After its passage last Tuesday night, President Obama’s Executive Order on cybersecurity has received somewhat of a mixed response. In one camp reside the naysayers, who, regardless of what’s contained in the order, have already summoned all that is at their disposal to oppose the President’s order simply because – well – it’s the President’s order. In another are the yes men (and women) who loyally accept whatever comes out of a Democratic White House based on its stated purpose while tragically paying no mind to the actual implications of the policies it passes. Still yet, there is another camp, one that takes each policy in turn and examines it, not based on the party affiliation of its originator or its promotion of some extreme, unrealistic ideology, but on a pragmatic understanding of the policy’s purpose and consequences.
Nearly lockstep with discussing it in his State of the Union address, President Obama moved to “strengthen the cybersecurity of critical infrastructure” through executive action. Done using measures purported to remove barriers to information sharing and establish a system of standards to protect critical private infrastructure and government agencies against cyberattacks, the Executive Order is best described as a response to previous cyber breaches into such industrial assets. These measures, as Forbes writer Chenxi Wang points out, follows the “much-hated Cyber Intelligence Sharing and Protection Act (CISPA)” proposed just a year ago and, as a result, unsurprisingly invited suspicion – particularly from civil liberties groups who saw CISPA for the “great threat” that it was to online privacy.
That said, it is important to differentiate between the healthy skeptics and those who see this latest Executive Order as little more than a political football to be used for personal and partisan gain.
Politicizing the Cybersecurity Executive Order
“If you let the government take over some part of the internet, it’s going to take over more and more,” warned policy analyst Julie Borowski from the group FreedomWorks. “The Founding Fathers wouldn’t support it.” Of course, Ms. Borowski has no way of knowing whether the founders would have supported this action or not. But that didn’t keep her from invoking their internet-less perspective – which was hardly ever a consensus, I might add – to ensure that readers remain fearful of any policy proposed by the secret Muslim from Kenya that the group still insists occupies the White House.
Meanwhile, there are others who oppose the Executive Order based on what might seem like more reasonable concerns, especially in comparison to the more extreme view above. However, those who have taken up the more measured response that we simply cannot accept “hasty, unilateral action” from the Obama administration have failed to propose an alternative that will effectively defend what is increasingly becoming the theater for modern warfare (not the video game).
The opposite side of the spectrum doesn’t get much better. By accepting without question anything that’s proposed by the White House, lawmakers and their constituents don’t do the public interest any favors. In fact, by removing such a critical check from the democratic process, it leaves policymakers to bear the undue burden and potentially detrimental task of crafting perfect policy without the aid of public scrutiny.
Yet lying between these two extremes is the previously alluded to group of non-partisan pragmatists who evaluate policy based on its merits (or lack thereof) rather than its potential as political capital. In reality, this group isn’t a group at all. Unlike the others, this one doesn’t speak in a singular, unified voice – unless, of course, their various critical analyses lead them to the same conclusion. And one voice from within that critical choir is particularly deserving of our consideration.
A Balanced Approach to Cybersecurity
Hardly a cheerleader of the Obama administration, the American Civil Liberties Union (ACLU) offered a cautioned yet positive response to the Executive Order. “Two cheers for cybersecurity programs that can do something besides spy on Americans,” writes Legislative Counsel Michelle Richardson, speaking specifically to the order’s focus on utilizing existing law and agencies to address this increasingly prevalent threat. The article, entitled “President Obama Shows No CISPA-like Invasion of Privacy Needed to Defend Critical Infrastructure,” goes so far as to call the order “a win for privacy and civil liberties.” Given the group’s vociferous opposition to past cybersecurity initiatives, such a response certainly warrants the attention of those who take this issue seriously.
The ACLU gives two specific reasons for its more welcoming disposition.
First, as the group points out, the information sharing provisions of the order focus on government sharing information with those areas of the private sector who control critical infrastructure (CI). Such an agenda comes as a breath of fresh air, particularly in comparison to more invasive bills likes SOPA, PIPA and CISPA, which needlessly seek to provide means of siphoning information from private companies to secretive government entities like the NSA, CIA or other military or paramilitary agencies. Under Section 4 of the cybersecurity order, the attorney general, Secretary of Homeland Security, and the Director of National Intelligence are ordered to use the means already at their disposal to establish a system to allow these agencies to pass cyber threat information along to these CI entities.
The other provision worth celebrating – at least to some extent – is found in Section 5 of the order. Under the guidance of the Chief Privacy Officer, the Officer for Civil Rights and Civil Liberties of the DHS, and the Office of Management and Budget, this provision emphasizes the importance of protecting basic privacy rights while ensuring that vulnerable infrastructure has the information it needs to protect itself against a cyber attack. Using the Fair Information Practice Principles (FIPPs) as a guide, the group will incorporate specific protections into the information sharing system to be created under Section 4. By using FIPPs, we can expect these protections to focus on the core principles of consumer notice, access, and consent, as well as accuracy and security of the information being shared and stored.
Notwithstanding the promise embodied in the order, however, tight budgets make sufficient funding for the task a real concern, minus some sort of congressional action. And as we found out last week, such action is all but guaranteed to come with its own set of issues – issues that threaten to undermine the refreshingly balanced approach that the cybersecurity Executive Order espouses.
For this reason, it’s difficult to call the order a “win for privacy and civil liberties.” Until Congress decides to get onboard without demanding a CISPA-like bill in return, the President’s Executive Order risks proving to be little more than an executive gesture.