Homeland Security Secretary Janet Napolitano told a Senate committee that an executive order dealing with cybersecurity threats will be less effective than legislation. (Jim Watson / AFP via Getty Images)
The White House is working with the Department of Homeland Security, FBI and others to develop an executive order to counter cybersecurity threats.
The effort follows the Senate’s failed attempt to pass cybersecurity legislation that would have created voluntary security standards for companies operating critical infrastructure, such as the electric grid, water treatment facilities and transportation systems.
But the executive order will not replace the need for cybersecurity legislation. DHS Secretary Janet Napolitano told a Senate Homeland Security and Governmental Affairs Committee hearing Wednesday that the executive order will be less effective than legislation because it cannot:
• Provide liability protections for certain companies that are victims of cyber attacks.
• Increase criminal penalties for cyber criminals.
• Provide DHS with funding to hire and pay competitive salaries to cybersecurity workers.
“We still need cyber legislation,” Napolitano said.
Sens. Joseph Lieberman, I-Conn., and Daniel Akaka, D-Hawaii, expressed little hope that legislation would pass during the lame duck session following the November elections.
“I would not count on it,” said Lieberman, who introduced the Cybersecurity Act in February. “The sooner the executive branch is ready to try to fill whatever gaps it can, the safer the country will be.”
Caitlin Hayden, spokeswoman for the White House’s National Security Council, said “an executive order is one of a number of measures we’re considering as we look to implement the president’s direction to do absolutely everything we can to better protect our nation against today’s cyber threats.”
Napolitano told senators that in crafting the executive order, the administration has considered what existing authorities federal regulatory bodies have to enforce cybersecurity standards on certain sectors. Republicans who opposed the failed Senate bill argued that any voluntary standards could have been made mandatory for industry under the bill.
Sen. Susan Collins, R-Maine, earlier this month said an executive order should not be a substitute for legislative action.
Meanwhile, Sen. Jay Rockefeller, D-W.Va., a co-sponsor of the Cybersecurity Act, has asked top companies to share details on their cybersecurity practices and concerns with the bill.
Rockefeller this week sent letters to CEOs of the nation’s 500 largest companies, including Apple, ExxonMobil and AT&T, asking what cybersecurity best practices they use, how those practices were developed, how frequently they are updated and what role the federal government played in developing those practices. Companies were asked to answer eight questions by Oct. 19, including what concerns they have with voluntary security standards for companies operating critical infrastructure.
In the letters, Rockefeller said the filibuster of the Cybersecurity Act was largely due to opposition from business lobbying groups and trade associations, specifically the U.S. Chamber of Commerce.
“I would like to hear more — directly from the chief executives of leading American companies about their views on cybersecurity, without the filter of beltway lobbyists,” he wrote.
Rockefeller said many portions of the bill, including the voluntary program, could be implemented via executive order, regulation or Homeland Security Act authorities.