn't an especially partisan bill -- it cleared the House Intelligence Committee by a vote of 17 to 1 over a year ago December -- it gradually moved in that direction. The final floor vote last April had 206 Republicans voting for it, and 28 opposed.
Of the Democrats, 42 voted for CISPA and 140 were opposed, with House Minority Leader Nancy Pelosi saying that CISPA "didn't strike the right balance" and Republicans "didn't allow amendments to strengthen privacy protections." CISPA died in the Senate, where Democrats preferred a competing bill backed by then-Sen. Joseph Lieberman.
Despite broad industry support, CISPA alarmed privacy groups because it would would permit -- but not require -- Internet companies to hand over confidential customer records and communications to the U.S. National Security Agency and other intelligence and law enforcement agencies.
One section says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." By including the word "notwithstanding," CISPA's drafters intended to make their legislation trump all existing federal and state civil and criminal laws.
During athat CNET at our headquarters in San Francisco, Jamil Jaffer, senior counsel to the House Intelligence Committee, said the protests ignored the fact that the bill was approved by a bipartisan committee majority back in December.
Industry groups appear poised to back CISPA once again. The Internet Security Alliance, which counts representatives of General Electric, Verizon, Wells Fargo, and Boeing on its board, said after this evening's announcement that it "strongly supports the reintroduction" of CISPA over the Democrats' bill that takes a "traditional, top-down regulatory approach."
Meanwhile, Democrats haven't been idle. Late last month, a group of Democratic senators including Tom Carper, incoming chairman of the Senate Homeland Security and Governmental Affairs Committee, released a joint statement calling on their colleagues to embrace the Cybersecurity and American Cyber Competitiveness Act (S.21). Obama appeared to endorse that approach, saying this evening that "now Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks."