President Barack Obama’s order aimed at ramping up protection from cyberattacks will address only a small portion of threats and sets up a fresh battle in Congress over legislation.
Obama acted this week after two failed attempts in Congress to pass measures to protect critical infrastructure from computer attacks.
US administration officials and lawmakers acknowledge that the order creates no new authority and that legislation is needed to better safeguard networks for key systems such as power grids, banks and air traffic control.
“The executive order is not a substitute for legislation,” said General Keith Alexander, head of the National Security Agency and the military’s Cyber Command.
“We need legislation and we need it now,” Alexander told a gathering Wednesday to discuss the president’s order. “From my perspective, the threats are real and growing.”
Because most of the networks in question are in private hands, officials say they must rely on voluntary reporting by industry of any cyber threats or attacks. Legislation would be needed to shield businesses from liability when they do report potential malware threats.
Obama, in his annual State of the Union address to a joint session of Congress, said the United States was facing a “rapidly growing threat from cyberattacks.”
The president also urged Congress to pass legislation “to give our government a greater capacity to secure our networks and deter attacks.”
Senator Jay Rockefeller, co-author of a pending cybersecurity bill, welcomed the executive order and said it “will improve the partnership between the government and the private sector needed to defend our country.”
But other lawmakers were miffed that the president acted alone.
Without protections and incentives from legislation, the order “will be ineffective and carry consequences for entities that choose to participate,” said House Homeland Security Committee Chairman Michael McCaul said.
Republican Representative Mike Rogers, who heads the House Intelligence Committee, and ranking Democrat Dutch Ruppersberger re-introduced the Cyber Intelligence and Sharing Protection Act (CISPA), a bill that passed the House last year but died in the Senate.
“We are in a cyber war now, and most Americans don’t know it,” Rogers told a forum.
“And at this point, we’re losing. Nation states like China are stealing our intellectual property at a breathtaking pace.”
Ruppersberger said he was optimistic about the bill’s chances despite the failure in the last Congress, when the White House threatened a veto and the Senate opted for a different course.
“We had our issues with the president last time,” Ruppersberger told an audience at the Center for Strategic and International Studies. “We don’t agree on everything but we do agree we have to work together.”
Cybersecurity legislative efforts failed amid opposition from civil libertarians who claim it could allow too much government snooping and conservatives who say it would create a new bureaucracy.
Ruppersberger argued that in drafting the bill, “we bent over backwards so we don’t invade anyone’s privacy… the bill does not authorize the government to monitor your computer or read your tweets.”
But critics say CISPA still raises civil liberty concerns.
Leslie Harris at the Center for Democracy and Technology said CISPA “remains fundamentally flawed” because “it allows private Internet communications and information of American citizens to go directly to the NSA, a military intelligence agency that operates secretly with little public accountability.”
Analysts say it remains unclear whether lawmakers and the White House can break the deadlock and pass legislation offering real protection.
“The US is clearly at a stalemate, with the government floundering in a hotly politicized deadlock with trade lobbies and civil liberties advocates,” said Michela Menting, cyber security analyst at ABI Research.
Daniel Castro of the Information Technology & Innovation Foundation said the cybersecurity order may in fact reduce pressure on lawmakers to pass a bill.
“Some people will say this takes care of the problem,” he told AFP. “So this lessens the urgency.”
But if Congress decides to act, it may be pressed to do so ahead of deadlines to implement the executive order.
“Some form of CISPA has the best chance of passage this year in Congress,” said Thomas Billington, who head the cybersecurity media firm Billington CyberSecurity.