SAN FRANCISCO — President Obama’s executive order on national cybersecurity could result in new regulations for companies that operate key infrastructure, according to Michael Daniel, the White House’s cybersecurity coordinator.
Daniel said new regulations could be needed to create a “backstop” to address security gaps in the computer systems and networks of the nation’s water systems, electric grid and other critical infrastructure.
Some observers have said the administration’s order, issued earlier this month, lacks teeth because the bulk of its measures are voluntary.
The order creates a program, led by the Homeland Security Department, that critical infrastructure operators would join on a voluntary basis, agreeing to follow a set of cybersecurity best practices and standards crafted jointly by the Commerce Department and the industry.
But Daniel noted that a key part of the order directs primary regulators — including the Treasury and Energy departments — to review their current regulations and requirements and align them with the standards included in the cybersecurity framework developed by the Commerce Department’s National Institute of Standards and Technology. That could result in the agencies taking new executive actions or crafting updated regulations to bring their rules up to speed with the framework.
“They’re to compare their current requirements and regulations against that framework, and if they are not sufficient and the companies [are] not participating in the voluntary program for whatever reason, that those regulators could take action to try to bring their requirements and regulations up to the level of the framework,” Daniel told The Hill in an interview at the RSA cybersecurity conference. “I think from the administration’s perspective, we view that as kind of the backstop.”
“This is very significant stuff, and I think the president believes ... we need to have that backstop to make sure that we’re getting the cybersecurity of that critical infrastructure up to the level of the framework,” he added.
The U.S. Chamber of Commerce criticized the executive order when it was issued, saying that it “opposes the expansion or creation of new regulatory regimes.”
But the White House cybersecurity chief said this section of the cyber order is needed to help critical infrastructure thwart cyberattacks that could lead to catastrophic damage in the physical world.
In the near term, the White House will focus on overseeing the implementation of the measures in the executive order, while it is also working on a set of legislative principles to help guide Congress’s work on cybersecurity legislation.
Daniel said the principles will be similar to those outlined in the cybersecurity legislative proposal the administration delivered to Congress in May 2011, such as stiffening criminal statutes for cyber crime and creating a national data breach notification law that tells companies when they need to report a security breach to the government.
He said the forthcoming set of principles will not include bill text, but will reaffirm the administration’s support of the 2011 legislative proposal.
In Washington, the administration and Congress are engaged in an intense debate about the looming $85 billion automatic budget cuts. Daniel warned that the cuts will affect cybersecurity programs across the federal government and potentially the implementation of the executive order.
“There’s no question that it’s going to potentially have a negative impact on not just the [executive order], but all of our cybersecurity efforts across the board,” he said. “I don’t think it will be disproportionate to other government programs, but it will clearly negatively affect it and slow us down on our implementation, so I think that certainly it’s going to have a negative effect.”
“It’s one of the many reasons why sequester is such a bad policy to begin with, because it doesn’t allow you to prioritize for things that are really important like cyber,” Daniel added.
In the meantime, he noted that, while the White House has engaged with various congressional committees that are in the midst of crafting cybersecurity legislation, it will be challenging to get a bill passed this year.
Although lawmakers have sounded the alarm about the cyber threat facing the U.S., Congress has so far failed to pass pertinent legislation. The Senate tried twice to pass a sweeping cybersecurity bill last year, but GOP members blocked the measure over concerns that it would saddle industry with burdensome new regulations.
“I think there’s actually a real window of opportunity here,” Daniel said. “This is a difficult environment to get any legislation passed. I’m sort of a natural optimist in that regard, so I will keep working on that, but it will be a challenge.”