Last modified: Wednesday, February 13, 2013
IU cybersecurity experts available to comment on White House executive order
FOR IMMEDIATE RELEASE
Feb. 13, 2013
President Barack Obama has signed an executive order designed to improve the nation's cybersecurity by enabling the government to share more information about cyberthreats with private industry partners and developing a new framework to reduce risks. Indiana University experts offer their comments.
A change of course, for the better
The president's executive order on cybersecurity reflects an "about-face" for the administration, which, up until now, has resisted calls for regulation to assist in the strengthening of America's cyberinfrastructure, said Fred H. Cate, a Distinguished Professor at the IU Maurer School of Law and director of the university's Center for Applied Cybersecurity Research. He said the change should be viewed ultimately as a positive step.
"Since his earliest announcement on cybersecurity, just five months after taking office, the president has promised to avoid security regulations. Yet in the absence of regulation, it is difficult to imagine that we will ever see meaningful progress toward more secure infrastructure," Cate said.
"We rely on regulation and other government 'incentives' to achieve almost every private-sector objective we consider worthwhile, from highway safety to lower emissions. The gains we have seen in cybersecurity to date have been encouraged by Federal Trade Commission enforcement of cybersecurity standards and sector-specific standards in health care and finance. Today's executive order, for the first time, signals the welcome intention of the administration to consider regulation and other 'encouragement' for the private sector to improve its cybersecurity measures."
Cate noted that Obama, in May 2009, said his administration would look for "technology solutions" rather than "dictate security standards for private companies." Congress, however, has made that task incredibly difficult. Despite having held dozens of hearings on cybersecurity, it has been more than a decade since Congress has passed any kind of major legislation on the issue.
"This executive order is a limited but long-overdue step to use the powers of the administration, in the absence of federal legislation, to address the critical issue of cybersecurity," Cate said. "The absence of federal legislation significantly weakens what the president can do in terms of requiring enhanced cybersecurity by the private sector."
Cate is the C. Ben Dutton Professor of Law and can be reached at 812-855-1161 or email@example.com.
Congressional action, international attention remain
David P. Fidler, a CACR fellow, said today's action only underscores the severity of the cyberthreat facing the United States and also the lack of political commitment in Congress to addressing the problem.
"As President Obama has argued, this executive order is not sufficient," Fidler said. "Congress will need to act if the U.S. is to make progress in defending against the cybersecurity crisis the nation now confronts. The executive order connects to two 'great debates' in cybersecurity law and policy: Can the government and the private sector significantly expand information sharing without infringing on civil liberties, and can the private sector sufficiently improve cyber defenses without more serious mandates from Congress?"
Fidler, the James Louis Calamaras Professor of Law at the Maurer School of Law and a recognized expert on the relationship between international law and cyberspace and cybersecurity law and policy, added that the international component to any future action must be considered.
"Although the executive order focuses on domestic cybersecurity, the global nature of cyberspace means that the cybersecurity framework and voluntary cybersecurity program will have to account for the international aspects of American cybersecurity needs," he said. "The executive order will also become part of international diplomacy on Internet governance and cyberspace issues because countries opposed to the 'Internet freedom' agenda of the U.S. might see this order as support for the heightened exercise of national sovereignty over Internet issues. How the executive order affects the international realm will be an important question, particularly in light of the European Union's move to regulate the private sector in the cybersecurity space."
Fidler can be reached at 812-855-6403 or firstname.lastname@example.org.