Sen. Susan Collins (R-Maine), co-author of last summer's failed Cyber Security Act of 2012, reiterated her stance that the White House should hold off on a planned executive order that many analysts expect will authorize near-real-time information sharing between private businesses and the government on cyber security threats.
"The executive order is a big mistake," said Collins in response to Killer Apps questions during a panel discussion on cyber security at the Wilson Center in Washington today. "First of all, the executive order cannot grant the liability protections that are needed in order to encourage more participation by the private sector, so the executive order simply cannot accomplish what legislation can. In addition, an executive order is not lasting and it doesn't reflect a consensus by Congress on what should be done."
Collins went on to say that she worries that the order will "lull people into a false sense of security that we've taken care of cyber security; and the executive order cannot do that."
American Civil Liberties Union Executive Director Anthony Romero chimed in, saying that the ACLU is against the order since it could be used by future administrations to abuse civil liberties. The ACLU supported the Cyber Security Act of 2012 because it limited the government's ability to collect data about cyber security threats from private companies. The organization had strongly opposed previous cybersecurity bills.
As for the executive order, "Any action by any occupant of the White House on an executive order that mandates the collection of data across federal agencies worries me," said Romero. "It's not going to be President Obama forever, and we've had President Bush, and when you use executive order powers for good reasons, you'll find them used and turned right on us for bad reasons."
Romero went on to say that the order is a "misguided" short-term solution to a long-term problem.
The White House's order is being drafted after Republican senators sank Collins' White House-backed bill -- co-authored with Joe Lieberman (I-Ct) -- over their concerns that even the minimal cybersecurity standards that it required of privately owned banks, utilities, and other so-called critical infrastructure providers would be stifling to business. The White House will not discuss the order or say when it will be released.
This comes as the Defense Department is working to expand existing programs whereby defense contractors and Internet service providers share and receive information on cyber attacks and threats with DoD and intelligence agencies. Pentagon officials are now working with the Department of Homeland Security to implement similar practices between DHS and critical-infrastructure providers.
When asked why legislation was still needed despite these programs and the executive order, U.S. Cyber Command chief Gen. Keith Alexander said that these programs represent "a great step forward" that offer a glimpse of what could be achieved via legislation.
However, he added, "I believe there still is a need [for legislation]. The Defense Industrial Base Pilot [the name of one of the programs aimed at sharing information between DoD and defense contractors] is a way of exchanging information but not in real time and without liability protection and it's between the defense" companies and the government at a low classification level. He said, "It doesn't give us the ability to work with the Internet service providers and allow that to benefit the rest of the critical-infrastructure providers and the rest of government."
One of the key provisions in Collins' legislation gave private companies protection against being sued for wrongly sharing private citizens' information with the government in the name of security. Cyber security advocates see this type of liability protection as key to getting private companies to share information on cyber threats.
Collins added that, although she is also in favor of expanding the Pentagon's current information sharing programs, "there's no way that it will have the breadth that will be brought about by our legislation."
John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.